Attorney General Jennings Announces Settlement With Experian-Owned Company Over Sensitive Information Breach

Attorney General Jennings today announced a multistate settlement with Experian Data Corp (“EDC”) for failing to warn affected consumers after it learned that an identity thief was posing as a private investigator and retrieving sensitive personal information from Court Ventures Inc., a database that EDC had purchased.

In 2012, the U.S. Secret Service notified EDC of the existence of the identity thief, who had begun accessing information from the Court Ventures, Inc. database before EDC purchased the company and continued to do so after the purchase. EDC failed to notify affected consumers of the identity thief’s actions.

Since that time, the individual has pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges.

“Today’s settlement will help protect the personal information of Delawareans moving forward,” said Attorney General Jennings. “We will continue to hold businesses like EDC accountable for their duty to protect our entrusted information from unlawful use or disclosure. Everyone who does business in Delaware needs to stay alert and protect their customer’s personal data.”

EDC has agreed to injunctive relief and a payment of $1 million to resolve this multistate investigation. Under this resolution, joined by a group of 40 states, EDC has agreed to a series of provisions designed to strengthen its security and reporting practices, including:

  • Strengthening its vetting and oversight of third parties that it allows to access personal information;
  • Investigating and reporting data security incidents to the Attorneys General;
  • Maintaining a “Red Flags” program to detect and respond to potential identity theft; and
  • Implementing certain personal information safeguards and controls, including encryption or its equivalent for personal information on their network and in transit.

Delaware, which assisted with the investigation, will receive $20,000 from the EDC settlement.

Joining Attorney General Jennings in today’s settlement are the Attorneys General of Alaska, Arizona, Arkansas, Colorado, Connecticut, District of Columbia, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin.

 

AG Jennings joins nationwide investigation into Instagram’s impact on youth

Attorney General Jennings today joined a nationwide investigation into Meta Platforms, Inc., formerly known as Facebook, for providing and promoting its social media platform – Instagram – to children and young adults despite knowing that such use is associated with physical and mental health harms. Attorneys General across the country are examining whether the company violated state consumer protection laws and put the public at risk.

“Nothing—nothing—is more important than protecting our kids, especially online,” said Attorney General Jennings. “We expect the world’s largest social media companies to be responsible. We’re launching this investigation because Delaware’s families need the law to be followed and our kids to be safe.”

The investigation targets, among other things, the techniques utilized by Meta to increase the frequency and duration of engagement by young users and the resulting harms caused by such extended engagement. Today’s announcement follows recent reports revealing that Meta’s own internal research shows that using Instagram is associated with increased risks of physical and mental health harms on young people, including depression, eating disorders, and even suicide.

AG Jennings has long been concerned about the negative impacts of social media platforms on Delaware’s youngest residents. In May, a bipartisan coalition of 44 attorneys general urged Facebook to abandon its plans to launch a version of Instagram for children under the age of 13.

Attorney General Jennings Announces Multistate Settlement with Johnson & Johnson, Ethicon, Inc.

Delaware Attorney General Kathleen Jennings announced Thursday a multistate settlement with Johnson & Johnson and its subsidiary, Ethicon, Inc., for their deceptive marketing of transvaginal surgical mesh devices.

A multistate investigation found the companies violated state consumer protection laws by misrepresenting the safety and effectiveness of the devices and failing to sufficiently disclose risks associated with their use.

“Manufacturers of medical devices must do better than the cavalier and dangerous attitude towards women exhibited here by Johnson and Johnson. Today’s settlement holds Johnson and Johnson accountable for their failures and my office will continue to ensure that Delawarean’s can rely on manufacturer’s assurances as to the safety and effectiveness of medical devices,” said Attorney General Jennings.

Transvaginal surgical mesh is a synthetic material that is surgically implanted through the vagina to support the pelvic organs of women who suffer from stress urinary incontinence or pelvic organ prolapse.

The multistate investigation found the companies misrepresented or failed to adequately disclose the products’ possible side effects, including the risk of chronic pain and inflammation, mesh erosion through the vagina, incontinence developing after surgery, painful sexual relations, and vaginal scarring. Evidence shows the companies were aware of the possibility for serious medical complications but did not provide sufficient warnings to consumers or surgeons who implanted the devices.

The settlement requires J&J and Ethicon to provide full disclosure of the device’s risks and accurate information on promotional material and package inserts.

Among the specific requirements, the companies must:

  • refrain from referring to the mesh as “FDA approved” when that is not the case;
  • refrain from representing in promotions that risks associated with mesh can be eliminated with surgical experience or technique alone;
  • ensure that any product trainings provided to medical professionals covers the risks associated with the mesh;
  • omit claims that surgical mesh stretches after implantation, that it remains soft after implantation, that foreign body reactions are transient, and that foreign body reactions “may” occur (when in fact they will occur);
  • disclose that mesh risks include: fistula formation, inflammation, mesh extrusion, exposure, and erosion into the vagina and other organs;
  • disclose risks of tissue contraction, pain with intercourse, loss of sexual function, urge incontinence, de novo incontinence, infection following transvaginal implantation, and vaginal scarring; and
  • disclose that revision surgeries may be necessary to treat complications, that revision surgeries may not resolve complications, and that revision surgeries are also associated with a risk of adverse reactions.

Additionally, Johnson & Johnson has agreed to pay a combined $116.86 million to the 41 participating states and District of Columbia. Delaware will receive $1.4 million under the settlement which will go to the state’s Consumer Protection Fund. The Fund pays the investigative costs, consumer outreach activities and operations of Delaware DOJ’s Consumer Protection Unit, with excess amounts returned to the state’s General Fund for allocation by the state legislature and Governor through the normal budgetary process.

Joining Delaware in this multistate settlement are Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, and Wisconsin.

The matter was handled by Assistant Director of Consumer Protection Regina S. Schoenberg.

During Peak Tax Season, Consumer Protection Unit Urges Delawareans to be on Guard Against IRS Scams

With IRS W-2 forms already issued by many employers, the 2019 tax season is underway, and the Department of Justice’s Consumer Protection Unit is cautioning Delaware consumers and employers to be on guard for fake IRS phone call scams and IRS Form W-2 email phishing scams that are targeting Delaware employers, including retail businesses, school districts, nonprofit organizations, and law firms.

IRS Phone Call Scam

In a typical IRS phone scam, a caller pretends to work for the Internal Revenue Service (or sometimes the U.S. Treasury Department), and tells the intended victim that the IRS will imminently be filing suit against the victim, or threatens the intended victim with arrest or some other kind of punishment, and the only way to avoid the lawsuit or arrest is to immediately pay a sum of money, usually via a pre-paid debit card or a money order, or even Amazon or iTunes gift cards.

The IRS says that these scammers often spoof the telephone number to disguise where they are calling from, and they sometimes manipulate the caller ID information so it seems like the call is coming from the IRS. They may even give out a fake IRS badge number, and may even know the last four digits of a victim’s Social Security number and try to use that information to gain a victim’s trust. Many times these scam messages will contain misspellings, unusual phrases, or terminology that is not customary in the U.S. or the area.

As a reminder, the IRS will never reach out to a taxpayer with an initial contact by telephone, email, text message, or social media. The IRS also will never demand credit or debit card payment over the telephone, nor will the IRS demand that you pay a tax bill in a specific manner, such as with a gift or pre-paid card.

The Consumer Protection Unit urges consumers to ignore these calls and not return voicemail messages. Consumers should instead do the following:

  • If you are worried that the call might be real, because you owe federal taxes, or think you might owe federal taxes, hang up and call the IRS directly at 1-800-829-1040. IRS workers there will be able to help you with any payment questions.
  • Report the scam to federal authorities: fill out the “IRS Impersonation scam” form on TIGTA’s website, or call TIGTA at 800-366-4484, and also consider filing a complaint with the Federal Trade Commission at www.ftc.gov (add “IRS Telephone Scam” to the comments in your complaint).

IRS Form W-2 Phishing Scam

The Consumer Protection Unit also warns Delawareans about a dangerous email scam that has been circulating nationwide and is targeting a wide variety of public and private-sector employers, including retail businesses, universities, secondary school districts, nonprofit organizations, hospitals, and law firms.

Typically, the scammer sends a “spoofing” email posing as an internal executive or official within the organization, requesting employee payroll data, including IRS W-2 forms that contain Social Security numbers and other personally identifiable information. If these cybercriminals are successful in tricking payroll and human resource officials into disclosing that data, they can use the data to file fraudulent tax returns for refunds and commit other forms of identity theft.

According to the IRS, these are examples of the details that may be contained in some of these emails:

  • “Kindly send me the individual [2018] W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employee wage and tax statement for [2018], I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

The IRS has also established a process that will allow employers and payroll service providers to quickly report any data losses related to this W-2 scam: https://www.irs.gov/individuals/form-w2-ssn-data-theft-information-for-businesses-and-payroll-service-providers. The IRS has established a dedicated email address for employers to report W-2 scams and data thefts: dataloss@irs.gov. According to the IRS, if notified in time the IRS can take steps to prevent employees from being victimized by identity thieves filing fraudulent returns in their names. There is also information about how to report receiving the scam email even if an employer did not fall victim to the scam.

The Consumer Protection Unit also reminds employers that if they are victimized by this scam, they have suffered a data breach and may need to give notice to affected individuals under Delaware’s data breach notification law (Title 6, Chapter 12B of the Delaware Code), and may also need to give notice under other applicable state or federal law. Employers who suffer a data breach are encouraged consult with legal counsel to ensure compliance with all applicable data breach notification laws.

DOJ Consumer Protection Unit Warns Delawareans About Scam Utility Calls

The Department of Justice’s Consumer Protection Unit (CPU) warns Delawareans to be wary of threatening collection calls purporting to be from Delmarva Power. The callers allege that the consumer has an overdue balance and threaten to have utility services shut off within minutes if large sums of money are not provided. The callers demand these large payments in MoneyPak cards, iTunes gift cards, or other prepaid card products. The callers may also attempt to obtain certain personal or financial information from consumers as well.

Delaware utility consumers should be cautious of any phone call where the caller employs threats to immediately turn off utility services. Current customers of Delmarva Power, or other authorized utility providers, should ask the caller to provide information that legitimate employees of actual utility providers should have readily available – including the utility account number, property address, and account holder’s name – in order to verify their identity. Consumers should terminate the call if the caller cannot provide this basic information.

In addition, consumers should inform callers that they will check recent billing statements and payment records and call back at the telephone number listed on their billing statements. If the caller provides a different number or directs the consumer to take another action, it is likely a scam.

The CPU is aware of these scam phone calls and Attorney General Jennings cautions all consumers to be diligent before disclosing any personal information, payment information, or account information to any callers. More importantly, consumers should verify the amounts claimed due with their own records before remitting any money. Some tips to protect personal information include:

  • Asking callers pointed questions to verify that they are who they say they are;
  • Reviewing monthly bills for any information about amounts due;
  • Asking callers for time to review records before agreeing to pay any amounts – legitimate collection calls will allow time to verify the balance due;
  • Wariness of any calls where a caller employs a threat of any kind to try to compel immediate financial action; and
  • Declining to answer calls from unfamiliar numbers or callers, or hanging up if the caller pressures the consumer.

The CPU Unit encourages consumers who believe they may have been scammed to call its toll-free Consumer Hotline at (800) 220-5424 or email consumer.protection@delaware.gov. Consumers who have lost money to scam calls should make a report to their local police agency.