When The Cure May Be Worse Than The Breach
Vertafore, Kroll, and Duff & Phelps
TL;DR: In proffering ID theft and credit repair services after a breach of more than 22 million records, Vertafore - an insurance services company - is shunting hapless consumers towards a product that may doubly victimize them: the firm just might sell the information consumers provide (and some they didn't know they were providing).
Vertafore, which assures us that it "takes data privacy and security very seriously," tells us it, "has safeguards to protect its information and systems, with dedicated internal teams and partnerships with leading external firms."
So it was a surprise when we learned that their employees had recently parked three fantastically large files of Personally Identifiable Information (PII) on a public server that exposed information about every Texas Driver License and ID card issued before 2019. That's PII of millions of people.
Yet Vertafore tries to sound magnanimous about how it is offering services to repair the damage: "to be considerate of all Texas driver license recipients and out of an abundance of caution," they intone, "Vertafore is offering [...] one year of free credit monitoring and identity restoration services in recognition that these services offer valuable protection in other contexts beyond this event."
Isn't that nice?
The firm they hired for this is Kroll, which in turn is owned by Duff & Phelps (D&P). To reach their site - the one for free credit monitoring and credit restoration (whatever that means) - you need to "certify that [you were] issued a Texas driver license and believe that [you were] potentially impacted by the event involving Vertafore." So you're providing a legal attestation. Clicking the "Activate Now" button brings you to another site, and before they even tell you whether you've been impacted, or go into any of the terms of what you might get if you have been impacted, or the legal rights you may give up by accepting what they offer, you are asked for information.
A lot of it.
In order to provide the service, right on the landing page, D&P ask for your First Name, Last Name, Primary Telephone Number, Secondary Telephone Number, Date of Birth, Social Security Number, Street, City, State, Country, Zip Code, and email address.
That's a lot of information to be asking on behalf of a company that just lost 66% of those same data-types (plus vehicle registration history) for millions of people.
But D&P is "committed to complying with the applicable data privacy and security requirements in the countries in which it operates," so all is good, right? Well...
D&P states they will harvest your browser and computer environmentals (this, kids, means fingerprinting you). They will use the information they harvest for a range of things, including telling you "about other products or services similar to the products or services we have provided to you and that we think will be of interest to you (where the processing is necessary for our legitimate business interests)."
Note, this is D&P's legitimate business interests, not yours. This, I believe, is clearly intended to make it just fine for them to sell your data, because you went to them to get help when their client lost your data.
If they send you an email, they tell you it will include "standard tracking", so "D&P may collect information about your activity as you interact with our email messages and related content."
Their Cookies policy allows them to use tracking cookies and share them with third parties. This particularly disingenuous passage is stunning: "The ad partners may track anonymous site usage behavior on Duff & Phelps and link it to other information they have associated with your IP address."
They use the word "anonymous" there, but I don't think it means what they are trying to imply it means.
This is especially galling when they say they are tracking referrers, environmentals and fingerprinting, along with clickstream data, all of which serve to identify you absolutely and uniquely. So it seems that they're saying they will anonymously track everything you do, and then tie this anonymous data to their collection of data about you, personally.
And while their Privacy policy talks about their fingerprinting using examples like "IP address and pages you visit," their Terms of Service state clearly that by using their site you consent to D&P "...collecting and using technical information about the devices you use and related software, hardware and peripherals..." This would seem to mean they can harvest at will "technical" things like serial and IMEI/IMSI numbers, WiFi network and speed information, accelerometer and location data, names and types of Bluetooth devices you may have connected ... anything they want, including the names of other software you have installed on your machine, should they like. It reads as if it could just be a license to take everything down to your phone's flashlight.
If that weren't enough, they also would seem to give themselves in their Cookies policy full license to harvest tech data through the advertiser cookies, saying they will automatically collect information about you, "as you browse our website(s), such as type of browser, operating system, domain name or IP address."
By the way, it's not just the information you've given them that they get - they also get information derived by using the information you have given them. To be clear, you're asking them to monitor your credit and watch for ID theft, which means, naturally, they must have access to your credit. So, in the End User Agreement, you tell them they can get the information in your credit files:
"You understand that by accepting this Agreement you are providing “written instructions” to our service provider, CSIdentity Corporation (“CSID”) and its employees, agents, subsidiaries, affiliates, contractors, third-party data and service providers, and all other credit reporting agencies under the Fair Credit Reporting Act, as amended (“FCRA”), including Experian, TransUnion, Equifax and affiliated entities, to access your credit files from each national credit reporting agency and to exchange information about you with each national credit reporting agency in order to verify your identity and to provide the Services to you."
That's normal. I raise it because, well, my relationship with this company hasn't begun well, and now I see that in order to consummate it, I have to grant them full visibility into everything in my credit file. Can they sell this large and growing trove of data it seems they're asking you to agree to provide them? Well, for the credit data, the answer is generally "No," but for the other information they get, derive, or infer, the answer is, "probably."
Frankly, I'd rather pay the $100 for credit monitoring myself, thanks. And despite the fact that Vertafore did in fact lose my personal data in this breach, thanks anyway, pahdna, but that's exactly what I will do.