Privacy & Identity Theft

Brown Forces Parent Company of TJ Maxx and Marshall's to Block Credit Card Hackers

June 23, 2009
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

Oakland--After a “massive breach” jeopardized the personal information of 50 million consumers, Attorney General Edmund G. Brown Jr. today joined 40 other states in requiring TJX--the parent company of TJ Maxx, Marshall’s, HomeGoods, and A.J. Wright--to bolster the security of its databases.

“TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people,” Brown said. “This agreement requires the company to carefully test its security systems and upgrade them to the highest contemporary standards.”

In January 2007, TJX announced that hackers had gained access to portions of its computer databases, which stored credit and debit card numbers, social security numbers and personal information of over 50 million customers.

Subsequently, 41 state attorneys general launched an investigation into how the hackers gained access and whether the company did enough to protect its customers.

The investigation found that TJX failed to address the security flaws identified in a 2004 internal audit. This audit found major vulnerabilities connected to using firewalls, encrypting cardholder data, updating anti-virus software and regularly testing security systems. Just one year later, hackers from several different countries exploited the same vulnerabilities the audit identified.

The hackers accessed the company’s databases, connected to unsecured wireless networks, on two separate occasions. The first breach occurred in 2005 when hackers accessed TJX’s main server in Framingham, Mass. They targeted unencrypted and unprotected data such as: names, addresses, social security numbers, military ID numbers, and driver’s license numbers. The hackers obtained 94 million unique credit/debit card numbers.

The second breach occurred in 2006, when the hackers installed an Open Virtual Private Network (Open VPN) on the main server. Using this connection, the intruders were able to capture card data such as: account numbers, cardholder names, credit card expiration dates, and PIN numbers. The hackers were able to intercept the data as it was being transmitted from banks to the 1,774 retail stores where customers were making purchases. The company estimates tens of millions of credit card transactions were intercepted.

These consumers were put at risk of identity theft, and many were forced to incur credit monitoring costs.

To date, 11 individuals have been arrested in connection with the incidents. Three of the hackers are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People’s Republic of China and one is from Belarus.

Under the agreement, the company must:
• Implement and maintain an Information Security Program designed to protect the security, confidentiality and integrity of personal information within 120 days;
• Designate employees to coordinate and be accountable for the new Information Security Program;
• Conduct a thorough risk assessment of the program;
• Conduct regular testing and monitoring of the effectiveness of the program;
• Replace or upgrade all wired and wireless systems;
• Refrain from storing all personal data such as: account number, cardholder name, expiration date, and PIN on the magnetic strip on the back of credit cards;
• Install intruder detection systems and other devices to track and monitor unauthorized access; and
• Participate in pilot programs for testing new security-related payment card technology.

In addition, TJX will pay $5.5 million for data protection and consumer protection efforts; $2.5 million to a Data Security Fund to be used to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information; and $1.75 million in other costs and fees associated with the investigation.

California has 73 TJ Maxx stores, 103 Marshall’s stores, 7 A.J. Wright stores and 31 HomeGoods stores. California will receive $624,393 as part of the agreement.

States involved in today’s agreement are: Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.

A copy of the settlement agreement is attached.

Attachment: tjxassurancesofcompliance (PDF, 852.95 KB)

Attorney General Brown Announces Charges Against Physician Accused of Prescription Drug Fraud

February 2, 2009
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

RANCHO CUCAMONGA--Attorney General Edmund G. Brown Jr. today announced that charges were filed against Dr. Lisa Barden of Rancho Cucamonga, who broke the law and “wreaked havoc” on the lives of patients whose identities she stole to obtain highly addictive pain killers.

“This physician wreaked havoc on the lives of dozens of patients, violating her oath and abusing her position as a doctor,” Attorney General Brown said.

In November 2007, the California Department of Justice’s Bureau of Narcotic Enforcement began an investigation of Dr. Barden, who illegally obtained prescription drugs on 131 separate occasions from more than 43 different pharmacies. Barden obtained more than 30,000 tablets of prescription painkillers, including hydrocodone (Vicodin) and oxycodone (Oxycontin). Dr. Barden was arrested on Thursday, January 29.

The Riverside District Attorney’s Office filed 276 felony counts including: commercial burglary, forgery, obtaining a controlled substance by fraud, possession of a controlled substance, insurance fraud and identity theft. Agents recovered from her home multiple prescription pads for 12 different doctors, as well as the personal information of 93 people who are alleged victims of identity theft.

The investigation was led by the Riverside Regional Pharmaceutical Narcotic Enforcement Team, which is a cooperative effort with the California Department of Insurance, Fraud Division and the U.S. Drug Enforcement Administration.

This initiative is part of the Attorney General’s plan to address prescription drug abuse in the state and make it easier for doctors to keep track of prescription drug records.

Prescription drug abuse can have serious public safety consequences, as many abusers hold down critical jobs including truck drivers, transit operators and medical practitioners. The Attorney General has been working in cooperation with the Troy and Alana Pack Foundation, founded by Bob Pack, whose 7- and 10-year-old children were killed by a driver who was under the influence of prescription drugs obtained from multiple doctors, to make tracking prescription drug records easier.

Last year, Attorney General Brown unveiled a plan to provide doctors and pharmacies with real-time Internet access to patient prescription drug histories. Under Brown’s proposal, health professionals will have computer access to the drug histories of patients, replacing the current outdated system that required mailing or faxing written requests for information. Each year, more than 60,000 such requests are made to the California Department of Justice.

The state’s database, known as the Controlled Substance Utilization Review and Evaluation System (CURES), contains 86 million entries for prescription drugs dispensed in California, giving healthcare professionals the technology they need to fight the prescription drug abuse currently burdening California’s healthcare system.

According to the latest Department of Justice “Drug Trends” report, Valium, Vicodin, and Oxycontin are the most prevalent pharmaceutical drugs obtained fraudulently. Vicodin and Oxycontin are the two most abused pharmaceutical drugs in the United States.

Governor And Attorney General Call On Internet Service Providers To Block Child Porn Access

June 20, 2008
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SACRAMENTO--Governor Arnold Schwarzenegger and Attorney General Edmund G. Brown Jr. today called upon California’s Internet service providers to follow the lead of Verizon, Time Warner Cable and Sprint by “removing child pornography from existing servers and blocking channels” that disseminate the illegal material.

“Protecting the safety of our children must be a top priority, not just for government, but also for businesses with the direct power to reduce the ability to conduct illegal activity,” Governor Arnold Schwarzenegger and Attorney General Edmund G. Brown Jr. said in a joint letter to the California Internet Service Provider Association, which represents more than 100 Internet service providers in California.

“We applaud three of the world’s largest Internet service providers—Verizon, Time Warner Cable, and Sprint—for taking steps to block access to child pornography. It is not enough, however, for only a few Internet service providers to join the fight against online predators. Child pornography is not protected by the First Amendment, and distributing this material is illegal.”

On June 10, 2008, New York Attorney General Andrew Cuomo announced agreements with Verizon, Time Warner Cable, and Sprint, to block access to child pornography by purging their servers of existing child pornography and eliminating access to child pornography newsgroups.

Governor Schwarzenegger and Attorney General Brown said other Internet service providers should follow these companies’ lead by ridding their own servers of child pornography and preventing access to illegal content through newsgroups.

“The California Internet Service Providers Association is the largest association of Internet providers in the country and we are asking your members to take their leadership role seriously. The association can begin by working with its more than 100 members to remove child pornography from existing servers and blocking channels, which include newsgroups, used for distributing this material,” Schwarzenegger and Brown said.

California is home to Silicon Valley, which has hundreds of Internet service providers, ranging from large companies to smaller, local providers. Some of the major providers include AT&T and AOL. According to the California ISP Association, the largest such association in the country, there are more than 100 Internet service providers in California.

The California Attorney General’s office has been working with other states to protect children from dangerous predators on the Internet. California recently joined 49 other states in reaching agreements with Myspace and Facebook so that those social networking sites take steps, including age and ID verification processes, to protect children from online sexual predators. The attorney general’s office also deploys special agents who conduct undercover investigations into online sexual predators. For more information about the apprehension teams, visit: www.ag.ca.gov/cbi

A copy of Governor Schwarzenegger and Attorney General Brown’s letter to the California Internet Service Providers Association, sent today, is attached.

Attachment: Letter (PDF, 55.33 KB)

Brown Calls On CVS Pharmacy To End Expired Product Sales, Protect Confidential Information

June 19, 2008
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

LOS ANGELES--California Attorney General Edmund G. Brown Jr. today called upon CVS Pharmacy to immediately stop selling expired products, including baby food and over-the-counter medications, which were discovered during a recent undercover shopping investigation in Southern California. The attorney general also asked CVS to comply with California laws requiring proper storage and disposal of consumers’ confidential medical and financial information.

“State investigators found that dozens of CVS pharmacies in Southern California have old and expired products, including medicines and baby food,” Attorney General Brown said. “CVS Pharmacy should immediately pull these expired products from its shelves and ensure that these consumer safety violations do not occur again,” Brown added.

During a recent undercover shopping operation, state investigators found 48 expired products on the shelves of 26 CVS Pharmacies in Los Angeles, Orange and San Diego Counties. Some of the expired products--which included baby formula, toddler food, and over-the-counter medications--were between four and six months old. Investigators also discovered expired food products including milk and eggs. Some of the products’ “sell by” dates were hidden with price tags or other store stickers.

Recent investigations by the New York Attorney General have also found that CVS Pharmacies in New York have engaged in similarly unlawful selling practices. In a letter sent today, Attorney General Brown asked CVS Pharmacy to change its sales practices to make certain that sales of expired products do not occur in the future.

The California Attorney General’s Office had launched its investigation into CVS Pharmacy sales practices in March, 2008 after receiving consumer reports about expired products on store shelves in Southern California.

Although California law does not explicitly prohibit the sale of certain expired products, federal laws require that products contain expiration dates. The attorney general asserts that placing expired items on its shelves violates false advertising and unfair business practices statutes because CVS Pharmacy falsely implies that its products meet national quality control standards.

Attorney General Brown also asked CVS Pharmacy to disclose its formal policies regarding the collection, retention and destruction of such information to determine whether the company is complying with California law. The attorney general has reason to believe that the company may not have properly safeguarded or disposed of consumers’ private health and financial information, in violation of state consumer protection laws.

In February 2008, Brown reached a settlement with The Walgreen Company after state investigators discovered that that company had failed to properly retain, safeguard and dispose of confidential customer information, in violation of California laws including California Civil Code section 1798.81. Under the terms of that settlement, Walgreens agreed to revise its disposal and retention policies, implement ongoing employee training, and annually review those policies.

In addition to ceasing the sale of expired products, Attorney General Brown today asked CVS Pharmacy to quickly resolve its practice of not protecting private consumer information.

CVS Pharmacy, a division of CVS Caremark Corporation, is the largest retail pharmacy in the United States with more than 6,300 retail locations and approximately 300 stores in California, most in Southern California. The company is headquartered in Woonsocket, Rhode Island.

Brown Assists Prosecutors to Fight ID Theft, Privacy Violations

July 26, 2007
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

LOS ANGELES--In an effort to bolster personal privacy and intellectual property rights, California Attorney General Edmund G. Brown Jr. today announced that District Attorneys in Los Angeles, Orange and San Diego will begin receiving funds for the fight against identity theft violations. The funds, which will be used to purchase specialized equipment, will also assist prosecutors in the evaluation of intellectual property rights violations and other privacy violations. The financial disbursements are the direct result of the state's settlement of a civil case against Hewlett Packard following allegations that the company engaged in the practice of pretexting in order to gain unlawful access to phone records.

The disbursement, totaling $178,000, marks the first of many payments from the state's $13.5 million Privacy and Piracy Fund established in the wake of the settlement. The funds will be used to purchase equipment, including technology for forensic computer analysis, which will assist in the evaluation of evidence from identity theft investigations.

Brown said: 'This Fund provides substantial sums to local prosecutors, over the next decade, to defend against high-tech crimes and identity theft. This action, the first of many, is another step towards protecting personal privacy in the age of the Internet.'

Today's recipients of the grant are the Los Angeles County District Attorney's Office, the Orange County District Attorney's Office, and the San Diego County District Attorney's Office.

Every year, up to $500,000 from the Fund can be distributed to district attorneys and city attorneys so that they can conduct investigations and bring prosecutions to protect privacy rights and intellectual property rights.

The civil complaint alleged that Hewlett Packard used false pretenses to obtain personal confidential information, including billing records, from phone companies.

Attorney General Brown will continue to accept applications for disbursements from the Fund for the remainder of 2007. District attorneys and city attorneys are encouraged to continue submitting applications, pursuant to the instructions outlined at: http://ag.ca.gov/hpsettlement/

The settlement agreement is attached.

Attachment: Agreement (PDF, 173.95 KB)