By now, thanks to the horror of last year's hurricane season, most people know that standard homeowner's insurance doesn't cover flood damage.  And so, as this year's storm season approaches, it makes sense for you to consider purchasing flood insurance for your home.

But before you buy, you would do well to read up on a wide-ranging lawsuit that's being heard in a Maryland federal court. Plaintiffs in that case – hurricane victims who paid for flood insurance -- would warn you that contrary to what many believe, even those who have flood insurance are often unable to rebuild flood-damaged homes.

"When they buy flood insurance, here's what they buy. They're buying the right to sue," said Steve Kanstoroom, a self-appointed Hurricane victims' advocate and vocal critic of the National Flood Insurance Program (NFIP) and the Federal Emerency Management Agency, which administers the program. Kanstoroom runs Web site FEMAInfo.us, which chronicles the bureaucratic troubles facing hurricane victims. "They are not buying peace of mind. They are buying a false sense of security."

Kanstoroom's advocacy work forms the backbone of a lawsuit filed last year against FEMA officials and others involved in administering the flood insurance program. The case hits its first big milestone this week, as a federal judge in Greenbelt, Md., entertains a defense motion to dismiss the lawsuit.

The lawsuit doesn't stem from last year's Katrina nightmare. Instead, it was filed by Maryland-based victims of the 2004 Hurricane Isabel, but its claims could have far-reaching implications for all hurricane victims.

Victims of Isabel have sued FEMA officials, including former director Michael Brown, government contractor Computer Sciences Corp., and others, claiming flood insurance marketing was misleading. 

How covered is covered?
The issue is simple: Is flood insurance intended to restore victims to "pre-flood" condition, to pay for complete restoration of damaged homes, or simply to serve as a form of financial assistance?

Kanstoroom, himself a victim of Hurricane Isabel, and the plaintiffs in the Maryland case argue the former.  According to attorney Marty Freeman, when the plaintiffs purchased flood insurance, they were led to believe that they would be "made whole" in the event of a flood disaster.

"To induce (homeowners) to purchase (flood insurance), they were told by each of the defendants … that, in the event of a flood loss to their primary residence, benefits would be paid to them which would make them whole (after satisfaction of the deductible), and which would be in an amount sufficient to return their property to its pre-flood condition, up to the policy limits," Freeman writes in his complaint.

The defendants say that Congress – when it created flood insurance in 1968 -- never expected it would pay for every eventuality and was simply intended to supplement victims' rebuilding efforts.   

"It is irrefutable that CONGRESS KNOWS THAT NOT EVERY FLOOD LOSS WILL BE COMPENSATED BY JUST THIS ONE PROGRAM," the defense motion to dismiss says, making its point in all capital letters. Congress has made changes to the flood program through the years which "undercut any reasonable contention that the Congress actually intended back in 1968 that all (flood insurance) participants be completely restored to their 'pre-flood condition' after every flood loss," it says.

'Will make you whole'
But victims allege that flood insurance sellers said otherwise. Flood insurance can be bought directly from the federal government, or through insurance firms like State Farm and Allstate. Kanstoroom says consumers were regularly told flood insurance would pay the full costs of damage repair.

"Their marketing materials say that," says Kanstoroom, a retired fraud detection expert. 

In fact, FEMA seemed to say so on at least one occasion, Kanstoroom claims. A FEMA press release that Kanstoroom says he copied from FEMA's Web site, dated Oct. 16, 2003, describes flood insurance this way: "Flood insurance can make you whole again." Kanstoroom says public statements by FEMA officials and other marketing materials make similar claims.

The distinction is hardly trivial to any who's just lost their home in a flood. Plaintiffs in the Maryland case think claims in the wake of Hurricane Isabel were underpaid by about $2 billion because of this distinction. 

Why the steep difference?  It in part depends on the price scales adjusters use when settling a victim's claim.

Prices for basic building materials skyrocket after a hurricane hits as materials quickly become scarce. Often, fixing a damaged home after a storm can be more expensive than constructing a new home before a storm. Those who pay extra for flood insurance -- as they are advised and sometimes required by the federal government -- expect to get a check to cover the cost of rebuilding their homes, just as those who file a car insurance claim expect their car to look like it did before the accident.

Claims of conspiracy, fraud
While the "restored to pre-flood conditions" premise is simple, the Isabel victims' lawsuit is quite complex, and its assertions go much farther than misunderstanding. Plaintiffs claim rampant fraud; the lawsuit claims the misunderstanding was intentional.

"The defendants conspired to tell the prospective (insurance) purchasers they would be paid (for full restoration) when the defendants knew otherwise, having already (put) in place the machinery to pay pennies on the dollar of what would be due," it says. 

In fact, the lawsuit claims government contractor Computer Sciences Corp., which helps administer the flood program, simultaneously trained its adjusters and its sales force to deliver opposite messages. 

"While CSC instructors are instructing the (flood program) marketers to inform prospective insureds that their primary residences damaged by flood will be restored to their pre-flood condition, other CSC employees are simultaneously training and instructing claims adjusters and those responsible for training claims adjusters to allow only narrowly defined coverage in limited amounts – contrary to the sales agent training," it says. "In fact, the CSC adjuster training teaches those persons authorized to adjust flood loss claims … to employ and teach the employment of systematic 'low-balling' and high pressure tactics, as a result of which flood victim claimants, including plaintiffs herein, receive only a small fraction of the amount necessary to place their primary residences in their pre-flood condition."

The defense
A call to CSC's public relations office was not returned, and a FEMA public relations official said the agency could not comment on the lawsuit. The motion to dismiss says the fraud accusations are baseless, and claims years of settled cases make clear that victims can only sue to challenge the amount of their settlement.

"Every other aspect of the complaint is nothing beyond an effort to wage politics in a judicial forum," the defendants say in their motion.

The motion also argues that victims have already received payouts for their flood claims, and should not be demanding additional payments as well as premium refunds.

"This is no different than asking for your money back after buying a car, and also asking to keep the car," it says.

Finally, the motion also asserts that national flood insurance is a special kind of insurance – purchasing it forms a direct relationship between the federal government and a private citizens, rather than between a consumer and a company. As a result, citizens are required to understand the law that governs flood insurance, which is published as part of the Federal Register. Similar to the well-worn line, "ignorance of the law is no excuse," the burden is on consumers to know and understand the terms of flood insurance. Even misrepresentations by flood insurance resellers give hurricane victims no right to sue because buyers have a responsibility to look up provisions of the federal program for themselves, the defense argues.

It is hard to sue Uncle Sam, making the case incredibly complex for any who attempt to brave the documents. The most immediate issue before the judge is whether or not the plaintiffs can in fact sue FEMA and its agents, or if the agency has immunity that insulates it from certain kinds of lawsuits. 

Freeman, the attorney for the plaintiffs, counters that federal immunity does not apply to federal employees who are acting outside of their duties – and conspiracy would constitute such outside activity. That's one reason the lawsuit targets individuals within FEMA, and not he agency as a whole.

Success in the lawsuit would open a Pandora's box for FEMA, and open a window of opportunity for all hurricane victims.

"This will have a definite impact on hundreds of thousands of claims sitting around waiting to be determined," Freeman said.  "But it not only will impact thousands of claims, it may have impact on how the insurance industry works."

The progress of the fraud claims will be watched closely by FEMA and by journalists, but consumers considering flood insurance also should take heed. For now, the message is clear: Even if you buy flood insurance, you should not expect full compensation for the cost of rebuilding your flood-damaged home. After the storm, you might get some help, but you might be on your own. 

One year ago, information giant LexisNexis revealed that hackers stole data on about 310,000 of its customers. As compensation, the company offered all those victims a year's worth of a free credit- monitoring service.

But only 18,000 consumers -- just shy of 6 percent of those affected -- took the company up on the offer, a surprisingly low acceptance rate for a pretty valuable gift.

Credit monitoring, which lets consumers look up their credit report any time they want and provides e-mail alerts any time a new account is being opened, can cost $200 a year. While it's not a service I would pay for, I would jump at it if offered to me for free -- particularly if I knew my personal information had just been stolen.

LexisNexis' experience is not unique. Last year some 60 million people had their identities exposed because of some kind of data leak, and almost all of them were offered free credit monitoring. But in case after case, a tiny percentage of consumers signed up.

While the notice letters informing them that their data has been compromised are compelled by law, the offer of free credit monitoring is not. It is the de facto penance companies perform after a data leak, a gift from companies meant to alleviate the wrong that had been done.

ChoicePoint, which last year revealed it had accidentally sold 145,000 dossiers on U.S. consumers to criminals, says only 10-15 percent of victims called in response to a warning letter. About half of those who called signed up for free monitoring.

Citibank send nearly 4 million letters to consumers last year after a data backup tape was lost in transit to a credit bureau. Only about 135,000 consumers -- or less than 4 percent -- signed up for free credit monitoring, the company says. Wells Fargo, which experienced several data losses, said it had a "relatively low" response to its offer.

Why the reluctance?
The critical question is: Why? After all, free monitoring is the only tangible compensation consumers receive after becoming data loss victims. Why would they consistently thumb their nose at such a perk?

At a recent conference I attended, consumer advocates from major financial and Internet companies lamented that sometimes it's impossible to get consumers to do anything to protect themselves. They can't get be bothered to read brochures, to take a few minutes to educate themselves about fraud or even to sign up for free products.

I think it's a fair point. Ultimately, consumers need to take responsibility for their own protection. But there are plenty of potential explanations outside sheer laziness or disinterest.

Beth Givens, executive director of the Privacy Rights Clearinghouse, says that many consumers whose data was leaked probably didn't read the disclosure notice because they thought it was junk mail. (In fairness to LexisNexis, the firm went to the extraordinary and expensive step of manually pasting real stamps on its letters - rather than run them through a postal meter -- to get the attention of recipients.)

Others may not have read all the way through the notice to get to the point where the free monitoring was offered, Givens said.

"People are accustomed to ignoring pieces of paper with a lot of dense print on them," she said. "My guess is a very small percentage of those who received the letters actually read the letters. Or they may have read them so quickly they missed the part where it said you get (credit monitoring) for free. You have to be a pretty careful consumer to realize this is something you should read."

Consumer confidence an issue
Some victims were probably scared off by the sign-up process, which could require divulging a Social Security number. After all, who wants to fork over personal information to a company that's just lost it?

Larry Ponemon, who operates the research firm The Ponemon Institute, found in a recent survey that 1 in 9 adult Americans received a data-loss disclosure notice last year. But most recipients told his firm they spurned free credit monitoring -- in many cases because they did not trust the company that was making the offer.

"More than half of the respondent group who were offered credit-monitoring services was suspicious about the 'free' offer," Ponemon said. "Many respondents told us that they thought this was likely to be a gimmick that would ultimately cost them in the future. Others refused out of principle, and didn't want their goodwill to be purchased. "(They) were simply angry with the organization that reported the breach and did not want to accept any tokens or gifts."

Victims demonstrated a greater willingness to accept a cash payout, Ponemon said. In one instance, consumers more readily accepted a $10 credit to their phone service than an offer of free credit monitoring, he said.

Credit bureau Equifax Inc., one of the firms that offers free monitoring on behalf of companies that have leaked data, has in the past year created a swat team to deal with such breaches. The company has so far offered credit monitoring to customers affected by leaks at more than 100 companies, including LexisNexis, and Equifax's Steve Ely said one-third of all its credit-monitoring customers received the service as the result of a security breach.

Acceptance rates on the rise
Levy said last year, most consumers did reject the offers made by companies like LexisNexis. But acceptance rates are on the rise, he said, as more consumers become familiar with the importance of their credit reports.

Also, leaks by companies with more tech-savvy consumers tend to result in more sign-ups -- in some cases as high as 30 percent. A month ago, Fidelity reported a laptop with 200,000 records of Hewlett-Packard employees had been stolen. Ely said the sign-up rate after that incident was "significantly higher" than the LexisNexis rate.

What to make of this? I've always thought credit monitoring was a good idea, particularly for anyone who has reason to suspect they are a victim of recent identity fraud. But I've been reluctant to recommend it because I firmly believe consumers shouldn't have to pay for access to their own data.

In a case of a good result from a bad incident, data leaks have given millions of consumers a chance to use the services for free, and it's too bad more of them haven't signed up. Looking at your credit report is a bit like finding an old photo album in your grandmothers' house -- it's an intriguing walk down memory lane. As long as no one asks for your credit card number -- and you're sure you're not paying for it -- you should accept an offer of free credit monitoring when it comes your way.

On the other hand, it's understandable that more consumers haven't signed up. There have been some questionable presentations, which seemed more like marketing than a mea culpa. For example, Wells Fargo was criticized for offering its own credit-monitoring service after data leaks.

Not a perfect tool
And it's important to know that credit monitoring, while an effective tool, will not pick up every incidence of ID theft. It does little to alert consumers whose Social Security numbers are the only thing stolen, discussed previously in this blog. And it wouldn't ring any alarm bells for ID theft that doesn't involve financial theft, such as using someone's else's identity to escape arrest.

Finally, it doesn't include the most powerful tool consumers have been given to stop ID theft -- a credit freeze. Freezes allow consumers to lock up their credit report so it's impossible for a criminal to open a new account in their name. More than a dozen states now allow freezes, but they are spendy – a freeze can cost between $50 and $100 a year. In a perfect world, victims of a security breech would get an offer of a free credit freeze, and perhaps in some cases would have their credit reports automatically frozen to prevent theft and be given the opportunity to unfreeze their credit at their will.

While I have spoken to companies who I believe are trying to sincerely do the right thing after a data leak -- and I do think consumers bear some responsibility for reading their own mail -- more still needs to be done to protect victims. Something's wrong when only 5 percent sign up for the only service they are entitled to as compensation for the loss of their personal information. More should be done to make it right.

When it came to light last year that tax preparation firms were sending thousands of customers' returns to India for processing, a small firestorm ensued. But during the discussions that followed, it became clear that such international outsourcing of private information is now common practice for U.S. firms.

One year later, despite the negative reaction outsourcing evokes, one researcher says consumers may be warming slightly to the idea of globe-trotting data.

Obviously, if it's cheaper to do the work overseas, the information has to go overseas. So it's now standard practice that telephone operators in Ireland or Canada have access to intimate details about Americans' lives. Ditto for transcribers who type in medical records.

Privacy wonks raise alarm bells about such practices. After all, a company that loses data in India may not be subject to American laws. This raises troubling questions. For example, there are no international data loss disclosure requirements of the sort that exist in California, which forced the revelations that made us all aware of what happened at ChoicePoint Inc. last year.

Nor are the concerns about information outsourcing just theoretical. In one celebrated case, a Pakistani transcriber who felt she hadn't been paid for her work threatened to expose a wide swath of Americans' medical records unless her company paid up. Such criminal acts couldn't be prosecuted in the U.S., even if U.S. data was involved.

Researcher Larry Ponemon of The Ponemon Institute recently set out to find out just how much this data outsourcing bothers a typical American. The answers he got are a bit surprising. While there was universal concern about the outsourcing of personal medical information, people were a bit less bothered by the shipping of financial information and other kinds of data overseas.

And in perhaps the most surprising result of the survey, India ranked third as the country consumers feel most trustworthy for outsourced information, behind only Ireland and Canada. The least-trusted countries were the Philippines, Mexico and Haiti.

Given the negative publicity surrounding India and outsourcing, even Ponemon was surprised at the result -- so surprised that he wasn't quite sure it could be trusted.

"It seems like people might have a more positive view of India than my initial hunch," he said. "It is puzzling. I don't think this tracks against the gut test."

What those surveyed said
One possibility, Ponemon said, is that most Americans are familiar with India as a major outsourcing center for American companies. Familiarity can sometimes breed trust. On the other hand, those who gave negative marks to India indicated very strong negative scores, Ponemon said, so it may be that India evokes strong sentiments on both sides of the conversation.

Some of the supplemental comments supplied by survey respondents shed a bit of light on this dichotomy.

From those who distrust India came comments like this:

"In the 800-pound gorilla category for outsourcing, India is King Kong. Why should they care about me, my family and our personal information?"

And this:

"I never trusted them (China and India). ... I think that their cultures are all about greed and corruption. All they want are our jobs."

Positive perceptions
On the other hand, people's personal experiences clearly color their broader perceptions. One respondent who scored India as very trustworthy did so because of someone she knew:

"My daughter's boyfriend is from India and his grandfather owns a huge textile company in Hyderabad. They are pretty honest people with strong family values. I don't worry much about it."

Another knew several Indian-born professionals, which gave her a favorable impression:

"In my experience as a teacher these people (Indians) are very smart, hard-working and have excellent technical training. I think they are very practical in business too. ... It doesn't make sense for them to sell my data."

For yet another, language commonality also led to reassurance.

"I tend to trust countries that speak my language. ... I favor Canada, England, Ireland, and India, over most others with my personal information."

Ponemon's study, which was conducted using an Internet-based sample group and claims an accuracy of plus or minus 2 percent, had other surprising results. The chief one: While still a minority, a large percentage of people said they had few problems with international data sharing. More than one-third said they had no problem with companies sharing basic personally identifying information; 25 percent said it was OK to share data on Internet behaviors and 22 percent said it was OK to share employee records.

And while three-quarters of people said they were strongly against most information sharing, only 10 percent said they'd be willing to pay companies more to keep their information from flying beyond American borders.

Can people make informed choices?
To understand these results, I spoke to economist Alessandro Acquisti, a professor at Carnegie Mellon University. He's one of the few scientists currently researching the economics of privacy. In his research, Acquisti consistently shows that consumers simply don't have enough information to make judgments about their own privacy or to evauate bargains they make with companies regarding their privacy. For example, when consumers sign up for a loyalty card discount program at a grocery store, they know they may be receiving regular 20 and 30 cent coupons. But they do not know what they are trading away -- perhaps more junk mail, perhaps a future data leak causing identity theft, perhaps nothing.

As a result, it's very hard for consumers to make informed privacy choices, and it's very hard for researchers to interpret privacy sentiment surveys, he said

One thing that's consistent in all his surveys: A certain group of Americans have little interest in the issue of privacy. They're called "the unconcerned," and can be counted on to give researchers some version of "it's not a big deal" when asked a question like, "Are you concerned about your private information being shared with foreign companies?"

The first to identify this group was Dr. Alan Westin, publisher of Privacy & American Business. In a 2003 Harris Survey, 10 percent of adults were identified as "privacy unconcerned."

Perhaps that's apathy; or perhaps that's pragmatic. Michael Corbett, executive director of the International Association of Outsourcing Professionals, thinks it doesn't really matter where personal information is processed. All that matters is how it's handled, he said.

"You can create just as safe an environment overseas as in the United States and, as we've seen, the information can be mismanaged in the U.S.," he said, referring to last year's string of data leaks by major U.S. companies.

Legislative efforts stall
Corbett thinks Ponemon's survey shows Americans have increased sophistication about the outsourcing of personal information and, in some areas, increased comfort levels with the practice.

That seems like an optimistic interpretation. One thing that survey respondents made very clear is the whole idea still makes many of them queasy in certain circumstances. For example, 83 percent said they did not want a U.S. organization to send their patient health records to a company in another country.

That's why laws dealing with information outsourcing continue to bubble up in state legislatures. Both California and Illinois, for example, have entertained laws that require call center employees to disclose their locations when talking to customers (most now won't admit they are overseas when asked). In 2004, the California Legislature passed a measure that would have attempted to extend state privacy consumer protections to companies that process California citizens' medical information overseas. It was vetoed by Gov. Arnold Schwarzenegger, who said the law was too vague. The bill has not been reintroduced.

Inevitable or simply unexamined?
In a world where the Internet makes it roughly equal to process information down the hall or half-way round the world, where most of the world's computers are really one big computer, perhaps it's inevitable that consumer information will globetrot. And perhaps, as Ponemon's survey suggests, consumers are becoming more comfortable with that. Or perhaps, as Acquisti suggests, confusion and apathy complicate the issue. But whatever the current conventional wisdom, it would be far better to think about the implications of outsourced private information now, before this sharing becomes the de facto.

For that, readers would do well to dive into a report issued last fall by Rep. Ed Markey's office about offshore processing of information and privacy laws. Markey's office ranked the privacy protection laws in 20 countries that do the bulk of the overseas information processing for U.S. companies and concluded that in 14 countries (including India), privacy laws are weaker than U.S. law.

That leads to an important but rarely asked question: If there was an international data leak on the scale of last year's ChoicePoint incident, would we ever find out? Has such a leak already occurred? Such questions are better asked sooner rather than later.

If you are a procrastinator, electronic tax filing sure sounds like a good idea. And with online versions of TurboTax and  running for around $20 a pop, it's a pretty good value, too.

But beware, procrastinators. Online programs like Intuit's TurboTax and H&R Block's TaxCut may sound cheap, but prices can rise steeply if you aren't careful. There are tack-on fees that sneak up on you right at the end, right when you're just about to file the return and celebrate your newfound riches in the form of a tax refund. That's just when you are most likely to miss a sneaky fee.

At TurboTax.com, for example, the wrong clicks sent a come-on price of $15.95 soaring all the way to $90. At H&R Block's site, TaxCut.com, the standard $30 premium package jumps quickly to $50 if you don't carefully watch your mouse. And that's without opting for extra services like professional tax reviews, which can add another $50-$100 to the price.

Here's what to watch for:

Both TurboTax and TaxCut are cleverly designed to let consumers fill out most of the paperwork before paying anything, a "try it for free" model. That's good, because you can see if the interview-style tax preparation system works for you ("OK -- now tell us about any investment income you have."). Payment is only required when it's time to print or e-file the forms you've been working on.

On the other hand, once you've done all the work clicking around in one of these sites, of course you are likely to whip out your credit card and pay.  And I hope you do.

Because each of these programs offers a silly benefit that lets you pay for their software through a deduction in your refund.  That would keep you from having to pay with a credit card, but it's a costly error.  TurboTax charges $29.95 for this service; H&R Block charges $19.95. 

At Block, the "Simple Pay" service fee is checked by default, making it easy to accidentally fork over the extra $20 right as you are about to file.  That's a 66 percent increase in the cost of the software, for nothing.

At TurboTax the fee is even higher -- $29.95.  The good news is, it's not selected by default. The bad news is filers are presented with two buttons, and "Deduct From My Refund" is about twice the size of the alternative. To its credit, Turbo Tax puts the word "additional $29.95" in bold in the explanation on top of the page. Still, I suspect some people don't quite realize what they're doing and how much they are paying when they selected the refund deduction.

After spending all this time fighting for every deduction you can find, what a waste of money!  It may be simple, but it's foolish.  So be careful what you are clicking right through the very end.

'Please do not worry'
But refund-based payment is not the only way the price of cheap online tax prep software can sneak up on you.  When I used TurboTax, I landed there through an ad from my online brokerage company, which promised 20 percent off  the regular $20 price.  For $15.95, how could I lose?  So I began the interview process, answered all the questions, took some of the advice and right as I was about to file, I was told the charge would be $31.95.

I was tempted to just pay it, but I resisted, and instead sent an e-mail to the TurboTax help center asking for an explanation.  I did get a quick response, but it wasn't reassuring.

"We understand your issue. Please do not worry , we request you to go ahead and e-file your returns and contact us later. We will help you in refunding the discounted charges back. Respectfully, Samuel."

I'm sure Samuel is a nice man, but I have my questions about how much help he'd really provide when it came time to get a refund. So I sent him a follow-up note, asking for something in writing. I never heard from him again.  But in the interim, something happen to the price of filing my return. When I logged onto TurboTax a few days later, having decided to pay the higher fee -- it had jumped even more. This time to $60. 

It was only then I noticed this small note on the front of the TurboTax download page that's quite worth noticing. It's right under the advertisements with the great prices.

"Prices determined at time of print or e-file and are subject to change without notice.'"

I tried to get answers out of TurboTax about why my purchase price rose so sharply, but I never did get a reply to my e-mail to customer service. I have a suspicion that accepting offers of extra help along the way kicked me up a notch from their regular product to their "premier" product.  Perhaps I was warned somewhere along the way that doing so would incur an extra cost. If there was a warning, I missed it.

Can still be a good deal
Despite these foibles, tax preparation software still works remarkably well, and should take the fear out of filing for most folks.   Not long ago, the prospect of digging around IRS boxes for a Schedule C form at a library or post office on April 14 could send any procrastinator into convulsions.  Today, all those forms are readily available online, and interview-style software makes it possible to file taxes without ever touching a tax form. Web filing is a good alternative for procrastinators.

I should mention that I did not examine the third major online preparation software, TaxAct.  The most rigorous product test I found online was conducted by About.com's William Perez.  General consensus on TaxAct is it really is the cheapest alternative, but doesn't provide quite as much handholding as Intuit's TurboTax and H&R's TaxCut.

But whatever your do, even if it's Monday evening at 11:59 p.m., keep your wits about you, and watch carefully when it comes time to make payment.  A good deal can go bad  very quickly when working with online tax preparation software.  Also, be sure to avoid checking any boxes that give your tax software provider the right to share your personal information with its affiliates -- or with anyone.  Even when you are tired and anxious to finish, be sure to click carefully.

Last year, a hospital in Hawaii lost one of those tiny USB thumb drives and gained a big headache.  The drive contained personal information on some 120,000 past and present patients. The data, in the wrong hands, could easily lead to identity theft.   

This week, it appears the U.S. military has lost control of a series of similar tiny thumb drives, with far more serious implications. According to a story first reported by the Los Angeles Times, drives sold at street markets in Bagram, Afghanistan, contain intimate details on everything from U.S. soldiers to secret informants. Data that, in the wrong hands, could easily lead to murder.

On Thursday night, NBC's investigative unit and correspondent Lisa Myers took the story a step further. Using hidden cameras, NBC brings viewers right inside a bazaar in Baghram, revealing just how easy it is to find and buy sensitive data.

To computer experts, the problem is called endpoint security. Endpoints can be almost anything -- USB drives, iPods, laptop computers, cell phones, even digital cameras with SD cards. They are all ticking time bombs, and they are all keeping information technology folks from sleeping at night.  Billions of dollars have been spent making sure brilliant hackers can't attack computers from across the globe. But firewalls generally don't stop anyone from attaching a finger-size drive to a computer and stealing gigabytes worth of secrets from a company or government agency.

That's probably not what happened in Afghanistan. Instead, the data probably landed on those drives through normal, but careless, daily operations. Remember the days before networks, when you would share a file with a friend by copying it onto a floppy disk, jogging across the room, and placing it into the second computer? It's called a sneakernet, and sneakernets are back in vogue. With thumb drives so quick and so small, people often use them to transport files around the office, or to take work home.

Of course, their size is also their undoing. Thumb drives are easy to steal, and easy to forget about. According to privacy expert Larry Ponemon at The Ponemon Institute, many companies don't even know how many thumb drives they have in the building. And since they are so cheap, employees bring in their own. So when a drive full of critical data is stolen -- often, no one knows.

"This has caught everyone by surprise," Ponemon said. "We were focusing on centralized data, we bought firewalls, intrusion detection systems, but we were forgetting about sneakernets. ... and at end of day that has become next wave of security nightmares."

All these tiny storage devices can render all those billions of dollars spent on centralized network security obsolete.

"The money spent on network security has given organizations a false sense of security," said Brian McCarthy of Centennial Software. His firm maintains a blog called WatchYourEnd.com which chronicles news reports on data-filled gadget theft. Today's list of stories include an employee who committed identity theft with the help of an iPod, and a laptop computer stolen from Ernst & Young which had personal information on 38,000 BP employees. "This is a gaping hole."

It's not hopeless, just neglected
The situation is serious, but hardly hopeless. There are several technologies that make endpoints much safer. Laptops can be loaded with software that 'phones home' when an unauthorized user connects it to the Internet. Many advanced thumb drives offer encryption tools for just a few dollars more. SanDisk has a nifty product with a small hardware attachment that requires thumbprints before data can be accessed. Centennial sells software called DeviceWall that stops data from ever flying out of the USB port unless a security manager approves it and only allows the data to be read off the USB device by approved computers.

None of those technologies are fool-proof, particularly in a wartime environment.  One expert warned me about the gruesome requirement for a "live test" by fingerprint readers, necessitated by the likelihood that fingers might be chopped off in an effort to defeat fingerprint security.

But when writing about the world of security and privacy, it often feels like there are actually two worlds: one, full of genius mathematicians and hackers, fighting a war on a battlefield few of us can understand; and a second world, where even the simplest safety tips are ignored.

Leaving a list of informants on a data drive that can be read by anyone who happens by and takes it is no different than leaving top secret documents lying exposed on top of a desk. It may be shocking to see sensitive military information handled this carelessly, but it's probably common.

Ponemon believes the vast majority of sloppy endpoint practices are the result of employees who are frustrated by snags in their normal work environment and are just trying to get things done quickly.  A network acts up, or some encryption program gets bogged down, so a worker just goes for the easiest solution.

"It's usually just negligent people," he said.  "But the probability of large numbers suggests sooner or later an endpoint is going to end up in the hands of a terrorist."

Data with no expiration date
But there are other factors that contribute to a broken system, one laid bare by the incident in Afghanistan. The biggest one: Companies and organizations have forgotten about the delete key.
Most are now very much in the habit of copying and keeping data around just for the heck of it.  There are countless examples, just in the past year, of personal information lost when a laptop disappears. In many of those stories, the data lost had no business being on that laptop.

And more important, there is rarely an expiration date on any of this data. So the data just hangs around, waiting to be stolen. It's common to hear about lost laptops with stolen data dating back to the 1990s. Thanks to the plummeting prices of data storage, it's become common practice for organizations to simply keep every bit of data they ever gather. Storing it is cheaper than taking the time to occasionally clean it up.

Imagine how messy your closet would be if you had infinite space for clothes.

Hanging on to data for the heck of it may be human nature, but it's still no excuse. Clearly, companies and government agencies need to implement high-end solutions like fingerprint readers to keep data safe.  But while they are thrashing about trying to select the highest technologies, some low-tech troubleshooting needs to be done immediately.  Thumb drive encryption should be standard policy. Gadgets can be left at the door.  And the delete key needs to find new prominence. Data should never live any longer than it's needed.

Recently, a Red Tape reader named Katherine received a letter from her auto insurance company with an intriguing offer.

"Congratulations on being a preferred Geico customer," it read. "We may be able to offer you a lower rate that could save you up to an additional 10 percent."

Just sign this form, the letter urged, and give us permission to check your credit score. If it's good, you'll get a discount, it said. 

Katherine didn't know what to make of the letter.

"Since when do car insurance companies need your credit rating to determine if you are a good driver and deserve a discount?" she asked.

In fact, auto insurers have for several years been using credit scores to set rates.  It's just not well known.  Unless you live in a state like California or Hawaii, which legally bar the practice, your credit score probably affects what you pay for auto insurance.  Those with low scores pay higher rates; those with high scores presumably get a discount.

How much more might you be paying because of a low score? As a consumer, what score should you shoot for to know you're getting the cheapest auto insurance? I wish I could tell you, but I can't. The insurance industry considers such information as competitive intelligence.  Geico wouldn't discuss Katherine's letter with me, referring questions instead to an industry think tank.

The details remain a mystery, but the low-credit-score penalty is steep, consumer advocates say -- adding perhaps as much as 50 percent to an insurance bill, according Birney Birnbaum, an insurance expert for the Center for Economic Justice in Austin, Texas.

The practice is baffling to Katherine, who threw out the letter, electing to forgo the discount and keep her privacy.

"This is very disconcerting especially when you consider how many errors exist on the average credit report," she said.  "But what I would really like to know is what scale are they using here and what scientific fact they have that relates to necessitate them to send this letter out to all the people who have them as their car insurance?

Marcellus Andrews, an economist at The Insurance Information Institute, says there is, in fact, a tight statistical correlation between credit scores and future auto mishaps. Those with low credit scores tend to be more expensive customers, he said. Of course, no one can use scores to predict what's going to happen to an individual -- but the data do a good job of predicting what will happen in aggregate, he said. That allows the industry to more fairly distribute insurance costs.  After all, without such pricing structures, good customers tend to subsidize bad ones.

What do scores and expensive auto accidents have to do with each other? It's been speculated in the past that people with low credit scores are just careless people, and that carelessness spills over into all areas of life.  The reason for the connection, however, doesn't matter, Andrews says.

"Insurers don't care about why things are correlated, just that things are correlated," he said.

Insurers use as much data as they can to find such correlations and assess risk.  As it happens, credit scores are the data most widely available on the most consumers. Nearly every adult consumer has one; and they are easy to buy and easy fit into an mathematical model.  Thanks to credit scores, instead of a few pricing tiers, many insurers have 30 or 40 tiers, says J. Robert Hunter, a spokesman for the Consumer Federation of America.

Of course, the obvious question is this: Are insurers using the data to more fairly distribute costs, or just as an excuse to charge some people more?  Katherine's letter promised that the offer was a no-lose situation for her -- Geico said her rates could go down as much as 10 percent, but would not go up if she consented to have her score used. 

Birnbaum found that hard to believe.

"It's an interesting representation, but that doesn't really make sense," he said.  "The only way they can give discounts is if they give other people a surcharge."

In fact, Birnbaum said, the 10 percent offer was paltry, compared to the 50 percent increase some consumers can see as a result of a poor credit score.  He is among those who believe insurers are raking in higher profits because of scores, instead of distributing costs better.  He cited one study showing overall costs for consumers rose when credit score pricing was introduced in some markets, but the studies are small and incomplete.  It's challenging to gather data for such a study because insurers are so tight-lipped about their pricing structures.

So we're left to wonder just how much a bad credit score might be costing us. That's particularly maddening when you consider several studies have shown as many as 50 percent of all credit reports have some error in them. And it's terrifically unfair to people who suddenly face a life event that causes their credit score to plummet, such as the aftermath of Hurricane Katrina.

But there is reason to believe help might be on the way.

There are steps individual consumers can take to find out just how much their score impacts their rates; and thanks to a recent federal court ruling, consumers may have even broader rights soon.

The question every consumer should ask their insurer right now is this: What would my rate be if I had the highest possible credit score?  That would determine what your credit score penalty is.  The insurer may or may not comply with the request.  But refusing to do so runs afoul of the Fair Credit Reporting Act, a court has recently ruled.

When consumers are denied a loan or a job because of something in their credit report, they are entitled to notification by the company involved.  Consumers must be sent what's called a "Notice of Adverse Action."  The right, granted by the Fair Credit Reporting Act, stems in part from the fact that many credit reports have errors -- and the notice of adverse action alerts consumers that there is something in their credit file that is hurting their chances at a new car, home, or job.

Two lawsuits recently argued that getting charged extra by an insurer because of a low credit score is in fact an adverse action, and that consumers who don't get an insurer's best rate deserve an adverse action notice.  In August, the Ninth Circuit Court of Appeals ruled in favor of consumers suing Geico and Hartford Financial Services Group Inc. for mandatory adverse action notices, overturning an earlier ruling by a lower court. The court held that any time a company sets a price higher than would have otherwise been charged because of information in a credit report, that falls under the rules of the Fair Credit Reporting Act requiring notice.

Hopefully, you won't have to sue to get your notice. But you might consider it. Knowing what you best insurance rate would be is obviously a valuable piece of information. If you knew, for example, that another 100 points in your credit score could save you a few hundred dollars in car insurance, you might make different credit choices.  Perhaps you wouldn't bother. But, at least, you should have the choice, not your insurance company.

All this sets aside the argument about whether use of credit scores in insurance is fair or not.  Some argue that doing so unfairly disadvantages the poor or minorities,who traditionally have lower credit scores. The practice at a bare minimum sounds unsavory, and smacks of an industry that may be a bit too married to data -- any data.

After all, just because there's a correlation doesn't mean it's fair to charge higher prices. What if there was a correlation between hair color and accidents? In fact, there is, says Hunter.  Several years ago, the California Department of Motor Vehicles ran a test and found that brunettes were more likely to have wrecks than blondes.

"(The industry) said, 'That's ridiculous and arbitrary,'  But is it  any more arbitrary than credit scores?" he said. 

But Andrews argues, convincingly, that Americans better get used to data-based pricing.  More and more information about all of us is collected and stored every day, and without strict controls on how it is used, it's bound to end up as part of complicated pricing models in all kinds of uncomfortable ways. What happens to health insurance rates when we find genes that predicts early illness, or long life?

"Consider the troubles on the horizon once the human genome is well understood and the miracles of modern mathematics and science make it possible to price genetic characteristics and connected risk factors separated by decades," he said.  "I should think that the opportunities and  challenges posed by an information-driven market economy will be with us for a very long time."

For now, auto insurance consumers should know that credit scores are a fact of life.  That makes shopping around all the more important -- and that's something most consumers just don't do when it comes to insurance. Close to 80 percent of consumers just buy the first offer of insurance they receive, Hunter said. 

There are a few things consumers can still control, and shopping around is one of them.  In the end, such bad shopping habits can be even more costly than bad credit scores.

There's only one thing worse than sitting down to pay your taxes every year -- the thought that many other people aren't paying their fair share, and they're getting away with it.

Millions of tax cheaters and deadbeats don't pay billions of dollars they owe the government, raising the tax debt for those who pay honestly. In many cases, the cheaters get away with it because the Internal Revenue Service simply doesn't have the time to make a few phone calls and send a few letters to collect the money. And it's a lot of money. Estimates vary, but the IRS recently guessed that in 2001, taxes paid were more than $300 billion less than taxes owed.  That's enough to pay for many major federal programs.

While much of that money might be in dispute, a lot of it isn't.  In millions of cases, taxpayers concede they owe the IRS but just haven't gotten around to paying the bill.  There's about $90 billion of these "collectible" IRS IOUs lying around, just waiting for someone to send a bill.

Well, finally, someone is doing something about it.  But this is one situation where the cure may very well be worse than the disease.

Starting this year, the IRS will contract with private companies to collect wayward tax payments.  The agency will turn over the debts of 150,000 Americans to three firms and expects to gather up payments of about $100 million during the next 24 months. The program will be expanded to a dozen companies in the coming years, with $1.4 billion in extra revenue collected during the next decade, the IRS hopes.

If you are frustrated by freeloaders who raise your tax load, perhaps you might see this as a good idea. But you may come to regret that someday.

Complaints of harassment
The debt collection industry needs no introduction. It's the most complained-about industry in the country, according to the Federal Trade Commission. 

Despite very clear rules laid out by the Fair Debt Collection Practices Act, collection agencies have a reputation for calling late at night and early in the morning, for harassing and menacing consumers during those calls, for bothering relatives and for making exaggerated threats. 

Here's an example of how mean-spirited the companies can be: According to Federal Trade Commission complaints obtained by MSNBC.com in a 2004 Freedom of Information Act request, one debt collector took retribution against a consumer who didn't pay a $1,000 hospital bill by breaking the bill into dozens of smaller delinquent payments of $25-$100. That way, instead of one default entry on the consumer's credit report, there were dozens of black marks, ruining the consumer's credit score.

And now, very soon, the federal government is set to join forces with this industry.  Tax collectors and debt collectors, a match made in heaven.

Of course, not all debt collectors engage in harassing or illegal behavior.  And not all debtors are innocent victims.  Many deserve more than a nice letter asking for them to pay up.  Part of the sentiment behind this effort -- the desire to make everyone pay their fair share -- is valid.

IRS says it will monitor collectors
IRS officials say there are several factors that make partnering with private collectors safe and productive. 

They will monitor companies involved closely.  They will require background checks on all employees. The information shared with outside firms will be limited to name, amount owed and contact information.

"We're not going to turn over cases to them and just leave them be," said John Lipold, an IRS spokesman. "There will be significant IRS involvement and oversight throughout the entire project. And taxpayers whose accounts are assigned to these agencies will receive written notice … that it's happening."

Most important, private companies will not make any decisions on the amount taxpayers owe, and they won't be doing any audits.  Only the simplest cases -- situations where taxpayers don't dispute they owe taxes.   With that in mind, supporters of the plan believe hiring an outside firm to do the paperwork and split the recovery makes sense.  After all, 75 percent of something is far more than 100 percent of nothing.

That is, of course, crazy talk.

A gift to the collection industry
If the cases are so simple, the federal government can collect the money. It can hire a few more people to send out a few more bills. If the bureaucracy at the IRS can't get it right, fix that. Doing so would cost a fraction of pennies on the dollar, not the quarter on the dollar the IRS is prepared to forfeit.

As currently constituted, this plan is a huge gift by Congress to the debt collection industry. In the next 24 months, the IRS expects close to $100 million to be collected, with about $25 million of that going to the three chosen collection firms. 

Perhaps Congress was in the gifting mood because debt collectors are themselves excellent gift-givers. The industry is among the most avid political donors.  According to the publication Tax Notes, some individual collection agencies have donated well over six figures to congressional candidates, with Diversified Collection Services Inc. topping the list at $480,000.

At least once in the past, a debt collector firm has been too eager to give money to politicians to help gain government collection contracts.  In 2004, two San Antonio city councilmen admitted to taking bribes from debt collectors in exchange for votes to support bids on the city's private contract to collect unpaid fines and fees. The bribes were paid in part by a man named Juan Pena, at the time a partner in the law firm of Heard, Linebarger, Goggan, Blair, Pena and Sampson, based in Texas. 

One of the three collection agencies that won the IRS contracts is Linebarger Goggan Blair and Sampson.  Pena is now long gone, and there is no reason to believe anyone currently at the firm engaged in illegal political contributions. The IRS has issued statements saying the firm handled the incident appropriately.

But it's clear the debt collection industry can be a very messy business. As a nation, we need to think long and hard before we authorize our federal government to get in bed with such an industry, and even harder before we authorize them to call us and ask for tax money. 

Drive to privatize
Of course, what's behind the move, which was originally authorized in 2004 by the American Jobs Creation Act, is the current administration's slavish allegiance to the concept of privatizing all government functions.  There are places where private, profit-driven companies can do a better job performing services than government employees.  But tax collecting is a primary duty of any government, and our government shouldn't shirk that responsibility. Particularly not at the risk of millions of dollars and at the risk of citizens' rights.

There is good news.  Complaints by debt collectors who weren't selected in the first round by the IRS have put a temporary hold on the entire IRS privatization project.  That will give us all time to pause and ponder this unwise plan.  But the delay is only 100 days long, so those who are worried about a marriage between the IRS and debt collectors have one last, short window to speak up. 

As you're signing this year's tax return, now would be a good time to make your feelings known.