Attorney General Denn Announces New Online Data Security Breach Reporting Resource

Amendments to Delaware’s data security breach notification law that went into effect Saturday require companies to notify the Delaware Attorney General when they experience a breach affecting the personal information of more than 500 Delaware residents, and the Delaware Department of Justice’s Consumer Protection Unit has launched an online portal to assist consumers, businesses, and other individuals and organizations who are involved in, or want to learn more about, data security breaches affecting Delaware residents.

Since 2005, any person who conducts business in Delaware, and who owns, licenses, or maintains personal information of Delaware residents, has had to provide notice to Delaware residents when the personal information of those Delaware residents has been subject to a security breach. Amendments to Delaware law passed in 2017, sponsored by Rep. Paul Baumbach and Sen. David Sokola, and backed by the Consumer Protection Unit, greatly expanded the definition of “personal information” to protect more sensitive information, and now require persons to provide notice to the Delaware Attorney General when a security breach affects more than 500 Delaware residents. Prior to the amendments, businesses and other organizations which suffered security breaches were not required to provide notice to the Delaware Attorney General, regardless of how many Delaware residents were affected.

A new webpage is now available on the Attorney General’s website, at https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/, with the following resources:

  • Online Reporting of Data Security Breaches — Any person, including businesses, organizations, and government agencies, who needs to provide notice of a data security breach to the Delaware Attorney General will be able to do so using either a web form available on the new webpage, or a fillable PDF form also available on the webpage that can be emailed directly to the Consumer Protection Unit’s dedicated email address for notifications (security.breach.notification@delaware.gov). Use of these resources is voluntary, and persons required to provide notice to the Attorney General can still send written notice through the mail.
  • Data Security Breach Notice Database — A database will allow consumers to see which entities have reported data security breaches to the Attorney General, when those breaches occurred, and the approximate number of Delaware residents affected by those breaches.
  • Model Form for Providing Notice to Consumers and Other Affected Persons — Delaware’s Data Security Breach Notification Law does not require a specific form of notice in order to notify Delaware residents that their personal information was involved in a data security breach, but to provide assistance and guidance to persons required to provide notice to Delaware residents, the Consumer Protection Unit is making available a Model Data Security Breach Notification Form that will help provide Delaware residents with clear, easy-to-read, and accessible information regarding the data security breach.
  • Links to Online Cybersecurity Resources — The webpage will also include links to helpful resources on cybersecurity issues, including the Delaware Department of Technology and Information, the Delaware Small Business Development Council, the Federal Trade Commission, and the U.S. Department of Homeland Security.

“Data security breaches, whether due to simple human error, criminal conduct by hackers, or something else, can have long-lasting and significant effects on the Delawareans whose personal information is stolen,” Attorney General Matt Denn said. “It’s important that businesses and other organizations that suffer these breaches promptly notify consumers and law enforcement, including my office. These new online resources will make it easy to let my office know what’s happened, so that we can ensure appropriate action is taken to protect and help Delawareans affected by data security breaches.”

Attorney General’s Office Warns Delawareans About Vacation Rental Scams

With people already making summer vacation plans, the Consumer Protection Unit of the Delaware Department of Justice warns Delawareans to be careful when looking for a vacation rental. Scammers operating rental schemes find legitimate rental postings and capture the information and photos of the property, and then list it on Craigslist or other online advertising platforms. Unsuspecting consumers looking for a good deal on a vacation rental find the bogus posting, send a deposit, and receive confirmation of their rental only to arrive to find other people in the home, unable to gain access, or otherwise turned away from the property they believed they had rented.

Scams also can occur with regards to long term leases for homes or apartments, where scammers may even have changed to locks illegally on a property and allow someone to move in, even though they are not the true owner.
All consumers should be diligent before entering into any type of lease for a rental property or providing any deposit or rental payment by taking these steps first:

  • Consider working with a licensed realtor or property management company when possible;
  • If using an online search engine or website, research whether the property appears on other websites or listing platforms and make contact with the listing agents to determine which is the legitimate advertisement;
  • Research who the true owner of the property is by doing a parcel search online: In Delaware, one can search New Castle County properties at http://www3.nccde.org/parcel/search/; Kent County properties at http://kent400.co.kent.de.us/PropInfo/PIName.HTM, and Sussex County properties at, https://sussexcountyde.gov/zoning-and-sales-information;
  • Carefully review the posting, advertisement or lease for misspellings and grammatical errors;
  • If you are looking at a rental through an online listing site, you should familiarize yourself with the site’s policies for detecting and dealing with potentially fraudulent listings;
  • Never pay any security deposit or rental payment in cash—always use a check, money order or credit card—and demand a receipt;
  • For long-term leases:
    o Demand a written lease in advance, that includes the identification and contact information of the landlord, as well as identification of the bank where your security deposit (if applicable) will be held;
    o When possible, request a walk-through before agreeing to rent or paying any deposit;
    o Talk to neighbors to learn more about the property and the owners—be cautious of properties with a recently deceased owner or foreclosure;
    o If you meet the person claiming to be the landlord, request to see their credentials, such as a business card or realtor’s license, and identification; you should also make note of the make and model of their car and the license plate number.

Consumers who believe they may have been scammed should contact their local police department and file a report. They can also call the Attorney General’s toll-free Consumer Hotline at 1-800-220-5424 or email the Consumer Protection Unit of DOJ at consumer.protection@delaware.gov. If the listing was posted on an online platform, such as Craigslist, the consumer should also file complaints with the online platform and with federal law enforcement at www.ic3.gov.

Customers of Improper Credit Services Company Receive Refunds After Settlement

Cornerstone Credit Services no longer operating in Delaware

Attorney General Matt Denn announced that 35 Delawareans victimized by a national debt services provider recently received refunds for fees and costs paid for unlawful debt management services rendered by Cornerstone Credit Services, a Wisconsin company. In December 2017, the Wilmington law firm of Cross & Simon and the Consumer Protection Unit (CPU) of the DOJ’s Fraud and Consumer Protection Division reached a settlement with Cornerstone, under which Cornerstone ceased doing business in Delaware and refunded fees and costs totaling more than $115,000 to Delaware consumers.

Delaware law requires that debt management services providers doing business in the state register with the Attorney General, obtain a license, and fulfill a number of other requirements. The relevant statute exempts law firms providing legal services, and evidence produced during the litigation showed that Cornerstone had hired a law firm as its purported local representative in Delaware in an attempt to evade the statutory requirements. In 2015, the Cross & Simon law firm filed an action in the Court of Chancery alleging that Cornerstone’s business model was a sham and that the company had been charging fees to Delaware customers while not substantially lowering their debts. In 2017, the CPU moved to intervene in the litigation on the side of the plaintiffs, in order to ensure that any resolution of the case would include relief for all affected customers. In December 2017, the case settled.

Over the past two weeks, CPU representatives have been distributing checks, in some cases totaling several thousand dollars, to each of the consumers affected. “This is another example of how our CPU protects Delaware consumers,” Attorney General Denn said. “I want to thank Rick Cross and Cross & Simon, and Deputy Attorney General Michael Clarke and Chief Special Investigator Alan Rachko and their team, for their diligence in pursuing this case for the benefit of the Delaware customers, some of whom were facing significant financial difficulties.”

DOJ Consumer Protection Unit Urges Delaware Consumers To Be On Guard Against IRS Scams And Other Financial Frauds

With IRS W-2 forms already issued by some employers, the 2018 tax season has arrived, and the Department of Justice Consumer Protection Unit is again warning Delaware consumers and employers to be on guard for fake IRS phone call scams and IRS Form W-2 email phishing scams that are targeting employers, including retail businesses, school districts, nonprofit organizations, and law firms.

IRS Phone Call Scam

In a typical IRS phone scam, a caller pretends to work for the Internal Revenue Service (or sometimes the U.S. Treasury Department), and tells the intended victim that the IRS will imminently be filing suit against the victim, or threatens the intended victim with arrest or some other kind of punishment, and the only way to avoid the lawsuit or arrest is to immediately pay a sum of money, usually via a pre-paid debit card or a money order, or even Amazon or iTunes gift cards.

“These scammers use scare tactics, threats, and aggressive language to put the person answering the phone into a precarious position,” said Attorney General Matt Denn. “They hope their prospective victims will quickly make payment in order to avoid the possibility of penalties like losing their jobs, or going to prison.”

The Internal Revenue Service says that these scammers often spoof the telephone number to disguise where they are calling from, and they sometimes manipulate the caller ID information so it seems like the call is coming from the IRS. They may even give out a fake IRS badge number, and may even know the last four digits of a victim’s Social Security number and try to use that information to gain a victim’s trust.

As a reminder, the IRS will never reach out to a taxpayer with an initial contact by telephone, email, text message, or social media. The IRS also will never demand credit or debit card payment over the telephone, nor will the IRS demand that you pay a tax bill in a specific manner.

DOJ’s Consumer Protection Unit urges consumers to ignore these calls and not return voicemail messages. Consumers should instead do the following:

  • If you are worried that the call might be real, because you owe federal taxes, or think you might owe federal taxes, hang up and call the IRS directly at 1-800-829-1040. IRS workers there will be able to help you with any payment questions.
  • Report the scam to federal authorities: fill out the “IRS Impersonation scam” form on TIGTA’s website, or call TIGTA at 800-366-4484, and also consider filing a complaint with the Federal Trade Commission at www.ftc.gov (add “IRS Telephone Scam” to the comments in your complaint).

IRS Form W-2 Phishing Scam

Delawareans should also be aware of a dangerous email scam that has been circulating nationwide and is targeting a wide variety of public and private-sector employers, including retail businesses, universities, secondary school districts, nonprofit organizations, hospitals, and law firms. The scam first appeared in 2016, but saw a significant increase in 2017, with an estimated 200 employers across the United States being victimized last year.

Typically, the scammer sends a “spoofing” email posing as an internal executive or official within the organization, requesting employee payroll data, including IRS W-2 forms that contain Social Security numbers and other personally identifiable information. If these cybercriminals are successful in tricking payroll and human resource officials into disclosing that data, they can use the data to file fraudulent tax returns for refunds and commit other forms of identity theft.

According to the IRS, these are examples of the details that may be contained in some of these emails:

  • “Kindly send me the individual [2017] W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  •  “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employee wage and tax statement for [2017], I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

The IRS has also established a process that will allow employers and payroll service providers to quickly report any data losses related to this W-2 scam: https://www.irs.gov/individuals/form-w2-ssn-data-theft-information-for-businesses-and-payroll-service-providers. The IRS has established a dedicated email address for employers to report W-2 scams and data thefts: dataloss@irs.gov. According to the IRS, if notified in time the IRS can take steps to prevent employees from being victimized by identity thieves filing fraudulent returns in their names. There is also information about how to report receiving the scam email even if an employer did not fall victim to the scam.

DOJ also reminds employers that if they are victimized by this scam, they have suffered a data breach and may need to give notice to affected individuals under Delaware’s data breach notification law (Title 6, Chapter 12B of the Delaware Code), and may also need to give notice under other applicable state or federal law. Employers who suffer a data breach should consult with legal counsel to ensure compliance with all applicable data breach notification laws.

Deadline Approaching For Delaware Scam Victims Who Used Western Union To Claim Repayments

Delaware consumers who used Western Union from 2004 to 2017 to send money to scammers and lost their money are reminded they have a month to file a claim to get their money back under a legal settlement.

Under a settlement between Western Union and state attorneys general, including Delaware, anyone who was tricked by scammers into sending money by Western Union between January 1, 2004 and January 19, 2017 can go to www.ftc.gov/WU before February 12, 2018.

Some people who have already reported their losses to Western Union, the Federal Trade Commission, or another government agency will receive a form in the mail from the claims administrator, Gilardi & Co. The form will have a Claim ID and a PIN number to use when filing a claim online via FTC.gov/WU. Gilardi was hired by Justice Department, which is responsible for returning victims’ money as part of its settlement with Western Union.

Filing a claim is free, so consumers should not pay anyone to file a claim on their behalf. No one associated with the claims process will ever call to ask for consumers’ bank account or credit card number. If you lost or did not receive a claim form, there is also a link on www.ftc.gov/WU which will enable you to file.

The attached graphic from the FTC is a simple explanation of the claims process.

The settlement with Western Union came after state and federal consumer protection agencies alleged that fraudsters were able to use Western Union’s money transfer system to get payments from their victims, even though the company was aware of the problem and received hundreds of thousands of complaints about fraud-induced money transfers made for fraudulent lottery and prizes, family emergencies, advance-fee loans, online dating and other scams. The settlement announced in January 2017 required $586 million from Western Union to repay consumers, and required Western Union to develop and put into action a comprehensive anti-fraud program designed to help detect and prevent incidents where consumers wire money to scam artists.

Previous Announcements from the Delaware Department of Justice regarding the settlement and claims process can be found at https://news.delaware.gov/2017/01/31/wu/ and https://news.delaware.gov/2017/11/13/wus/.