FTC Databook Highlights Consumer Fraud

The FTC last week announced the release of the Consumer Sentinel Network Databook for January – December 2012.  The “Consumer Sentinel Network” is the FTC’s platform for law enforcement collaboration on issues affecting consumers. The program collects data from a wide range of sources, providing a comprehensive, nationwide picture of consumer complaints. Given the possible existence of reporting biases and other factors, the FTC report should not be treated as a statistically valid survey of all consumer fraud. It is, nevertheless, an interesting and important part of the overall consumer-fraud picture.

This year’s Databook reports on over 2 million consumer complaints received, with identity theft as the top issue by a wide margin (369,132 complaints, 18% of complaints in all), followed by debt collection (199,721; 10%), banks and lenders (132,340; 6%), shop-at-home and catalog sales (115,184; 6%) and prizes, sweepstakes, and lotteries (98,479; 5%).

The total reported cost paid by consumers as a result of fraud was nearly $1.5 billion, or an average cost of $2,350 per affected consumer. However, this average is skewed by the existence of higher-dollar frauds affecting a minority of consumers. A close examination of the FTC-provided data reveals that most (54%) of consumers paid nothing as a result of fraud, with a median cost of $535 among victims who did pay. Thirteen percent of victims paid between $1,001 and $5,000, while only four percent paid more than $5,000, rates which have remained fairly steady in each of the last three years.

It remains the case that most fraud originates in cyberspace, either via email (38%) or other web or internet exchanges (12%), although phone contact remains significant as well (34%).

Among reporting consumers, those aged 40 and above are at a higher risk of being victimized by fraud (66% v. 33% for those aged below 40). However, a complete look at the data undercuts any simple theory that susceptibility to fraud increases significantly with age. Considered as a whole, the under-40 group is helped by the fact that relatively few frauds target those 19 and under. And among reporting adults and broken down by decade, those aged over 70 are in fact the least likely of any group to be fraud victims.

In the category of identity theft fraud, most reported frauds are tax or wage related (43.4%), followed by credit card fraud (13.4%), and phone or utilities fraud (9.7%).

The HIPAA/HITECH Final Rule Has Been Released

The long-awaited HIPAA/HITECH Final Rule is out. The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements: impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if they are performing risk management or assessment activities or legal services for the covered entity which involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  number of individuals affected and time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis. Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30 day extension after written notice for the delay and when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability of harm must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • Notification does not require an analysis of risk because the occurrence of a breach is presumed.
  • Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  An example is provided of a misdirected fax to the incorrect physician who immediately calls to report the error. This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period depending on circumstances.
  • Breaches under 500 must be reported no later than 60 days after the calendar year in which they were discovered, not when they occurred.
  • Notification to the Secretary must occur contemporaneously with notice to individuals for breaches over 500.

We also note that some things remain unchanged:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to sub-BAAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAAs and sub-BAAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification by the BA can be delegated.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances permitting preemption of state law of HITECH.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.

Lame Duck Congress Acts on Privacy Bills, Mostly With an Eye Toward 2013

While continuing congressional inaction on the fiscal cliff is getting most of the ink/pixels in news headlines over the last couple weeks, several privacy bills have advanced in the House and Senate. Though only one is likely to become law before the 112th Congress ends in a few days, they embody what will be the starting point for action on these issues next year.

GLBA Privacy Notices

The Eliminate Privacy Notice Confusion Act, H.R. 5817, passed the House by voice vote on December 12. As amended after Rep. Ed Markey (D-MA) and others opposed a provision in the original bill that exempted State-licensed financial institutions subject to consumer privacy laws, the bill would remove the Gramm-Leach-Bliley annual privacy notice requirement for a financial institution that has not, in any way, changed its privacy notice or procedures. The amended bill is substantially the same as the legislation that passed the House by voice vote in April 2010 and is supported by the Independent Community Bankers of America, the Credit Union National Association, the American Bankers Association, the National Association of Federal Credit Unions, and the Consumer Bankers Association, among others. As with its predecessor, however, the Senate is unlikely to take up H.R. 5817 in the little time remaining before year-end.

Location Privacy

The Senate Judiciary Committee approved the Location Privacy Protection Act of 2012, S. 1223, on December 13. Sponsored by Sen. Al Franken (D-MN), the bill would require mobile device (phones, tablets, car GPS) service providers to get prior consent from customers before collecting their geolocation information or sharing it with third parties. It also includes provisions designed to prevent so-called “cyberstalking”: Service providers that fall into one of the bill’s exceptions (to help a parent locate a child, provide emergency services, protect customers from fraud, etc.) must nonetheless notify the individual about the tracking and how to revoke consent. Further, the bill makes it a crime to intentionally operate a stalking application and provides for a study of the use of geolocation data in violence against women. The bill is enforceable by DOJ, state AGs, and a private right of action via a minimum of $2,500 in damages, plus punitives, and preempts only contrary, not stronger, state laws.

Despite passing committee with minimal opposition and having the support of “nearly every national domestic violence and consumer group in the country," Ranking Member Chuck Grassley (R-IA) and senior Democrat Chuck Schumer (NY) both expressed reservations about the bill’s potential negative impact on hi-tech, signaling further changes are likely before the bill would advance in the Senate. Grassley, citing a letter from the Interactive Advertising Bureau, also asked for a future hearing on technical aspects of the bill’s notice and consent requirements. Franken acknowledged the bill would not advance further this year, but expressed hope that the bill could make it through the Senate in 2013.

Of interest to the broader legal community, during committee consideration of the bill, Sen. Grassley offered an amendment to require state attorneys general pursuing ANY court action under federal law, including enforcement of S. 1223, to notify the court if they hired private counsel to represent the state, cite their authority to do so, and reveal the terms of any such agreement. Grassley said he’s troubled by firms hired on a contingent fee basis to enforce federal law. The amendment failed 8-9 on a party-line vote.

Video Privacy Protection Act

On December 18, by voice vote, the House passed a bill, H.R. 6671 “to clarify that a video tape service provider may obtain a consumer's informed, written consent on an ongoing basis and that consent may be obtained through the Internet.” In other words, the House passed the so-called “Netflix bill” to modernize the 1988 Video Privacy Protection Act to facilitate sharing one’s viewing information online. The bill included the enhanced video privacy protections from Senate Judiciary Committee Chairman Patrick Leahy’s (D-VT) version of the legislation (H.R. 2471), approved by the Committee in November, but excluded his provisions strengthening the Electronic Communications Privacy Act dealing with government access to communications. The former provision requires renewing consent to share video-viewing information every two years and a "clear and conspicuous" option to withdraw consent at any time. The latter would require the government to obtain a search warrant anytime it seeks individuals’ electronic communications such as email, regardless of how old they are, though notice to the individual could be delayed almost indefinitely in consecutive six month increments if it would jeopardize an investigation, endanger someone’s life, etc. Late yesterday, the Senate passed the House bill by unanimous consent and the President is expected to sign it into law. Judge Robert Bork, whose circumstances inspired the VPPA when a weekly newspaper in Washington, DC published his video rental history, passed away on December 19.

Identity Theft

Yesterday, the House considered the Medicare Identity Theft Prevention Act, H.R. 1509, which would simply eliminate the display (or coding or embedding) of Social Security numbers on Medicare cards within the next two years. It is expected to pass the House any day now with overwhelming bipartisan support. The Senate, however, has yet to act on similar legislation introduced by Richard Durbin (D-IL).

CFPB & Privileged Documents

Last but not least, the President is expected to sign into law any day now H.R. 4014, which clarifies that sharing attorney-client privileged information with the Consumer Financial Protection Bureau does not waive the privilege and potentially open up financial institutions to third-party subpoenas. Current law already preserves the confidentiality of information that financial institutions provide to most regulators, but Congress failed to make that explicit in the Dodd-Frank Wall Street Reform and Consumer Protection Act that created the CFPB.

Data Breach Reporting for DOD Contractors

Today, the Senate is expected to approve the Conference Report on the FY 2013 NDAA, one of the most important annual bills considered in Congress and the culmination of several months’ work. The Conference Report reflects a compromise between the House and Senate versions of the legislation and contains an entire Subtitle IX.D on “Cyberspace-Related Matters.” In addition to authorizing funds and setting policy parameters for cybersecurity planning and system development, the bill contains a provision directing DOD to establish a breach reporting mechanism for contractors. Section 941 of the legislation directs the Secretary of Defense to establish, within 90 days of enactment, procedures for “cleared defense contractors” to “rapidly” report successful penetrations of certain “networks and information systems” that meet criteria to be developed by the Secretary and other senior DOD officials. The procedures must include a mechanism for limited DOD access to contractor equipment and information for forensic analysis and must prohibit disclosure of non-DOD information outside the Department. The language is reportedly less onerous than provisions opposed by some business groups in the original Senate-passed bill. The House passed the Conference Report yesterday 315-107, so Senate passage will clear the legislation for the President’s signature. A broad overview of the NDAA is available on Armed Services Committee Chairman Levin’s website.

Wow! Government Amends Red Flags Rule to Make it Narrower

Congress, FTC Restrict Definition of “Creditors” who must Adopt a Formal Plan to Prevent, Detect ID Theft

In journalism, the adage goes, “man bites dog” is news. The regulatory equivalent should be “government amends Rule to make it narrower.”  Yet that is what the Congress and the FTC have done to the definition of “creditors” that are required to approve and implement a “Plan” to prevent, or at least detect and ameliorate, incidents of identity theft, one of the most frustrating violations of personal privacy that unlucky consumers must confront.  See 77 F.R. 72715 (December 6, 2012).

And it all makes good sense. Over the last decade, ID theft has become a major problem. In 2007, Congress addressed it by adding to the Fair Credit Reporting Act a section requiring that certain businesses, including “creditors,” adopt a Plan to prevent and detect instances of identity theft. Using federal guidelines, each covered party had to create a plan that was tailored to its unique business and circumstances.

There was a studied effort to avoid “one size fits all” regulatory requirements. In issuing its final Rule and follow-up guidance, the FTC made clear that it would judge plans in a flexible manner, looking to ensure that the business had made a bona fide effort to identify the elements of its process that could increase the risk of ID theft.

In the original Act and, similarly, in the FTC’s implementing Rule, the definition of “creditor” was based on the very broad definition of the term in the Equal Credit Opportunity Act (“ECOA”).  Even under the Fair Credit Reporting Act (“FCRA”) that contained the Red Flag requirements, the term “credit” was not defined but had been construed very broadly by courts over a long period of time.

There was a good policy reason for these broad definitions. In determining when discrimination should be prohibited (ECOA) or when consumers should get disclosures to make sure that adverse credit actions were based on accurate facts (FCRA), one should not constrict the scope of those rights.  At the same time, those definitions bring into play many creditors for whom the risk of involvement in identity theft is very low. For example, a neighborhood store that takes checks is much less likely than a credit card issuer to run into such problems, but depending on circumstances, both could be covered by the Red Flags Rule.

Congress limited the statutory definition of “creditor” for Red Flags purposes to three tests: “creditors that regularly and in the ordinary course of business engage in at least one of the following three types of conduct:

  1. Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; or
  2. Furnish information to consumer reporting agencies in connection with a credit transaction; or
  3. Advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.” (Footnotes omitted).

These may not be the only criteria Congress could have chosen, but they do comprise the most likely sources of ID theft issues. To add flexibility, the Congress authorized the FTC to supplement the Rule with other criteria for “creditor” that would serve the same policy purposes.

In announcing the amendments to the Red Flags Rule, the FTC did not first seek public comment, noting that the changes were purely ministerial to conform its Rule to the amended definition in the Act. The FTC announced it was not proposing additional criteria for covered “creditors” at this time.

Even companies that benefit from the streamlined definition should not discontinue their efforts to combat ID theft. Even if they do not want to prepare a formal plan approved by the Board of Directors and implemented at a high level in the company, protecting their customers from ID theft is good business. What responsible company would ignore indicators of possible ID theft (red flags) or not try to halt an incipient breakout, just as it would try to avoid data breaches through improved security?

Such flare-ups can be expensive and lead to legal liability beyond the FTC’s Red Flags Rule. Still, the government’s actions cut back on the need for universal formulaic compliance and are a sensible step in the war against ID theft.

It's Raining PII in New York

On November 25, 2012, the front page of the New York Post blasted the headline, “Drop Secret. Shred Alert! Covert cop files used as parade confetti.” The Post reported that shredded files appearing to contain material from Long Island’s Nassau County Police Department were dropped during this year’s Thanksgiving Day parade. The confetti reportedly contains the names and social security numbers of detectives as well as other confidential information. An anonymous law enforcement source indicated that the documents were to have been shredded and then burned. The Police Department is investigating and has vowed to conduct a review of its procedures “for the disposing of sensitive documents.” Although most data breaches don’t result in PII being strewn throughout the streets of New York, they can and often do become front page news and can have serious legal, regulatory, financial and reputational consequences. Notably, the most common cause of data breaches is not sophisticated professional cyber-attacks, but simple human error.

Regardless of how the confetti investigation plays out, this incident should serve as a reminder to all organizations to consider their own risk management plans, including the following factors:

  • Review your internal policies and procedures and make sure they’re up to date. The statutory and regulatory framework governing confidential information is constantly evolving and must be incorporated by your organization. Federal statutes such as HITECH, HIPAA and Gramm-Leach-Bliley must be considered, and the 46 state laws seem to always change with respect to notification and security requirements. If your organization conducts business outside of the US, requirements of foreign laws must be incorporated into your policies and procedures. Remember, having a policy your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed to, and followed by, employees.
  • Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
  • Hire a consultant to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments. And, it is good practice as organizational risks change with changing practices.
  • Education of employees is critical to the success of any compliance program. Make sure all employees are educated and trained concerning those policies and procedures and any laws and regulations that apply to your business. There are laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, that mandate these types of training programs.
  • Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least 1/3 of all data security incidents.
  • Do not forget to compare your data collection and sharing practices to what your privacy policy says. Regulators, such as the Federal Trade Commission, are watching closely.
  • Cyber insurance can help organizations respond to and mitigate the harmful consequences of a data breach. Indeed, the SEC wants companies to consider insuring these risks. Insurance should be considered an important piece of your risk management plan.

Internet Banking Authentication Security Procedures Found Commercially Unreasonable

It is a common scenario—a company's computer system becomes infected with some variant of the Zeus Trojan with a key logger that sends key strokes out to a command and control server operated by a criminal. The criminal searches the key strokes to find login credentials to that company's Internet bank account, which are used to access the account and make wire transfers to accounts controlled by money mules. If the transactions are not blocked by the bank or detected by the company in time to block them, the company and the bank end up in a dispute over who bears the risk of loss. If the dispute leads to litigation, each side faces risk and litigation costs, in part due to the practical difficulties of meeting their burdens of proof.

This scenario occurred in 2009 between Patco Construction Company and Ocean Bank (later acquired by People’s United Bank). Patco filed suit to recover $345,000 in fraudulent wire transfer losses, but the district court found that the bank had implemented reasonable security measures, allocated the risk of loss to Patco and dismissed all of Patco’s claims. On July 3, 2012, the First Circuit Court of Appeals reversed the district court upon finding that the bank failed to implement commercially reasonable security methods to prevent unauthorized transfers. The First Circuit’s decision offers valuable lessons, which are dependent on understanding how the law allocates risk and the security methods that were used.

The Law. Article 4A of the Uniform Commercial Code allocates the risk of loss for unauthorized commercial wire and ACH transfers to the bank that receives the transfer order unless the bank can show that it accepted the order in good faith and followed a commercially reasonable security procedure for verifying the transaction that was agreed to by the customer. The bank must show that the security procedure was reasonable for that specific customer and bank based on any express instructions from the customer, as well as the circumstances of the customer known to the bank (size, type and frequency of payment orders normally issued by the customer), alternative security procedures offered to the customer, and security procedures in general use by similarly situated banks and customers.

The Security Procedures. In October 2005, the FFIEC issued guidance for authentication in Internet banking, which recommended that banks implement multifactor authentication, layered security, or other controls to mitigate the risk of fraud associated with single-factor authentication (i.e. username and password). To meet the guidance, the bank purchased a “premium package” from a security vendor and implemented a multifactor authentication security procedure with six features: (1) user ID and password; (2) device authentication using a cookie; (3) risk profiling using an algorithm that assigned a risk score to each login and transaction based on factors such as location, IP address and size, type, and frequency of orders; (4) challenge questions; (5) dollar amount of the order that triggers challenge questions; and (6) blacklisting of IP addresses associated with known instances of fraud. The bank did not use out-of-band authentication or tokens.

The Fraudulent Transfers. For six years, Patco used Internet banking to make ACH transfers primarily for payroll. The payroll ACH transfers were always made on Fridays from a computer in Patco’s office with the same static IP address. Over six years, the largest ACH amount was $36,000 and the highest risk score was 214. In May 2009, an unauthorized person who supplied the correct user name, password and challenge question answers to access Patco’s Internet bank account made a series of daily fraudulent ACH transfers over the course of one week that totaled $588,851. All of the logins associated with the fraudulent transfers were from an unrecognized device and an IP address that Patco had never used. The daily fraudulent transfers were two and three times larger than any daily transfer Patco had requested in the prior six years, and they were assigned high-risk scores of 720 and 790. The payments were directed to accounts that had never before received payments from Patco. Even though the fraudulent transfer orders generated high-risk scores, the bank did not manually review any of the high-risk transactions.

The fraudulent transfers were only detected after Patco received notice by mail from the bank that some of the fraudulent transfers failed because they were sent to invalid account numbers. Even after Patco notified the bank of unauthorized transfers, another unauthorized transfer order was placed and initially processed by the bank. The bank was only able to recover or block some of the transfers, leaving a net loss of $345,000.

Commercially Unreasonable. In finding that the bank’s security procedures were commercially unreasonable, the First Circuit relied on the totality of the following “collective failures”: (1) prior to May 2009, the bank was aware of the increased fraud resulting from keylogger malware and had already experienced two other instances of fraud associated with keylogger malware; (2) the bank lowered its dollar threshold for the use of challenge questions from $100,000 to $1, which the court determined substantially increased the risk that a keylogger would capture the challenge question answers at the same time as the log-in credentials; (3) the bank introduced no additional security measures to counter its decision to lower the challenge question threshold; (4) other similarly situated banks had introduced the use of tokens or manual review and verification of uncharacteristic or suspicious transactions; and (5) the fraudulent transactions were flagged as uncharacteristic, highly suspicious, and potentially fraudulent from a “very high risk non-authenticated device,” but the bank did not use that information in processing the transactions.

Consumer Obligations. The First Circuit noted that there are open questions under Article 4A of the UCC as to what, if any, obligations a company has when the bank’s security system is commercially unreasonable. The court identified two factual issues that might affect this determination: (1) whether Patco had requested e-mail alerts. Patco argued that it requested e-mail alerts from the bank but never received them, while the bank argued that it sent a general notice to all customers with instructions on how to change their “Alerts” to receive e-mail alerts and Patco never set its account to receive alerts; and (2) whether the fraud originated from keylogging malware, because Patco was alleged to have failed to properly preserve available computer forensic evidence (the anti-virus scan that Patco’s IT consultant ran after the fraud was detected quarantined and deleted the encryption key necessary to see the configuration file, which could have shown whether the malware was configured to capture log-in credentials).

The lessons-learned and issues to consider based on this decision include:

(1) Implementing a one-size-fits-all security solution or failing to implement the solution as designed will leave a bank vulnerable to a finding of commercial unreasonableness, especially if the tools give the bank sufficient information to detect and prevent the fraud (e.g. reviewing high-risk transactions before processing) but the bank does not.

(2) When bank employees are contacted by customers who report suspected fraud, what instructions are being given to customers?

  • Are customers instructed to engage a qualified computer forensic expert to examine their computer network and appropriately preserve relevant data?
  • It may be beneficial to develop a standard set of recommendations that can be sent to customers in this scenario, and documentation of sending that communication should be preserved.
  • Are there protocols that result in at least temporarily blocking, or adding heightened monitoring to, all orders on accounts where the customer reports suspicious activity, so that fraudulent orders are not processed after the bank receives the first report of suspicious activity?

(3) If banks are communicating with customers regarding available features and options to enhance the security of Internet banking, are those communications being preserved and documented appropriately so that they may be properly introduced as evidence to show security options made available but not implemented by the customer?

(4) In addition to other security features and best practices, are banks advising customers to use a dedicated computer that is used only for accessing their Internet banking account (e.g. the computer is not used to browse any other sites on the Internet or to check e-mail)?

(5) In deciding how to address the dispute with customers, one factor to consider is that the commercial reasonableness of the security will be judged by courts and juries several years after the incident occurred. And even though the security should be judged based on what was appropriate at the time of the incident, given the speed at which technology and attack vectors change, the passage of time will likely negatively impact the perception of whether the security was commercially reasonable.

Reading This Might Just Preserve Your Identity and Reputation

Authorship Credit: Dave Taylor, Director, Information Technology, Baker & Hostetler LLP

We are seeing a dramatic increase in spam and email phishing schemes once again.  These schemes have become very sophisticated in their ability to mimic the multitudes of legitimate on-line transactions that occur every day.  Please consider the following when reading and reacting to emails.

1. The bad guys love playing off of our emotions.  So they have taken to all manner of “inspiring” a reaction (mouse click) from us.  You have likely seen at least one of the following recently:

  • A purchase confirmation for something you didn’t buy. PayPal and eBay top the list for spoofs lately.
  • A password reset or other account activity that you didn’t actually do.  American Express, Verizon, and Apple iTunes/App Store are frequently spoofed.
  • A LinkedIn request from someone you don’t know.
  • An enticing “offer” that seems to be based on something about you or that is actually legit or important to you – like a subscription offer to some compelling professional content.  This must be real because this offer is only coming to me because it relates to my profession…
  • A text message or IM that has a web link in it, usually congratulating you on winning $100 or something better!

2. Please keep the following in mind:

  • If your name or email address is not in the To: field of an email, it’s a fake.
  • If there are other names in the To: or Cc: field of the email, it is a fake.  No company is going to send you private account info, receipts, or password reset requests AND send them to anyone else at the same time.
  • No company or web site is going to send you an unsolicited password reset request via email.
  • LinkedIn is being used more and more for phishing AND social engineering attempts.  Even if the LinkedIn request actually takes you to LinkedIn, do not automatically accept invitations or connect with anyone you don’t know.  Even if they appear to be connected with others you may know.  Hackers and cyber criminals are using every means available to them to build a facade of credibility.
  • Blackberry, iPhone, and iPad are not immune to malware and phishing attacks.  In fact, because these devices are MOBILE, the bad guys are expecting that your guard is down when working from them.  Many attacks are now designed to exploit vulnerabilities specific to mobile devices.
  • Text messaging is now being used to launch phishing and malware attacks almost as frequently as email.  And many of the mobile platforms are just now patching vulnerabilities that can be used to steal your personal information.

3. What can I do to protect myself and the firm from hackers and phishers?

  • Pay close attention to any and every email you read.  Train yourself to question the legitimacy of any email that “feels” wrong.
  • Remind yourself to delay reacting to such emails especially from your mobile devices.
  • Look for your name, and JUST your name, in the header of the email.
  • Update your mobile device software frequently.
  • Do not click on links in emails, especially from a mobile device; but if you must, at least …
  • Practice the “hover” …  by hovering your mouse cursor over a link, you will see the actual web address that you will be connected to.  If it appears to be completely unrelated to the content of the email – i.e. does not include even the web site or business name, then it’s a fake.  DO NOT CLICK on any such link.
  • Read web links carefully.  You must scroll to the end of the link to see where it’s actually taking you.  Don’t be fooled by the first part of the web link.  For example, this link is actually not related to American Express in any way: americanexpress.com.1243abc.badguy.com.  The domain in this case is badguy.com.  They are not going to be as obvious as I am!  And from your mobile device, you might not even be able to scroll to the end.  What if you only saw the beginning of that link, “americanexpress” or “americanexpress.com”, and the rest was not visible because of the window size?  It would look completely legitimate to you.  And guess what, the bad guys know this and hope that you don’t!!!
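The header rules in section 2 and the “read the whole link” rule in section 3 can be turned into a mechanical check. The following Python script is an added example, not code from the original article: it applies the To:/Cc: tests and the hostname test to a raw message. The sample message, its addresses (alice@example.org is assumed to be the reader’s own address) and the link are constructed; badguy.com is the article’s own placeholder. The two-label rule for the “real” domain is a simplification that the code comments call out.

```python
"""Apply the e-mail checks from the list above to a raw message.

Added example, not from the original article. The message, addresses and
link below are constructed; 'badguy.com' is the article's placeholder.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the reader is one of several recipients, there is a Cc:,
# and the link's leading labels imitate a card issuer.
SAMPLE_MESSAGE = """\
From: "Card Services" <alerts@mail.example>
To: alice@example.org, bob@example.org
Cc: carol@example.org
Subject: Your password was reset

Your password has been changed. If you did not do this, review the
activity at https://americanexpress.com.1243abc.badguy.com/login
"""

ME = "alice@example.org"  # the reader's own address (assumed)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
GENERIC_TLDS = {"com", "net", "org"}


def addresses(msg, header):
    """Lower-cased addresses listed in a header ('To', 'Cc'); [] if absent."""
    value = msg.get(header)
    return [a.addr_spec.lower() for a in value.addresses] if value else []


def registrable_domain(host):
    """The last two labels of a hostname: the part the operator actually controls.
    Simplification: real code should consult the Public Suffix List, since
    names such as example.co.uk need three labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_brand_domain(host):
    """True when a generic TLD appears before the final label, e.g. the
    'americanexpress.com.' prefix in americanexpress.com.1243abc.badguy.com."""
    labels = host.lower().split(".")
    return any(label in GENERIC_TLDS for label in labels[:-1])


def link_hosts(body):
    """Map each URL in the body to the host the browser would really contact."""
    return {url: (urlparse(url).hostname or "") for url in URL_RE.findall(body)}


def check_message(raw, me):
    """Return the reasons the message fails the article's tests ([] = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    to, cc = addresses(msg, "To"), addresses(msg, "Cc")
    findings = []
    if me.lower() not in to:
        findings.append("your address is not in To:")
    if len(to) > 1 or cc:
        findings.append("other recipients in To:/Cc:")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url, host in link_hosts(body).items():
        # report where the link really goes, whatever its first labels say
        findings.append(f"link {url} actually goes to {registrable_domain(host)}")
        if embedded_brand_domain(host):
            findings.append(f"brand name embedded as a subdomain in {host}")
    return findings


if __name__ == "__main__":
    for reason in check_message(SAMPLE_MESSAGE, ME):
        print("suspicious:", reason)
```

The script reports rather than decides: a legitimate newsletter can fail the To:/Cc: test, so the output is a list of reasons for a human to weigh, which is exactly the “question the legitimacy” habit the list asks for.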

SEC and CFTC Propose Identity Theft Prevention Rules

Reflecting an increased interest in data privacy concerns, on February 28, 2012, the Securities and Exchange Commission and the Commodity Futures Trading Commission jointly released proposed rules designed to protect investors from identity theft by mandating the creation of programs to detect potential security threats.  The proposed rules are meant to implement Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The written identity theft prevention programs mandated under the proposed rules would be designed to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.  Such programs would be triggered by the occurrence of certain “red flags,” including such patterns, practices and specific activities that indicate a potential instance of identity theft.

The proposed rules would apply to broker-dealers, mutual funds and other SEC-regulated entities, as well as futures commission merchants, retail foreign exchange dealers, commodity trading advisers, commodity pool operators, introducing brokers, swap dealers and major swap participants on the CFTC side.

The release also includes guidelines to assist entities in their compliance with the proposed rules.

Authorship Credit: Robert A. Oestreicher

Hi-Tech & Low-Tech Social Engineering Used for Corporate Bank Account Takeovers

Hi-Tech

Corporate bank accounts continue to be targeted by criminals who use various forms of malware to gain access to the account and then wire money out of it.  One variation of these cyberattacks combines a virus that captures corporate online banking credentials with a DDoS attack against the bank.  The virus is a variation of the Zeus virus, and it is being sent through spear phishing e-mails designed to look as though they were sent by NACHA to alert a user of a problem with an ACH transaction.  NACHA has continued to post alerts on its website since mid-November warning about the false e-mails.  Apparently, when the attackers capture online banking credentials, they initiate a denial of service attack against the bank in an effort to keep the bank IT team and the victim (who cannot log in to the account to see that the transfers are occurring) from detecting and stopping the fraudulent wire transfers.  This article summarizes the new attack.

When the criminals are successful, the customer naturally asks the bank to make it whole, and if the bank declines, litigation often ensues.  There have been diverging results in recent court decisions on claims to recover money lost to fraudulent wire transfers.  The plaintiffs base their negligence claims on allegations that the banks failed to comply with the FFIEC guidelines because they are using only single-factor authentication (user name and password) for online banking access (e.g. Global Title, LLC v. Capital One Bank).  It is likely that we will continue to see these cases being filed, especially if the bank involved is not in compliance with the revised FFIEC guidelines (Supplement to Authentication in an Internet Banking Environment) that took effect January 1, 2012.  And following the new multi-factor authentication guidelines is not a guarantee of security: criminals have developed, for example, a man-in-the-browser attack to defeat multi-factor environments.

Low-Tech

Criminals have also recently targeted another potential weakness in a financial institution’s security measures, which has nothing to do with their computer systems:  call center representatives who have been trained to assist customers by providing them with information about their accounts.  This potential vulnerability is in large part dependent upon the vast amount of personal information that is now available on the internet.  With a few simple searches, criminals can know a person’s home address, home and work phone numbers, and work email address in a matter of minutes.  This, of course, is the same type of information financial institutions use to verify a customer’s identification when they call with questions about their accounts.

Armed with this information, criminals then attempt to social engineer call center representatives to collect more.  In particular, they want to collect the account and PIN numbers and log-in identifications that are necessary to initiate wire transfers out of the customer’s account.  This type of low-tech social engineering scheme may take place over a period of months.  As the scheme evolves, however, the process generally remains the same:  repeated phone calls to call center representatives, in an attempt to get them to unwittingly provide the information needed to initiate wire transfers out of the customer’s account.

With that having been said, we believe there are four steps any financial institution can take to help keep it from being victimized by this type of fraud.  First, make call center representatives aware of its potential.  They are the front line of defense, and educating them should go a long way toward preventing a low-tech scheme from being successful.  Second, enable call center representatives to quickly check for repeated call activity from a customer.  This does not need to be done on every call, but it is good to have available when there is reason to be suspicious.  Third, refuse to ever disclose account numbers, log-in identifications and PIN numbers over the phone.  Fourth, and finally, set up the financial institution’s FedEx or UPS accounts so that packages containing log-in identifications and PIN numbers cannot be re-routed.  If the accounts are not set up in this way, criminals can use the same social engineering techniques on the shipping companies and have the packages re-routed to their own address.
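The second step, a quick check for repeated call activity, is the one most easily supported by tooling. The following Python snippet is an added example, not part of the original article: it runs over a constructed call log, flags accounts contacted three or more times within seven days (both thresholds are assumptions), lists callers who asked for items the third step says should never be read out over the phone, and assembles the summary a representative could see when pulling up an account during a suspicious call. The log layout and account identifiers are constructed.

```python
"""Quick checks a call center representative could run on a suspicious call.

Added example, not from the original article. The call log, field layout
and thresholds (3 calls in 7 days) are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call log: (timestamp, account id, what the caller asked for).
CALL_LOG = [
    ("2012-03-01 09:12", "ACCT-1001", "balance"),
    ("2012-03-02 14:30", "ACCT-1001", "address on file"),
    ("2012-03-05 10:05", "ACCT-1001", "online banking user id"),
    ("2012-03-06 16:45", "ACCT-1001", "reset pin"),
    ("2012-03-03 11:00", "ACCT-2002", "balance"),
    ("2012-03-20 11:00", "ACCT-2002", "balance"),
]

# Items the article says should never be disclosed over the phone.
NEVER_BY_PHONE = {"account number", "online banking user id", "reset pin", "pin"}


def calls_by_account(rows):
    """Group the log by account, each list sorted by time."""
    grouped = defaultdict(list)
    for ts, acct, request in rows:
        grouped[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), request))
    for calls in grouped.values():
        calls.sort()
    return grouped


def repeated_callers(rows, window=timedelta(days=7), threshold=3):
    """{account: most calls seen inside any one window} for accounts reaching the threshold."""
    flagged = {}
    for acct, calls in calls_by_account(rows).items():
        start = 0
        for end in range(len(calls)):
            # slide the window start forward until it spans at most `window`
            while calls[end][0] - calls[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[acct] = max(flagged.get(acct, 0), count)
    return flagged


def sensitive_requests(rows):
    """(account, request) pairs where the caller asked for something on the never list."""
    return [(acct, req) for _, acct, req in rows if req.lower() in NEVER_BY_PHONE]


def screen_pop(rows, acct):
    """What the representative sees when pulling up an account mid-call."""
    calls = calls_by_account(rows).get(acct, [])
    return {
        "calls_logged": len(calls),
        "repeat_caller": acct in repeated_callers(rows),
        "sensitive_requests": [req for _, req in calls if req.lower() in NEVER_BY_PHONE],
    }


if __name__ == "__main__":
    print(repeated_callers(CALL_LOG))
    print(screen_pop(CALL_LOG, "ACCT-1001"))
```

The sliding window is what makes the check cheap enough to run on demand: one pass over an account’s sorted calls, no database-wide scan. Logging what each caller asked for, not just that a call occurred, is what lets the history of an account show the pattern the article describes, a slow accumulation of pieces over months.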

These four steps should help prevent financial institutions from becoming the victim of a low-tech social engineering data breach.  At the very least, raising awareness among the bank’s workforce of the potential for this type of fraudulent activity should go a long way toward preventing it from being effective.

Authorship Credit: David A. Carney & Craig A. Hoffman

FTC Report Shows Rise in Identity Theft Complaints

The Federal Trade Commission has released the Consumer Sentinel Network Data Book, its annual report of complaints filed with the FTC and other state organizations. The report tracks consumer complaints by categories such as fraud, identity theft, and other. Fraud complaints span 30 different categories, including debt collection, bank/lending services, prizes/sweepstakes/lotteries, impostor scams, shop-at-home and catalog sales, and foreign money offers/counterfeit check scams. Identity theft complaints include credit card fraud, government documents/benefits fraud, phone/utilities fraud, bank fraud, loan fraud, and employment-related fraud.

The report reveals that more than 1.8 million complaints were filed during 2011, up from 1.4 million in 2010. Of those complaints:

  • Approximately 55% were related to fraud and 15% related to identity theft.
  • 56% of consumers reporting fraud said the initial method of contact with the offending party was via email or Internet websites.
  • Government documents/benefits fraud (27%) was the most common form of identity theft, an increase of 11% since 2009, followed by credit card fraud (14%), phone/utilities fraud (14%), and bank fraud (9%).
  • Top 5 states with the highest per capita rate of fraud complaints:
      1. Colorado
      2. Delaware
      3. Massachusetts
      4. Nevada
      5. Virginia
  • Top 5 states with the highest per capita rate of identity theft complaints:
      1. Florida
      2. Georgia
      3. California
      4. Arizona
      5. Texas

The complaints are collected and stored by the Consumer Sentinel Network, Identity Theft Data Clearinghouse, Econsumer.gov, and Consumer Sentinel/Military for law enforcement purposes. The databases are only accessible to law enforcement personnel, but others may access the summary report here.

Privacy and Data Breach Regulatory Activity--A Year in Review

While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies, both state and federal, including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Securities and Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).

FTC 

The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices.  The FTC has the power to regulate against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.  In 2011, there were several noteworthy FTC actions in the privacy sector.

  • Google Buzz:  The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz.  The settlement bars the company from future privacy misrepresentations.  Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years.  Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
  • Playdom:  Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent.  The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom for $3,000,000.  COPPA prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information about children under 13 (including name, address, email address, telephone number, social security number, etc.) without verifiable parental consent.  The FTC has online resources for those interested in learning more about COPPA.
  • Facebook:  Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement [pdf] in November of 2011.  As we reported here, by adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  The focus of the FTC seemed to be on sharing user information and making certain user information available without clear consent.  Similar to the Google Buzz settlement, Facebook agreed to not misrepresent its privacy controls.  Independent audits for the next 20 years are also part of the settlement.

With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012.  The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?

DOE 

We have seen investigations by the DOE following data breaches involving educational institutions pursuant to Family Educational Rights and Privacy Act (FERPA).  While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public.  We expect that this activity will continue in the new year, particularly since the DOE has been more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of FERPA regulations.

HHS OCR

Since the enactment of HITECH, and with its enforcement authority of the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations.  Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation.  While penalties are available, we have not seen significant activity in this regard.  Still, there were two civil penalties assessed in 2011 that may be a warning call that the HHS is looking carefully at the safeguards in place to protect protected health information (PHI) at healthcare organizations.   The first penalty was for $1M and involved Massachusetts General Hospital.  There, records of 192 patients of the Infectious Disease Associates outpatient practice were lost on public transportation—some containing diagnoses of HIV/AIDS.  The second incident involved a $4.3M penalty against Cignet for refusing to provide 41 patients access to medical records.  Additionally, it was alleged that Cignet did not cooperate with HHS’s investigation.  With the audits of covered entities commencing just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.

State AGs

2011 brought additional activity by state AGs.  AGs have enforcement authority of their own state data breach laws in most cases, as well as enforcement authority under HITECH.  Two actions came out of Massachusetts that should be closely followed. The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain.  On March 28, 2011, the Briar Group was the first company to be fined under the Massachusetts Data Privacy Law.  In addition to the $110,000 in penalties, the Briar Group will have to prove compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry Security Standards.  The second action involved Belmont Savings Bank and a $7,500 fine.  The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to be discarded in a trash can by a cleaning company.  The focus of this action seems to be an allegation of poor information security practices, including security procedures for handling computer tapes and customer information.  Also, in Indiana, the Attorney General settled with WellPoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach.  WellPoint was also required to provide up to 2 years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the incident.  The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.

In addition, the HHS conducted training sessions for HITECH enforcement this year to state AGs.  Now that the training has been completed, we expect to see increased activity in 2012.

These are some of the 2011 regulatory highlights.  Other agencies have been active as well.  No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation.  As we discussed here, regulators expect a prompt and thorough response, transparency and involvement by the C-Suite. 

Facial Recognition: The End of Privacy or a Precursor for New Laws?

Do you feel compelled to wear a Richard Nixon mask or a baseball hat equipped with infrared signal emitters on the brim when you leave the house?  If so, you may be trying to prevent a passerby on the street from guessing your name, interests, Social Security number, or credit score using only a pair of face-scanning glasses and an iPhone.  This is not science fiction—law enforcement has been using facial recognition technology for years.  Through advances in facial recognition software and the convergence of the vast amount of personal information on social networks (especially photographs), smartphones, the power of cloud computing, and statistical re-identification, the use of this technology has the potential to become widespread.  The potential ubiquitous use of facial recognition technology raises critical concerns regarding privacy, security, and basic freedom.

Facial recognition technology traces its origin to government-funded research in the 1960s.  The technology works by using an algorithm to create a unique numerical code from distinguishable landmarks on faces, sometimes called nodal points.  The technology measures approximately 80 nodal points, such as the distance between eyes, nose width, eye socket depth, and jaw line length.  The unique code or “biometric template” created by facial recognition software from a photograph can be stored in a database and later compared to other photographs to create a match. 

There are several applications of facial recognition technology in law enforcement that most would agree are useful.  Police in Tampa, Florida have made over 500 arrests after identifying suspects by taking photographs at a traffic stop and comparing the images to a mugshot database.  In 2010, the Massachusetts state police obtained over 100 arrest warrants for creating false identities and revoked 1,860 licenses using facial recognition software against the state’s driver’s license registry.  In Britain, Scotland Yard is using facial recognition software to identify suspects from the recent riots in London.    

Facial recognition can also provide modern convenience.  Since 2002, Australians have been able to use self-processing e-passports at airport customs checkpoints.  Advertisers have generated more relevant billboard advertisements based on the age and gender of passers-by.  Even Facebook uses facial recognition to suggest the identity of friends to tag in a photo, and programs like iPhoto and Picasa allow users to organize photographs by faces.

The technology is not foolproof, and there are other applications that are outright alarming.  The ability to successfully identify a person by matching two photographs is dependent on the quality of the images.  If the person in the photograph is not directly facing the camera with open eyes and in front of a plain, light-colored background, the performance of the facial recognition software declines.  Thus, while you can obtain a high-quality picture from a driver’s license database, pictures taken without the cooperation of the subject (e.g. through surveillance cameras) rarely meet the ideal standard.  Although the technology has improved over the last ten years, there is an inherent error rate because it is reliant on statistics.  Accordingly, either matches that should be made do not occur or false identifications happen.   
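To make the “inherent error rate” concrete, here is a toy version of the template-and-compare process described above, written in Python as an added example that is not part of the original article. Six constructed landmark points stand in for the roughly 80 nodal points a real system measures; the template is the set of pairwise distances normalised by the inter-eye distance (so it does not change with image scale), the comparison is a distance between two templates, and a threshold turns that distance into a yes/no match. Sweeping the threshold shows the trade-off the text describes: tighten it and a genuine match is refused, loosen it and a stranger is accepted. The coordinates, the six landmarks and the thresholds are all constructed for illustration.

```python
"""Toy biometric template matching, to make the error-rate point concrete.

Added example, not from the original article. The landmark coordinates are
constructed; a real system measures dozens of nodal points from an image,
this one uses six hand-picked ones.
"""
import math

# Constructed landmarks (x, y) in pixels: left eye, right eye, nose tip,
# left mouth corner, right mouth corner, chin.  ENROLL is the stored photo;
# SAME_PERSON is the same face at twice the scale with small pose changes;
# OTHER is a different face photographed at the same scale as ENROLL.
ENROLL      = [(100, 100), (160, 100), (130, 140), (110, 175), (150, 175), (130, 210)]
SAME_PERSON = [(200, 200), (320, 202), (262, 282), (222, 350), (300, 352), (262, 420)]
OTHER       = [(100, 100), (160, 100), (130, 150), (105, 180), (155, 180), (130, 225)]


def template(landmarks):
    """Biometric template: every pairwise distance divided by the inter-eye distance.
    Normalising by the eye distance makes the code independent of image scale."""
    eye_dist = math.dist(landmarks[0], landmarks[1])
    pairs = [(i, j) for i in range(len(landmarks)) for j in range(i + 1, len(landmarks))]
    return [math.dist(landmarks[i], landmarks[j]) / eye_dist for i, j in pairs]


def score(t1, t2):
    """Euclidean distance between two templates; 0.0 means identical measurements."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(t1, t2)))


def is_match(t1, t2, threshold):
    """The decision rule: a match is any score at or below the threshold."""
    return score(t1, t2) <= threshold


def error_counts(enrolled, genuine, impostors, threshold):
    """(false rejects, false accepts) at one threshold: genuine templates that
    were refused and impostor templates that were accepted."""
    false_rejects = sum(not is_match(enrolled, g, threshold) for g in genuine)
    false_accepts = sum(is_match(enrolled, i, threshold) for i in impostors)
    return false_rejects, false_accepts


def sweep(enrolled, genuine, impostors, thresholds):
    """[(threshold, false rejects, false accepts), ...] to expose the trade-off."""
    return [(t,) + error_counts(enrolled, genuine, impostors, t) for t in thresholds]


if __name__ == "__main__":
    enrolled = template(ENROLL)
    print("genuine score :", round(score(enrolled, template(SAME_PERSON)), 3))
    print("impostor score:", round(score(enrolled, template(OTHER)), 3))
    for t, fr, fa in sweep(enrolled, [template(SAME_PERSON)], [template(OTHER)], [0.02, 0.2, 1.0]):
        print(f"threshold {t}: false rejects {fr}, false accepts {fa}")
```

Two features of the toy carry over to real systems. The genuine pair never scores exactly zero, because pose and lighting perturb the measurements, so equality is useless and a threshold is unavoidable; and whatever threshold is picked, the two error counts move in opposite directions, which is why a system can be tuned for few missed suspects or few false identifications but not both.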

A driver in Boston recently had his license revoked because his picture closely matched the picture of another driver.  Although his license was returned, it took days of wrangling for him to prove his identity.  At least 34 other states are using similar technology.  There are no current reported statistics on the number of false positives, but Massachusetts alone issues 1,500 suspension letters per day using the system. 

On August 4, 2011, researchers from Carnegie Mellon’s CyLab presented the results of three experiments from which they concluded that it is possible to use facial recognition software to identify strangers and then determine sensitive information about that person, including their Social Security number.

In one experiment, the researchers were able to identify members of Match.com, who used pseudonyms on the dating site to protect their identities, by comparing their profile photograph to photographs on Facebook. 

In the second experiment, they took photographs of college students that they were able to successfully match one-third of the time to the student’s Facebook profile (in less than three seconds). 

In the third experiment, the researchers used a custom iPhone application to predict a stranger’s Social Security number (generally just the first five digits) by matching a photograph to a Facebook profile picture in conjunction with information about the stranger’s state and year of birth gathered online.  The lead researcher, Alessandro Acquisti, said: “A person’s face is the veritable link between their offline and online identities.”

In addition to the obvious privacy concerns, there are security and personal liberty concerns.  According to a report, one in 750 passengers scanned at an international airport in the United States is falsely identified, and some of the falsely identified individuals may have been temporarily detained by the FBI.  In locations where biometric data like facial recognition is used to gain entry to a secured area or through customs, the failure of those institutions to safeguard that data in a computer system can lead to unauthorized persons gaining access. 

Although it is not yet possible to consistently and accurately identify all of the faces in a crowd, the technological limitations are likely to continue to fade.  The billions of images tagged on social networking sites and associated data provide an easily accessible source of personal information to match with other offline data collected by data aggregators, which can be turned into detailed personal profiles and sold to companies for use in behavioral advertising targeted directly to you through your smartphone or cable box.   It may become possible to search for a person online using an image of their face just as easily as it is now to enter a name in a search engine.  On the law enforcement side, the FBI will begin testing its Next Generation Identification facial recognition system in January 2012 in four states.  The system, which will also use biometric indicators (e.g. iris scans and voice recordings) to identify suspects, will match a photo of an unknown person against mug shots.   

Facial recognition technology has not gone unnoticed by lawmakers and regulators.  The FTC is hosting a workshop to explore beneficial uses of the technology and the associated privacy and security concerns on December 8, 2011.  And U.S. Senator John Rockefeller has asked the FTC to provide a report on the findings from its workshop to his Commerce Committee.    

This article, which was published in the December 2011 CBA Report, is republished with permission.

Beware an Email Scam That Appears to be From a Friend in Need

Authorship credit: Richard M. Lehrer

The following reveals the importance of (i) selecting a strong password (one with at least a combination of numbers and letters) for association with your email account and (ii) confirming all information before sending money in response to any email.

In the coming days you may receive an email from a friend informing you that she was robbed while on vacation and that she desperately needs to borrow some money to get home.  The following is an example of such an email: 

I'm sorry for this sudden request, It's because things actually got out of control. I'm stuck in Cardiff Wales, UK with family right now, we came down here on a short Vacation, We were mugged and all our belongings including cell phone and credit cards were all stolen at "GUN POINT". It was a traumatic experience for me and my family. I need your help flying back home as we are trying to raise some money to get back home. The good thing is that we still have our passports but the airline is requesting for extra charges on re-print of misplaced airline tickets and also getting a cab to take us to the airport, Please I need you to loan me some money, I will reimburse you as soon as I'm back home. All we need is $2,550.00 but anything you can spare right now will be appreciated and I promise to refund it to you as soon as I arrive back home safely, I give you my word. You can get it to me through western union, Please get back to me so that I can give you my details to send the money to.

Thanks
[Signed with friend’s name]

If/when you receive such an email, be concerned, but also be suspicious.  There is a good chance that your friend is not on vacation, but that her email account has been hacked.  While it is possible that you will receive a valid email from a friend in need, be very wary before sending any money to that friend.  Always confirm that the message actually originated from your friend (ask for a telephone contact, ask that information be provided that only your friend would know, or call your friend to see if you can reach them) before providing assistance.  It may delay the process, but it may also save you from being the friend who gets robbed.

Additionally, after the account is compromised, the hackers delete all emails and contact information from the account in an apparent attempt to prevent the account holder from warning their friends.  If you find yourself in this situation, remember that you probably have other social media accounts from which you can warn your friends.  It is important that you quickly post a message on those accounts informing your friends not to send you money and change the password on your email account.


Hackers Are Using Compromised Personal Information to Further Hacking Schemes

In talking to friends and clients, we are seeing a recent upsurge in attacks by hackers who appear to have access to compromised personal information and are using that information to further hacking schemes.  We are sharing the facts of two recent attacks so that you can be on the lookout for these hacking techniques.

1.  An individual reported receiving an authentic looking email from his credit card company showing his account information. The email warned of a disruption in his charging privileges and instructed him to:  "Click here to resolve this important computer security issue."  The link appeared to be a valid link to his credit card company's official web site, but was not.   Links are easy to "spoof" -- which refers to hiding a link to a malicious web site behind text that appears to be a link to a legitimate web site.  In this case, if this individual had clicked the link, he would have been sent to a web site created for the purpose of identity theft.  Banks, credit cards, and financial institutions do not report fraud or abuse/misuse via email.  Whenever you receive an email like this, you should do exactly what this individual did:

A.  Report the suspicious email to your Information Services Team.

B.  Call the financial institution that was spoofed to check on the status of your account and make a report to their fraud department.

2.  We also received another report from an individual who received an email that appeared to be from a major national retailer. The email included his contact information and frequent shopper number.  The link, however, was spoofed and actually pointed to a malicious Internet address.  This appears to be another case where an individual's personal information was compromised and is now being used for a further attempt at identity theft.  If you have an interest in some offer being shared via email, do not click the link in the email.  Launch your browser and go to the actual web page for the business.  It's worth the extra time to not put yourself or your company at risk.

Never open a link that is not from a trusted source.  But the fact that the link appears to be from a trusted source is not enough.  It is critical to be aware of hacking tactics. Smart computing habits (especially handling email and web activity) remain among our best defenses to hackers.  Feel free to share this information among your friends and co-workers.
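Link spoofing of the kind described in both reports is detectable because the visible text of an HTML link and its destination are two separate things. The following Python script is an added example, not the article’s own code: it pulls every anchor out of a constructed HTML body, flags anchors whose visible text names one site while the href goes to another, and separately lists every destination that is not under a host the reader trusts, which also catches a bare “Click here” link that makes no visible claim at all. The host names cardco.example and badguy.example are placeholders standing in for the spoofed institution and the malicious site.

```python
"""Find 'spoofed' links in an HTML e-mail: anchors whose visible text names one
site while the href points somewhere else, and links to untrusted hosts.

Added example, not from the original article. The HTML is constructed;
'cardco.example' stands in for the institution and 'badguy.example' for the
malicious host (both placeholders).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname from a URL or bare domain, lower-cased; '' if there is none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def same_site(domain, host):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def collect(html):
    parser = AnchorCollector()
    parser.feed(html)
    return parser.anchors


def spoofed_links(html):
    """[(visible text, real host)] for anchors whose text looks like an address
    but whose href resolves to a different site."""
    findings = []
    for href, text in collect(html):
        shown = host_of(text)
        if "." not in shown:          # words like 'Click here' make no claim
            continue
        real = host_of(href)
        if not same_site(shown, real):
            findings.append((text, real))
    return findings


def unexpected_destinations(html, trusted_domains):
    """[(visible text, real host)] for anchors not under any trusted domain.
    This catches 'Click here' links, which spoofed_links() cannot judge."""
    trusted = {d.lower() for d in trusted_domains}
    return [(text, host_of(href)) for href, text in collect(html)
            if not any(same_site(d, host_of(href)) for d in trusted)]


# Constructed HTML body modelled on the first report above.
SAMPLE_HTML = """
<p>Your charging privileges are at risk.</p>
<p>Visit <a href="https://login.badguy.example/x">https://www.cardco.example/account</a>
to resolve this issue, or see <a href="https://www.cardco.example/help">www.cardco.example</a>.</p>
<p><a href="https://badguy.example/y">Click here</a> to resolve this important computer security issue.</p>
"""

if __name__ == "__main__":
    print("text/href mismatch:", spoofed_links(SAMPLE_HTML))
    print("not under cardco.example:", unexpected_destinations(SAMPLE_HTML, {"cardco.example"}))
```

The second function is the programmatic form of the advice in the article: rather than asking whether a link looks right, it asks whether the destination is a host you already know belongs to the business, which is the same question answered by typing the address into the browser yourself.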