Zappos.com Customer Account Information Compromised

On January 15, 2012, Zappos.com announced that their customer account information may have been compromised, including customer names, e–mail addresses, billing and shipping addresses, and phone numbers. CNN reports that this affects 24 million Zappos.com customers.

Fortunately, Zappos.com announced that customer credit card numbers were not compromised. Unencrypted customer account passwords were not compromised either, although the encrypted customer account passwords may have been. Even so, Zappos.com took the proactive steps of resetting all customer account passwords and recommending that customers change their passwords at other Web sites.

This is another reminder of how important it is to use separate, strong passwords for each online account that you have. As I mentioned in previous postings, a recent study concluded that 75% of users had the same password for both their e–mail accounts and their social networking accounts. If hackers are able to obtain your username and password from one company, they may try the same username and password combination at other popular Web sites. For a detailed list of other reported data breaches, see the list at Privacy Rights Clearinghouse, a nonprofit consumer organization (at the time of this posting, they listed 2,841 publicly–reported data breaches since 2005!).

I’ve previously written about ways to keep track of and securely store your important passwords and online account information. For online accounts, Microsoft recommends creating strong passwords of 14 characters or more with a combination of uppercase letters, lowercase letters, numbers, and symbols. It’s difficult to remember strong passwords, and it’s easy to make a typo when entering them. As I’ve mentioned before, there are tools that enable you to create and maintain an encrypted electronic list of passwords and online accounts on your smartphone or your computer, and these tools can integrate with your Web browser and automatically look up and enter your passwords for your online accounts. Examples include LastPass, KeePass, 1Password, RoboForm, and Keeper, among others.

Remember to let your family members and fiduciaries know where you keep your “master” password to unlock your encrypted electronic list of passwords and online accounts in case you become incapacitated or die, and make sure they know where your encrypted electronic list is kept too.

Posted in Online Sales Accounts

Unique Virtual Sword Sells for $16,000 in Age of Wulin Video Game

I’ve written before about estate planning and charitable giving with video games and virtual worlds. Here’s another example of how valuable digital property can be—including virtual items in video games.

In December 2011, the developers of the video game Age of Wulin held an auction to sell unique virtual items to use in the video game. One man paid $16,000 for a virtual sword to use in the video game. Other unique virtual items to use in the video game sold for $2,500 and $1,600 in the auction.

These values for virtual items are a bit surprising because this video game has not even been released to the public yet. The developers completed the first phase of closed beta testing in 2011, and they plan to release the game to the public sometime in 2012.

As I’ve mentioned before, it is important for video game and virtual world players to plan ahead and incorporate their digital property into their real–world estate plan. Beyond just writing down the account name and password for the fiduciaries to access the account, the fiduciaries and family members need to know if there are monthly fees to keep the video game or virtual world account open (so the valuable video game character and its virtual property and currency are not deleted!), what the approximate real-world value may be, and either how to transfer it or where to sell it. A little time spent planning ahead can make the administration much more efficient when the video game or virtual world player becomes incapacitated or dies.

Posted in Video Games & Virtual Worlds

Connecticut Court Requires Spouses to Reveal Online Account Passwords in Divorce Proceeding

On November 7, 2011, Kashmir Hill on Forbes.com reported that a Connecticut court ordered Stephen and Courtney Gallion, spouses in a divorce proceeding, to reveal and exchange their online account passwords, including their passwords to Facebook, eHarmony, and Match.com. According to the article, the judge also ordered Mrs. Gallion not to delete any material from her online accounts.

As the article points out, the judge issued these orders to facilitate the discovery process in the divorce proceeding, including evidence relevant to the custody of their children. However, there’s a big difference between turning over your online account passwords and simply turning over the contents of your online account (e.g., your Facebook postings, your e–mail messages, etc.) in the discovery process.

Facebook, for example, has a procedure that allows a user to download everything that user has put into Facebook; the user could then turn over the resulting data to the other party in the discovery process. To do this, a Facebook user would go into his or her “Account Settings” and click on “Download a copy of your Facebook data.”

Turning over your online account password to the other party in a lawsuit gives them complete access to and control over all aspects of the account, with the potential for abuse by the other party. Also, turning over your Facebook password or letting anyone else access your Facebook account violates section 4.8 of the Facebook Statement of Rights and Responsibilities (last revised April 26, 2011), and, under section 14, Facebook can stop providing all or part of Facebook services if you violate these rules. However, section VI of the Facebook Data Use Policy (last revised September 23, 2011) also states that Facebook “may share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so.” I am interested to find out how Facebook responds to this situation.

Posted in E-mail, Social Networking Accounts

How to Delete Online Accounts and Digital Footprints

On November 10, 2011, Jeffrey A. Lambert posted a story at Maximum PC called How to Erase Your Digital Footprint. The article describes how much information Facebook, Google, and other companies collect about your Web browsing and other Internet activities, especially for advertising purposes. Using free tools described in the article, you can see how much information these companies are collecting, and you can also take steps to delete your digital footprints.

One valuable resource is a link to an article in Smashing Magazine by Cameron Chapman called How to Permanently Delete Your Account on Popular Websites. This article walks through the step–by–step process of closing your Amazon, eBay, Facebook, Flickr, Google, LinkedIn, Microsoft, MySpace, PayPal, Twitter, WordPress, and YouTube accounts (among others). This is very useful information for fiduciaries and family members handling an estate administration after a person has died. After retrieving any valuable or significant information from the deceased person’s online accounts, the appropriate fiduciary can contact the service providers using these steps to close the online accounts. Family members instead may decide to leave a social networking account, personal Web page, or blog account open as a memorial rather than closing the account. See my previous posting for more information on leaving an online account open as a memorial.

Posted in E-mail, Financial Accounts, Online Sales Accounts, Social Networking Accounts, Video Games & Virtual Worlds, Web Pages and Blogs

IRS Chief Counsel Advises IRS Agent Not to Request Taxpayer E-Mail Contents From ISP

In IRS Chief Counsel Advice 201141017, an IRS agent tried to obtain a taxpayer’s e–mail contents from the taxpayer’s Internet Service Provider (ISP) without a warrant. The taxpayer’s ISP refused the IRS agent’s request, citing provisions of the Stored Communications Act (18 U.S.C. §§ 2701–2711) and United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). The agent asked the IRS Chief Counsel how to proceed, and the Chief Counsel advised the agent not to request the taxpayer’s e–mail contents from the taxpayer’s ISP.

In this situation, the IRS agent believed that a shell company improperly received over $250,000 of tax refunds, so the IRS agent was trying to trace where the money went. The IRS agent used an IRS administrative summons under § 7602 of the tax code to request the contents of the taxpayer’s e–mails, including e–mails received within 180 days of the summons.

First, the IRS Chief Counsel advised that this IRS administrative summons should be withdrawn because it violates § 2703(a) of the Stored Communications Act, which requires that a governmental entity obtain a warrant to compel disclosure of the contents of an electronic communication that is in electronic storage for 180 days or less. Here, the IRS agent had not obtained a warrant and “would not be eligible to seek a warrant for the civil (as opposed to criminal) tax law provisions he is engaged in seeking to enforce in this case.”

Second, the IRS agent asked whether the agent could request from the taxpayer’s ISP only the contents of the taxpayer’s e–mails that were in electronic storage for more than 180 days, without a warrant. However, the IRS Chief Counsel advised the IRS agent against doing this, citing the Warshak case. The Warshak case concluded that the Stored Communications Act provisions that allow a governmental entity to compel disclosure of the contents of an electronic communication that is in electronic storage for more than 180 days without a warrant are unconstitutional because they are an unreasonable search and seizure in violation of the Fourth Amendment. Although the IRS Chief Counsel points out that the Warshak case was a Sixth Circuit decision while the taxpayer’s ISP is located in the Ninth Circuit, the IRS Chief Counsel advises: “In short, we do not believe there is any reasonable possibility that the Service will be able to obtain the contents of this customer’s e–mails that are more than 180 days old through a modified summons upon this ISP without protracted litigation, if at all.”

Third, the IRS agent asked whether the agent could request from the taxpayer’s ISP only “non–content information for electronic communications services specified in 18 U.S.C. § 2703(c)(2) for the customer (e.g., name, address, length and type of service, and means of payment).” For this question, the IRS Chief Counsel advised that the IRS agent may obtain this “non–content information” from the taxpayer’s ISP without a warrant, and this has been upheld by the courts. This can be accomplished using an IRS administrative summons under § 7602 of the tax code, without notice to the ISP’s customer, and it can even be used to obtain the credit card number or bank account number used to pay for the e–mail service (see 18 U.S.C. § 2703(c)(2)(F)).

Although IRS Chief Counsel Advice 201141017 cannot be used or cited as precedent, it is still helpful for taxpayers to know the current IRS position on requesting e–mail contents from a taxpayer’s ISP or requesting “non–content information for electronic communications” (including name, address, length and type of service, and means of payment including credit card number or bank account number) from a taxpayer’s ISP. It’s also important to note that the taxpayer’s ISP plays an important role in the process—in this situation, the taxpayer’s ISP protected the rights of its customer by denying the initial IRS administrative summons sent by the IRS agent because the summons was too broad.

Posted in E-mail

October is National Cyber Security Awareness Month

October is National Cyber Security Awareness Month! For tips about creating strong passwords, backing up your data, Internet safety and security, social networking privacy and security settings, and more, visit: StaySafeOnline.org. Tip sheets and other resources are available on their Resource Library site and on their Stop. Think. Connect. site.

Posted in General

Importance of Preserving “Electronic Evidence” During Incapacity or After Death

Recently, four potential heirs were found guilty of conspiracy to murder, based on evidence of Google searches for “easiest way to kill an old person,” “poisonous toadstools,” and “1,000 ways to die,” followed by an attack carried out on their 89-year-old father/grandfather. A September 29, 2011, BBC story describes the case, and notes that the prosecution said these family members were trying to kill the man to inherit his money.

In my articles and seminars, I stress the importance of preserving potential “electronic evidence,” including data stored in cell phones, smartphones, computers, and storage media, during a guardianship, conservatorship, probate estate, or trust administration. Although this case is an extreme example, it is especially important to preserve this potential electronic evidence if there is a current or potential future law enforcement investigation or civil suit involving the incapacitated or deceased person.

But, even if there isn’t an investigation or civil suit, still strongly consider hiring a computer security or computer forensics expert before turning on or attempting to access the cell phones, smartphones, computers, and storage media. At least consider making an exact image copy of the storage media before it’s first accessed so that copies of the original data can be preserved and examined without fear of altering or destroying any important data. Simply turning on and booting up a smartphone or computer can overwrite or wipe out data that may be useful in tracking down the person’s online accounts and attempting to recover passwords for those accounts.
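What an “exact image copy” involves in practice, shown as an added example that is not part of the original post: the media is copied byte for byte, a SHA-256 hash is recorded at acquisition, and the stored image is re-checked against that hash before anyone examines it. It assumes the media is attached read-only (for example, through a hardware write blocker); the function names and file paths are hypothetical.

```python
import hashlib
import os
import stat

CHUNK = 1024 * 1024  # read 1 MiB at a time


def sha256_of(path):
    """Return the SHA-256 hex digest of a file or block device."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image_path):
    """Copy source to image_path byte for byte; return the acquisition hash.

    The source is opened read-only and hashed as it is read, so the recorded
    hash describes exactly the bytes that were copied.
    """
    digest = hashlib.sha256()
    # Mode "xb" refuses to overwrite an image that already exists.
    with open(source, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    # Mark the image read-only; examination should happen on copies of it.
    os.chmod(image_path, stat.S_IRUSR)
    return digest.hexdigest()


def verify_image(image_path, acquisition_hash):
    """Re-read a stored image and confirm it still matches the recorded hash."""
    return sha256_of(image_path) == acquisition_hash


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a storage device: a file of sample bytes.
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_media.bin")
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 123))
    image = os.path.join(workdir, "evidence.img")
    recorded = acquire_image(source, image)
    print("acquisition SHA-256:", recorded)
    print("image verifies:", verify_image(image, recorded))
```

Keeping the recorded hash with the estate or case file lets anyone later show that the examined copy matches what was originally acquired.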

Posted in General

Protecting Privacy of Customer Personal Information in Borders Bankruptcy Asset Sales

As part of the Borders bankruptcy proceeding, Barnes & Noble offered to purchase the “consumer personal information” of Borders, including over 20 million customers’ online account information, e–mail addresses, and purchase history. However, Borders had a privacy policy that stated customer personal information would not be rented or sold to third parties except with the express consent of its customers.

According to a Federal Trade Commission letter dated September 14, 2011, about this matter, Borders’s database includes customer personal information collected since May 2005. Borders had several versions of its privacy policies, and their privacy policy was revised May 27, 2008, to include an exception for disclosing customer personal information as part of a merger, reorganization, or sale of its assets. The FTC letter recommends that Borders obtain express consent from its customers before transferring a customer’s personal information to a potential purchaser (e.g., Barnes & Noble). If a customer does not consent, the FTC recommends that the customer’s data be purged. The FTC letter cited the FTC v. Toysmart case as a similar situation involving the transfer of customer personal information in a bankruptcy proceeding.

The third–party Consumer Privacy Ombudsman in this matter recommended that Barnes & Noble comply with Borders’s privacy policy by getting consent of the Borders customers. According to a September 21, 2011, Reuters article, “Barnes & Noble rejected the consent requirement as ‘completely unrealistic.’ ” As the Reuters article points out, this could decrease the value of the customer personal information that Barnes & Noble offered to purchase, and it might end the deal. It will be interesting to watch how these important consumer privacy issues are resolved.

Posted in Intellectual Property Rights

Ponzi Scheme in Online Video Game

In August 2011, thousands of players of the video game EVE Online found out that they were victims of an in–game Ponzi scheme. Players invested virtual currency in an in–game virtual company that paid out high returns supported by other players’ investments. In just eight months, the people who ran the Ponzi scheme pocketed over 1 trillion ISK—the game’s virtual currency—worth an estimated $51,577 in real U.S. dollars. An interesting twist is that the two people who ran the Ponzi scheme describe the story about how they did it and why they did it on their Web site.

I’ve written previously about the potential financial value in online accounts and digital property, especially in video games. Where there is financial value, there is the potential for unscrupulous or criminal actions to try and take that value. As Francis Bacon wrote, “Opportunity makes a thief.”

In estate planning, it’s important to protect passwords, online accounts, and digital property—especially digital property with financial value—when a person becomes incapacitated or dies. For video games and virtual worlds, some are free to play, and others require monthly or annual access fees to preserve the account and keep the account active. Some virtual worlds and virtual property require active management and maintenance to preserve and maximize the financial value. When the person becomes incapacitated or dies, consider changing the passwords used to access the account to prevent unauthorized access. Whether or not the video game character, items, or virtual currency can be transferred depends on the video game Terms of Service contract—some companies allow transfers but others don’t. Also, be alert for unscrupulous activity in the video game or virtual world, and consult a video gaming expert if you need assistance.

Posted in Video Games & Virtual Worlds