What a night at this evening’s 2015 Public Justice Gala in Montreal, Canada. More to come in future posts. However, I wanted to share with you the amazing moments between the new President of Public Justice, Brad J. Moore, and SKW partner Keith L. Kessler. The room was filled with dedicated advocates, who have fought tirelessly for consumer rights. I could go on and on right now, but it’s late. So, I will just put up a couple of wonderful photos.
The first photo (see top of this post) is of Brad Moore and Esther Berezhovsky (outgoing PJ president) on stage.
The next one is of Brad and Keith. Can you see the joy and pride in Keith’s eyes? What a proud father and tremendous mentor…
Brad’s mother, former State Senate House Majority Leader Lynn Kessler, did me the honor of sitting next to me and sharing a little about Brad before he started practicing law. I am truly proud to be a part of such a remarkable firm. We will continue to champion the rights of consumers everywhere.
We are actively investigating a class action on behalf of all Washington State consumers who have received notification that their information was affected as a result of Anthem’s 2014 data breach. SKW Seattle Data Breach/Class Action attorneys were provided with information that links Washington residents who were Anthem insureds directly with instances of tax fraud and other attempts at identity theft.
As the NY Times recently reported, over 200,000 attempts to view past returns using stolen information were made from February of this year to mid-May. What’s scarier: about half of the attempts were successful. According to a data security expert and consultant who is a source close to the SKW law firm, there is a direct connection between the Anthem data breach and fraudulent tax returns in Washington state. More to come in future posts.
If you were a Washington state resident insured with Anthem or Apple Health (Washington State Medicaid provider) and have experienced identity theft, please contact Catherine@Stritmatter.com.
We are actively investigating a class action lawsuit against Anthem for Washington State consumers. We have spoken with a few individuals who have already received a notice of the data breach. If you know of someone in Washington who was insured with Anthem and who has received notice of the breach, please contact me at Catherine@stritmatter.com or Counsel@stritmatter.com.
Many questions ran through my head about Premera’s information security when news of its massive data breach involving at least 11 million customers first came out earlier this week. Initially, some praised Premera’s response to the sophisticated cyber attack that reportedly occurred in May 2014. However, it turns out that before the breach ever occurred, a federal watchdog agency (Office of Personnel Management’s Office of Inspector General) notified Premera of at least 10 ways that it should address a range of security weaknesses that the audit of their systems revealed.
Among the weaknesses found by the Office of Personnel Management’s Office of Inspector General’s audit were issues related to patch management, insecure server configurations and weaknesses related to password history configuration settings.
Pop. With the news about the fed audit and findings, the bubble of hope in my mind burst: Looks like Premera had not done everything possible in securing its customers’ data before the May 2014 cyberattack. In fact, Premera had “respectfully disagreed” with some of the recommendations related to patches “as it believe[d] deployment of critical security patches is in compliance with the documented patch management policy provided to the OPM audit staff.”
OIG didn’t agree:
The results of the vulnerability scans performed during the fieldwork phase of this audit indicated that Premera was not in compliance with its policy for deploying patches within a specific timeframe based on criticality. As part of the audit resolution process, we recommend that Premera provide OPM with evidence that it has adequately implemented this recommendation. [emphasis added]
The onsite portion of the audit was conducted during January and February of 2014, with additional offsite audit work performed by OIG before and after the on-site visit. The draft report that OIG issued to Premera on April 18, 2014, was based on Premera’s security controls as of March 2014, according to a final version of the report that OIG issued publicly in November 2014.
In a statement earlier this week, Premera, based in Mountlake Terrace, Wash., said that on Jan. 29, it discovered that cyber-attackers had gained unauthorized access to its systems, exposing information on 11 million individuals. An investigation by forensic experts hired by Premera shows that the initial attack occurred on May 5, 2014, the insurer says. That’s less than a month after OIG issued its draft audit report. What unfortunate timing for Premera and all of its insureds…
Granted, no one is yet saying that Premera’s timely compliance with OIG’s recommendations would have thwarted the May 2014 cyberattack. The facts should illuminate all of us at some point down the road*. In the meantime, privacy experts such as Kate Borten point out that “failure to patch and unsecure configurations are vulnerabilities we’ve known about for decades…Regardless of whether they contributed to this latest attack, every organization – large and small – should pay attention to such common issues… Make it a priority to keep up with patches. Run vulnerability scans and respond to them by correcting security problems. Make sure your tech and infosec staff understand these security risks, and train them if not.”
NOTE: Stritmatter Kessler Whelan is researching a potential class action against Premera. If you or someone you know had an individual plan (not on a company sponsored plan), please contact me at Catherine@Stritmatter.com.
Sprint may have been overcharging its consumers to the tune of millions of dollars by cramming unauthorized charges onto its consumers’ bills. Haven’t we heard this before? Yes, in fact earlier this year, SKW attorney Brad J. Moore, also the President Elect of Public Justice (the country’s largest public interest law firm focused on consumer protection) obtained a $20 million class action settlement against Sprint PCS for illegal taxes.
Most recently, the Federal Communications Commission (FCC) and Consumer Financial Protection Bureau are targeting Sprint in an investigation for practices of illegally billing customers tens of millions of dollars for unauthorized charges related to premium text messages.
Just yesterday, the consumer bureau sued Sprint in Federal District Court in Manhattan. The lawsuit claims that Sprint has been operating a billing system that allows third parties to “cram” unauthorized charges onto consumers’ mobile phone bills.
On a parallel track, the F.C.C. is conducting a similar investigation. Sources reveal that a settlement where Sprint would pay $105 million in refunds/restitution is imminent.
“Consumers ended up paying tens of millions of dollars in unauthorized charges, even though many of them had no idea that third parties could even place charges on their bills,” said Richard Cordray, director of the consumer bureau. “As the use of mobile payments grows, we will continue to hold wireless carriers accountable for illegal third-party billing.”
In the past, the F.C.C., the Federal Trade Commission and state attorneys general have participated in lawsuits or settlements with AT&T and T-Mobile for similar alleged cramming charges. The practices under scrutiny typically focused on charges on customers’ bills for premium text messages that came via horoscopes or other digital content.
The three major mobile companies have gotten hit with accusations of ignoring warning signs that many of the charges were unauthorized. Ignoring thousands of consumer complaints, these carriers blithely allowed third-party companies to assess the charges.
The action by the consumer bureau is a clear signal (again, no pun intended!) of its ongoing plans to police mobile payment systems (e.g., Apple Pay, Google Wallet, and others). Thank goodness for consumer protection groups and watchful agencies who are not entirely in the pockets of these mobile companies.
This past week, an important milestone was reached for online privacy and consumer protection.
Gmail users often ignore the fact that targeted ads appear when they access their Gmail. Google’s contention is that its users opt in because they have read and have agreed to Google’s Privacy Policies. But U.S. District Judge Lucy Koh disagreed. She found that Google’s Terms of Service and Privacy Policies did not inform users about the Gmail interceptions. She wrote:
The Court finds, however, that those policies did not explicitly notify Plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising …
The Court therefore finds that a reasonable Gmail user who read the Privacy Policies would not have necessarily understood that her emails were being intercepted to create user profiles or to provide targeted advertisements. Accordingly, the Court finds that it cannot conclude at this phase that the new policies demonstrate that Gmail user Plaintiffs consented to the interceptions.
California-based Consumer Watchdog Project Director explained the significance of the court’s holding: “Internet communications should be subject to the same privacy laws that exist in the rest of society… The court rightly rejected Google’s tortured logic that you have to accept intrusions of privacy if you want to send email.”
Google’s interception of emails is not within its ordinary course of business.
Stay tuned to see the result of this case, In re Google Inc. Gmail Litigation, 13-md-02430, U.S. District Court, Northern District of California (San Jose). This is going to have a huge impact in the world of online privacy.