Who's to blame for the ID theft epidemic? Surprisingly, given all the attention the subject receives, we know strikingly little about the root causes of the problem. ID theft is often called the fastest-growing crime in America, but there's precious little research into which companies have the worst security measures and which suffer the most data leaks.

Researcher Chris Hoofnagle thinks it's high time we started pointing fingers.

Hoofnagle recently undertook a laborious task: He scoured thousands of ID theft complaints filed with the Federal Trade Commission, looking for company names. His simple question: How often do people tell the FTC that their accounts or information have been stolen from particular companies, and which companies are named most often?

The answer to his query is Bank of America, which averaged 1,117 complaints in the three months he surveyed. Two cell phone companies -- AT&T Wireless and Sprint -- were second and third on the list.

Since BofA is America's biggest bank, and an obvious target for fraud, it's no surprise that it ranked high on the list. Ditto for the large cell phone firms. In fact, Hoofnagle freely admits that his results need to be taken with a big grain of salt.

"The results suffer from a lot of weaknesses," Hoofnagle said. "But it's a start."

Because the data is self-reported, it's likely full of mistakes, he conceded. Also, just because a consumer says their Bank of America account was compromised does not mean the crime began with the bank. It could have started when the customer filled out a phishing e-mail, for example. And it's not fair to compare banks of different sizes, because largest banks would naturally be expected to be named more often.
Hoofnagle tried to normalize the data in a variety of ways, to account for the varying size of the institutions. Eventually he settled on comparing only banks by using total deposits and dividing the number of incidents by a dollar amount.

From another angle, HSBC is No. 1
Even using that trick, Bank of America still ranked high – no. 2 on the list -- with 17 incidents per $1 billion. But using that formula, HSBC ranked first, with 21 incidents per $1 billion.

Betty Reiss of Bank of America said the firm hadn't yet fully analyzed the study, but she pointed to its high potential for errors.

"We take identity theft very seriously, and we provide consumers with tools to fight it," she said.

HSBC declined to be interviewed for this story, but it did issue a statement to MSNBC.com criticizing the study's methodology.

"We can say that customer protection around identity theft is of paramount importance to HSBC. We take fraud of any kind very seriously," the statement read. "We have a range of robust fraud detection and monitoring systems in place for the early identification and prevention of fraud to protect our customers and their accounts."

One could criticize Hoofnagle's list as being basically a list of America's largest companies. As such, perhaps it isn't very useful.

But it's not because Hoofnagle didn't try. A year ago, he began a campaign to get banks to disclose more information about fraud and security. Banks "wouldn't engage on the issue" he said.

Hoofnagle released the study partly in an attempt to goad banks into releasing more data. Consumers have a right to know about fraud rates at banks, he said, because without this information they can't make intelligent decisions about their financial institutions.

"Currently the issue is mediated by commercials, with banks portraying themselves as being more effective against ID theft than other banks," he said. "But none of that is based in reality. It's all based on public relations. And that's not fair to consumers."

Hoofnagle, who is a senior fellow with the Center for Law & Technology at UC-Berkeley, says his goal is to create a real marketplace for identity theft protection.

"I think the disclosure of these problems will drive some competition among banks," he said.

Consumers 'flying in the dark'
Avivah Litan, a researcher with consulting firm Gartner, is equally frustrated by the lack of fraud information from banks. In the past, she has released studies that estimate the losses from identity theft and phishing based on consumer telephone surveys -- another attempt to read the tea leaves of fraud in the absence of real data.

"(Hoofnagle) is frustrated as any researcher or policy influencer would be," she said. "You can't get any data out of the banks. And consumers are flying in the dark right now."

Other results from Hoofnagle's survey:
• Small credit unions barely register in the FTC data, suggesting credit union customers might be at a lower risk of identity theft.
• While great attention is paid to bank ID fraud, wireless firms also suffer from high fraud rates. According to the FTC data, 8 percent of all new account fraud involved telecommunications firms. That's an area which deserves added attention, Hoofnagle said.
• Many consumers blame collection agencies for their bouts with ID theft, probably because often their first indication of the crime is a call from an agency. The AFNI Inc. collection agency cracked the top 20 companies in the FTC data, receiving more complaints than eBay or PayPal. To Hoofnagle, that represents an opportunity. "The collection agencies could act as an early warning sign for identity theft," he said.

If interest rates are going down, why are credit card rates going up? Consumers around the country are undoubtedly asking that question after receiving notices from many major issuers with some very bad news: their credit card rates are about to rise -- in some cases more than tripling.

But consumers don't have to put up with it. Kevin McPhail of Austin got his Texas-sized rate increase lowered recently by calling to complain -- but only through old-fashioned persistence. His story, experts say, highlights an important lesson for credit card users: If at first you don't succeed, try, try to lower your rate again.

McPhail, 43, called Citibank to complain as soon as he received a notice last month that his interest rate would climb to 15 percent. He was told the rate was the lowest available.

"Three times (the bank representative) told me there was not a lower rate," he said.

Undeterred, McPhail at last said the magic words that got Citibank's attention.

"I asked her to close the account," he said. Immediately, McPhail was transferred to an "account specialist" who was able to knock 5 percent off his rate. He even got a temporary discounted rate of 1.9 percent for the next six months.

A critical element to McPhail's success was this: When he called, he was holding an ad for a competitor's card. While he negotiated with the credit specialist, he read off the competitor's terms, giving him great bargaining power.

McPhail had a happy ending, but it left him with a bad taste in his mouth.

"I don't think I should have to threaten quitting to get their best rate," he said. "I felt like there was some level of dishonesty at the first (customer service) tier. I wonder how many people just walk away at that point."

Citibank, in a statement, said that the initial representative who talked to McPhail, "may have not followed our standard protocol."

Wave of rate hike letters
But financial experts say it's common for consumers to hear a quick "no," when they call their credit card companies.

And persistence is more important than ever, said personal finance writer Liz Weston, because many card issuers have recently imposed blanket interest rate hikes on consumers -- even those with good credit.

"The stories are fairly consistent. People who haven't paid late, with good credit scores, who haven't done anything that would typically trigger a rate increase are getting these letters," said Weston, author of "Easy Money: How to Simplify Your Finances and Get What You Want Out of Life." She said one consumer she spoke to recently was hit with an increase from 7 percent to 24 percent.

Credit card rates are running in the opposite direction from interest rates set by the Federal Reserve because banks are struggling to shore up balance sheets in the wake of other financial troubles, such as the mortgage meltdown, Weston said. Still, the sweeping nature of the interest rate hike notices is a new twist.

"This is difference from business as usual," she said.

Must be in writing
One version of these "Dear Customer" letters, sent by Bank of America in January, tolds consumers they must provide the bank with written notice that they reject the rate increase by Feb. 19, and must stop using the card by that date.

"If your account is used at any time after this date, the above changes will apply to your account even if you sent us timely notice rejecting the change," the letter reads.

Remember, the new higher rate applies to the entire outstanding balance even if most of the purchases were made -- and the money borrowed -- while the rate was lower.

Bill Hardekopf, who runs the credit card information Web site LowCards.com, said it's important for consumers to check their bills carefully to look for surprise interest rate hikes.

"Don't assume your rate is decreasing," because the Federal Reserve lowers interest rates, as many cardholder agreements give the banks broad license to raise rates "at any time for any reason," he said.

While some card rates are tied to the "prime" interest rate -- which does move in lock-step with the Fed, 3 percentage points higher than the Fed funds rate -- many card issuers are raising the "spread" above the prime rate to compensate. In McPhail's case, that meant an increase from prime plus 3.9 percent to prime plus 8.9 percent.

Get a better deal
The good news, Hardekopf said, is that customers with good credit can almost always get a better deal by speaking up.

"The strongest recommendation we have for people who experience an increase is, if you feel your rate is too high, call your credit card company and ask them to lower your rate," he said.

It may seem simplistic, but it really does work because the credit card industry is very competitive, he said."If you are a good customer, they don't want to lose you."

Hardekopf said any consumer with good credit shouldn't be paying more than 12 percent on credit cards. If you're paying more, you should get on the phone right now, he said.

Weston said consumers should be able to find a card with a rate at about 10 percent -- or get their existing bank to match a competitor's 10 percent rate.

But card rate bargain hunters have got to be ready to listen to a few "no's" first. They also need to be ready to threaten to close their accounts.

"The people who answer the phone, they are being paid to get people off the phone as fast as possible. They might not know about all the options you have," Weston said. "That's why you must go through that dance of saying you are going to close the account, and then you get someone who can help you."
McPhail didn't like that dance, and he told Citibank so in a stern letter dated Feb. 14.

"Why is it your company's practice to literally lie to your customers about what rates are available to them?" he wrote. "Why should a customer have to threaten to close their account to get a better rate, which they are actually qualified to receive?"

The form letter response he received offered no explanation, stating simply, "We regret any inconvenience or difficulty you may have experienced."

For most people, saving 5 percent on credit card interest is worth a lot of inconvenience.

Add this to the list of hidden fees you need to worry about when renting a car: an unpaid tolls collection charge. Rental car companies are collecting hefty fees from consumers who drive through electronic toll collection booths without paying -- in some cases nearly 10 times the amount of the original toll.

For example, Advantage Rent A Car customers who accidentally drive through electronic toll booths on roads like the new Texas Highway 121, which has no human toll collectors, without the proper equipment can expect to eventually receive a bill stating that they owe the state 60 cents – and $5 to a company named Violation Management Services. At Avis, drivers who do the same can be billed $25 for each transgression, in addition to the toll charge.

The problem is twofold: Some drivers purposely drive though toll stations, figuring the rental car company will have to deal with problem if anyone does. But others are innocent victims who fail to pay simply because they aren't familiar with an electronic toll collection system and end up driving through the wrong booth, or find themselves on roads where there is no cash option for those who lack the required electronic-payment device. This problem is expected to get worse as more toll roads are built. According to Advantage, some 70 e-toll only roads are in the planning stages in Texas alone.

Governments and rental car companies aren't helping the situation. Many toll roads have confusing or hard-to-see signs guaranteed to confuse visitors.

And while some rental car offices let customers borrow the devices needed to pay e-tolls for a small fee, such services are not yet widespread and aren't compatible with every toll collection system. And with unpaid tolls increasing, many rental car companies are turning to third-party firms, which sometimes add hefty fees to the bill they send to the customer.

The rental car industry insists that it's only trying to recover the cost of going after intentional deadbeats who cost rental car companies "tens of millions of dollars" each year, according to industry analyst Neil Abrams of Abrams Consulting.

Abrams said that rental car companies generally pay the violations and then attempt to collect later from consumers. Even with the steep fees, he said, firms still lose money on unpaid tolls and tickets.

Profiting from violations?
But marketing materials from Violations Management Services, a third-party firm that helps rental car companies track down toll evaders and other violators, suggest violation collections can be profitable. The company indicates on its Web site that it can turn "a costly customer service headache into a profitable customer service solution."

Also on its site, VMS indicates it shares the spoils with rental car companies, saying it offers them a "summons incentive (up to $10 net) for each service fee collected."

And last year, when Violation Management teamed up with rental car software firm TSD, TSD CEO Charles Grieco said in a press release that rental car firms are "working with VMS to convert what is normally a cost center for the rental car company into a profit center."

Violation Management Services didn't respond to repeated requests for comment. During a brief conversation, company founder Dennis Round insisted that his firm is not a collection agency, but rather a billing agency, akin to the sort of firms utilized by doctors and other professionals.

The idea that companies might profit from government-issued violations may be unnerving, but it's not new. Municipalities have been outsourcing parking ticket collections for years. And rental car companies have long assessed fees for parking and speeding tickets.

Tollway agency doesn't limit add-on fees
Advantage's $5 fee for a 60-cent toll mishap may sound steep, but it's actually an improvement. When the new Texas 121 toll road first opened last year, service fees were as high as $40, according to Advantage spokesman Sean Buck. The company's service agreement warns consumers it could charge up to $100 for each violation, but the firm has yet to charge anyone that much, he said.

Gaby Garcia, a Texas Tollway spokeswoman, said consumers who don't have the electronic gadget needed to pay on Highway 121 are photographed and later get an invoice from the state with a $1 service fee charge tacked on. If a rental car is used in a toll violation, the rental agency receives the bill, she said. The agency does not limit the fees the rental agency can add on.

"We do encourage the rental car companies to be up front about their charges," she said.

Buck says the Advantage fee is disclosed multiple times to consumers before they drive off the rental lot. He also defended the amount of the $5 charge, saying the company merely covers the cost of tracking down the renters and processing the necessary paperwork.

"This is definitely not a revenue generator for us," he said.

'A very serious problem'
Abrams agreed. He said collecting a 60-cent toll violation could cost a rental agency $10, particularly because the firms often have to front the money to municipalities and then later try to recoup it from consumers.

Given the thin margins in the rental car industry -- firms are lucky to make $20 on the average $180 rental, he said -- companies are now forced to aggressively pursue violation collections, Abrams said.

"It is a very serious problem for the industry. ... It's a no-win situation for them," he said. "A lot of people when they get a ticket say, 'Screw it, it's the rental car company's problem.'" On the other hand, the firms risk ill will from consumers when they try to collect the charges, he said.

Other rental car companies charge much more than Advantage. Avis, for example, typically charges drivers a $25 "administrative fee" when it is forced to pay fines and collect later from drivers, spokeswoman Alive Pereira said.

"The administrative fee is neither a profit center nor revenue stream for us. It is an effort to minimize our loss," she said.

RED TAPE WRESTLING TIPS
One invisible victim of all this: due process. It's very difficult for consumers to get a copy of underlying citations in rental car violations, giving them little or no chance to invoke their rights to adjudication. It is alarming to think private companies can act as enforcement agents for municipal authorities without having to abide by normal due process procedures.

It's also alarming to think about the perverse incentives created by the "summons incentives" paid by firms like Violation Management Services. Parking tickets are already often abused by local governments as hidden taxes; privatizing that process and adding even more to the cost seems positively un-American.

In some cases, consumers are innocent and helpless – such as when they find themselves on Texas Highway 121. Driving through confusing electronic-only toll booths should not enrich any company or government agency.

Car renters should keep in mind, however, that they can settle up directly with the agencies involved and avoid service charges. If you know you've skipped a toll or received a parking ticket, contact the agency involved and pay up. The rental car company will leave you alone.

No one should drop off a rental car after incurring tickets and violations, hoping the company won't find them. That's naive, given our electronic age, and unfair.

Rental car consumers should closely watch their bills in the months after a trip, looking for erroneous violation charges.

And anyone who's uncomfortable with the notion of private companies profiting off of statutory violations should contact their elected representatives and complain.

Credit bureau Experian is suing the identity theft prevention firm LifeLock, accusing it of deception and fraud in its familiar advertising campaign, which includes a spot in which CEO Todd Davis reveals his Social Security number and then brags about the effectiveness of the company's protections.

In the lawsuit, filed in U.S. District Court on Feb. 13, Experian contends that LifeLock's advertising is misleading and that the firm is breaking federal law in the way it goes about protecting consumers.

Lifelock CEO Davis, in an interview with msnbc.com on Wednesday, called the lawsuit baseless and said that Experian is simply upset that his firm is challenging its business model.

"This lawsuit is not about helping consumers," he said. "They just want to make more money selling their data."

LifeLock's ubiquitous marketing campaign has been stepped up in recent months, Davis said, thanks to a new infusion of investments in the company. In January, the firm announced it had raised $25.5 million in funding orchestrated by Goldman Sachs Group. The advertising has apparently paid off: Lifelock has 700,000 customers, each paying about $10 per month for the service.

Experian contends that LifeLock's chief ID theft prevention tool -- the placing of continuous fraud alerts on consumers' credit files – is illegal because, under the Fair Credit Reporting Act, fraud alerts can only be requested by the individual consumer or an individual acting on behalf of the consumer.

"The FCRA does not permit the placement of an initial fraud alert by corporations such as LifeLock," the lawsuit reads. "Despite this prohibition, LifeLock has surreptitiously placed hundreds of thousands of fraud alerts on Experian's files by posing as the consumer."

The fraud alerts, which last for 90 days and warn companies checking a consumer's credit to be on alert for imposters, can only be placed when there is suspicion of imminent fraud, Experian says. Placement of fraud alerts by LifeLock for any consumer who requests one asks also runs counter to federal law, the firm says.

LifeLock's service includes an automated request for a new fraud alert every 90 days, to create an indefinite fraud alert. Experian calls these "illegal fraud alerts."

Deceptive advertising accusations
The credit bureau also claims that LifeLock's advertising is deceptive to consumers.

Peg Smith, Experian's executive vice president, told msnbc.com that LifeLock is attempting to profit off a free service established by Congress in the Fair Credit Reporting Act.

"There is inadequate disclosure to consumers that these services are free," Smith said.

Experian itself has been the target of criticism that it sells a service that Congress mandated should be free. Its FreeCreditReport.com site has been targeted by the Federal Trade Commission, which expressed concern that the site could be confused with AnnualCreditReport.com.

FreeCreditReport.com is a for-profit site, and consumers must pay for a subscription service to obtain their reports. AnnualCreditReport.com is a free site mandated by federal law which allows consumers to see their credit reports once each year.

The service provided to Experian's FreeCreditReport.com customers, a credit monitoring service, could be considered a competitor to LifeLock.

Doesn't stop all ID theft
According to the Experian lawsuit, LifeLock also misrepresents the effectiveness of its identity theft prevention tools, Experian alleges.

"LifeLock … creates the overall net impression that LifeLock can protect against all types of fraud including computer hacking and accessing a bank account using stolen passwords," the lawsuit says. "Fraud alerts only are effective against fraud that requires accessing a credit report."

In one ad cited in the lawsuit, LifeLock claims "you'll find out how to lock down your identity, making it virtually impossible for identity thieves to wreak havoc on your good name."

But, Experian contends, the company's tools provide no protection against identity theft that's already in progress, or against unauthorized use of a credit card.

LifeLock's systems in many cases can't stop an undocumented worker from using a consumer's Social Security number to obtain employment, one of the more common forms of identity theft, Davis conceded Davis in an interview.

"We make it virtually impossible to for identity thieves to open new accounts in your name," Davis said, adjusting the wording slightly when asked about the advertisement. He denied the ad was deceptive, because of the inclusion of the word "virtually."

Most services are free
In addition to continuous fraud alerts, LifeLock provides three other basic services to consumers: It helps them stop junk mail and the mailing of pre-approved credit card offers, and it offers a copy of their credit report.

All three services are free; so are fraud alerts, though few consumers would take the time to continually request fraud alerts every 90 days. Consumers can also obtain credit freezes in many states, but these typically cost $10-$20 to implement.

Stop prescreened offers here.
Learn about stopping junk mail here
Get your free credit report here
Add a fraud alert at Experian, Equifax, or Trans Union

Experian also claims in the lawsuit that Lifelock is deceiving the credit bureaus. When it contacts a bureau and asks for fraud alert, LifeLock is "actively concealing that its requests are being submitted by a corporation." Instead, LifeLock represents that it is the individual consumer, Experian says.

LifeLock also takes elaborate steps to circumvent efforts to block its calls by Experian, the lawsuit says.

LifeLock initially placed thousands of calls to Experian's toll free number from Canada, causing the firm excessive telephone charges, it said. When those calls were blocked, LifeLock routed calls through a phone bank in Pennsylvania, which also was subsequently blocked. The calls were then routed through other phone banks, which Experian is currently unable to block, the lawsuit says.

Davis said he was unable to comment on specific allegations of the lawsuit, but said the company believes its placement of fraud alerts is legal, and "in the spirit of the Fair Credit Reporting Act."
LifeLock also utilizes AnnualCreditReport.com, a free site, to obtain credit reports on behalf of consumers, and then effectively charges for these reports by including them as part of LifeLock's monthly subscription service.

LifeLock consumers, unaware of this, then try to get their own credit reports from AnnualCreditReport and are denied because LifeLock has already used their once-a-year benefit, Experian says.

Davis told msnbc.com that LifeLock provides credit reports to any consumer who wants them free of charge.
The flooding of Experian's systems with thousands of fraud alert requests each month also presents a hazard to consumers, Experian argued, threatening to clog the system with stale, unnecessary alerts when

LifeLock "cries wolf" on behalf of consumers. The LifeLock fraud alerts cost Experian "millions of dollars," the firm says. And its advertising creates among consumers a false impression that they must pay for fraud alerts, which are free, it adds.

Davis said consumers are very happy with Lifelock, and said the service has successfully blocked many potential identity thefts. The firm offers a $1 million guarantee that it will help restore customers' credit reports if they suffer an identity theft, but only 51 of 700,000 customers have invoked the guarantee, Davis said.

He also said he has not received complaints about deceptive practices.

"We are doing something positive for society," he said. "People are hungry for this protection."

Davis said he is still working with Experian and hopes to team up with the company to improve methods for protecting consumers against identity theft.

"But if they don't want to do that, we will vigorously defend out rights," he said.

How much compensation does a consumer deserve for the loss of a laptop computer loaded with personal information? Raelyn Campbell figures it's $54 million -- if you throw in a little extra for lost time and frustration.

Six months after bringing a damaged laptop computer into a Best Buy electronics store for repairs, and three months after the firm admitted losing it, Campbell filed the whopper of a lawsuit recently in Washington, D.C., Superior Court.

Best Buy has told Campbell that her demands are unreasonable, and has tried to settle for far less. But Campbell said she didn't start out making astronomical demands. Months of stalling and brush-offs by the company led her to the drastic measures, she said.

Best Buy spokeswoman Nissa French said the company couldn't comment on Campbell's story, citing the ongoing litigation. A lawyer for Best Buy did not return phone calls or e-mails.

When Campbell bought her new laptop in 2006 at a Best Buy store near her D.C. home, she said a clerk talked her into paying $300 for an extended warranty. She thought that was a fortunate choice when the computer's on/off switch broke about a year later.

In May, she brought the computer back to the store and was told repairs would take two to six weeks. That wasn't terribly convenient for Campbell, who works for a nonprofit Asia research firm and travels frequently overseas.

But six weeks turned out to be a wildly optimistic estimate.

The run-around
By late August, when she returned from a trip to Asia, she still had heard nothing from the company and started to get anxious. Her Aug. 24 complaint letter to the firm was filled with exasperation.

"On July 11, I contacted the (store's) helpline and was instructed by 'Agent David Goodfellow' that it would be 'ready within days,'" she wrote to the firm in a letter dated Aug. 24. "I called the service line again on July 19, and was told by a female agent that the computer appeared to be at the 'Louisville Services Center since July 4.' On July 25, I called again and spoke to Brenda, who transferred me to Daniel. Daniel confirmed that a 'part had just been ordered. It should leave Louisville soon.' …When I heard nothing further, I called yet again on Aug. 7 and spoke with Ashley. When she could not confirm any additional information, I asked to speak to a manager. I was told the manager, 'Marsha,' was in a meeting. I asked her to call ASAP. My call was not returned, so I called again on Aug. 9. I explained the whole situation yet again to 'Cicero,' who indicated that there seemed to be a problem."

The problem was severe: "It never appears to have left the store," she recounted Cicero as telling her. A few days later, he called back and admitted that the computer had been lost. The way she sees it, the other company clerks had been lying to her all along.

Raelyn Campbell

Cicero was considerate, Campbell said, and told her she would be compensated. But two weeks passed, and she hadn't heard anything from the company.

After several more weeks of fruitless phone calls, she received an offer she calls insulting: $900 for her trouble -- in the form of a store gift card. Her blood boiled. She had paid more than $1,100 for the computer and the warranty. And she'd also lost thousands dollars worth of music and thousands of irreplaceable photos.

"It wouldn't even cover the cost of replacing the computer, let alone the software, or my time," she said of the gift card offer. "And why would I want to go spend money at their store again after the way I was treated?"

Campbell rejected the offer, instead demanding $2,100 in cash. She said her request went unanswered. In October, she urged family and friends to write to the store saying they wouldn't shop there until the matter was resolved. To her surprise, the store's general manager, Robert Delissio, replied to two of them.

"For every customer that has had an unpleasant experience I can show you hundreds who have had a great experience. I have been in retail for a long time and the one conclusion I have come to is that not every customer can be satisfied," he wrote in an e-mail supplied by Campbell. "Does my store have opportunities? Absolutely! What I can say is that we strive to deliver the experience that every customer deserves to receive."

Delissio didn't respond to requests from msnbc.com to discuss the situation; Best Buy wouldn't comment on the authenticity of the note.

Her frustration mounting, Campbell contacted the Washington, D.C., attorney general's office, which in turn contacted the store. In November, the store increased its compensation offer, this time offering a $1,100 refund to her credit card and a $500 gift card.

A bigger problem: ID theft
At the same time, she visited a legal aid office and was asked by a lawyer there whether she had any personal information on the computer?

"Of course I did," she replied. "My tax returns were on there."

Campbell was informed that she had a bigger problem than a lost computer – the potential for identity theft. She also learned that Best Buy was in violation of the district's security breach notification law, which requires companies that have lost a consumer's data to tell them. To date, she has not received that notification.

Campbell immediately enrolled in a $10-a-month identity theft monitoring service.

She also had reached the limit of her patience. In November, she filed her $54 million lawsuit against Best Buy -- by herself, without legal representation.

The amount intentionally echoes another lawsuit that made headlines last year -- a case involving a D.C. judge who sued a dry cleaner for $54 million over a lost pair of pants. That case was eventually dismissed.
Campbell freely admits she picked the same amount in an effort to attract media attention.

The lawsuit apparently got company's attention, too. On Dec. 20, it offered $2,500 -- in addition to the refund and the gift card -- if she would withdraw her lawsuit and sign a confidentiality agreement.

But that's not enough, Campbell said, because she has yet to hear any explanation for the lost computer.

"It shouldn't take a $54 million lawsuit to motivate Best Buy to address these issues," she said. Her initial offer to settle for $2,100 has been withdrawn because her expenses have risen, including time spent filing a police report and consulting with lawyers about her case, she said. Concerns about identity theft also add to her potential damages, she said.

Wants an explanation
While Campbell has no expectation she will win a multimillion-dollar judgment, she feels she is entitled to damages related to store negligence and an "explanation as to how my computer could have been stolen from a secure area" of the store.

She also wants a promise from the company that it will train employees on privacy issues and on procedures for preventing loss or theft of returned items.

"I can't help but wonder how many other people have had their computer stolen (or) lost by Best Buy and then been bullied into accepting lowball compensation offers for replacement expenses and no compensation for identity theft protection expenses," she said.

Editor's note: Due to the volume of comments on this story, commenting has been moved to a separate page. You can click here to read the comments or add your own. Comments left on this page will not be published

Raelyn Campbell's tale of frustration over her lost laptop has generated a high volume of comments, so the original story and the comments it solicited have been moved to this page to provide readers with easier access.

How much compensation does a consumer deserve for the loss of a laptop computer loaded with personal information? Raelyn Campbell figures it's $54 million -- if you throw in a little extra for lost time and frustration.

Six months after bringing a damaged laptop computer into a Best Buy electronics store for repairs, and three months after the firm admitted losing it, Campbell filed the whopper of a lawsuit recently in Washington, D.C., Superior Court.

Best Buy has told Campbell that her demands are unreasonable, and has tried to settle for far less. But Campbell said she didn't start out making astronomical demands. Months of stalling and brush-offs by the company led her to the drastic measures, she said.

Best Buy spokeswoman Nissa French said the company couldn't comment on Campbell's story, citing the ongoing litigation. A lawyer for Best Buy did not return phone calls or e-mails.

When Campbell bought her new laptop in 2006 at a Best Buy store near her D.C. home, she said a clerk talked her into paying $300 for an extended warranty. She thought that was a fortunate choice when the computer's on/off switch broke about a year later.

In May, she brought the computer back to the store and was told repairs would take two to six weeks. That wasn't terribly convenient for Campbell, who works for a nonprofit Asia research firm and travels frequently overseas.

But six weeks turned out to be a wildly optimistic estimate.

The run-around
By late August, when she returned from a trip to Asia, she still had heard nothing from the company and started to get anxious. Her Aug. 24 complaint letter to the firm was filled with exasperation.

"On July 11, I contacted the (store's) helpline and was instructed by 'Agent David Goodfellow' that it would be 'ready within days,'" she wrote to the firm in a letter dated Aug. 24. "I called the service line again on July 19, and was told by a female agent that the computer appeared to be at the 'Louisville Services Center since July 4.' On July 25, I called again and spoke to Brenda, who transferred me to Daniel. Daniel confirmed that a 'part had just been ordered. It should leave Louisville soon.' …When I heard nothing further, I called yet again on Aug. 7 and spoke with Ashley. When she could not confirm any additional information, I asked to speak to a manager. I was told the manager, 'Marsha,' was in a meeting. I asked her to call ASAP. My call was not returned, so I called again on Aug. 9. I explained the whole situation yet again to 'Cicero,' who indicated that there seemed to be a problem."

The problem was severe: "It never appears to have left the store," she recounted Cicero as telling her. A few days later, he called back and admitted that the computer had been lost. The way she sees it, the other company clerks had been lying to her all along.

Raelyn Campbell

Cicero was considerate, Campbell said, and told her she would be compensated. But two weeks passed, and she hadn't heard anything from the company.

After several more weeks of fruitless phone calls, she received an offer she calls insulting: $900 for her trouble -- in the form of a store gift card. Her blood boiled. She had paid more than $1,100 for the computer and the warranty. And she'd also lost thousands dollars worth of music and thousands of irreplaceable photos.

"It wouldn't even cover the cost of replacing the computer, let alone the software, or my time," she said of the gift card offer. "And why would I want to go spend money at their store again after the way I was treated?"

Campbell rejected the offer, instead demanding $2,100 in cash. She said her request went unanswered. In October, she urged family and friends to write to the store saying they wouldn't shop there until the matter was resolved. To her surprise, the store's general manager, Robert Delissio, replied to two of them.

"For every customer that has had an unpleasant experience I can show you hundreds who have had a great experience. I have been in retail for a long time and the one conclusion I have come to is that not every customer can be satisfied," he wrote in an e-mail supplied by Campbell. "Does my store have opportunities? Absolutely! What I can say is that we strive to deliver the experience that every customer deserves to receive."

Delissio didn't respond to requests from msnbc.com to discuss the situation; Best Buy wouldn't comment on the authenticity of the note.

Her frustration mounting, Campbell contacted the Washington, D.C., attorney general's office, which in turn contacted the store. In November, the store increased its compensation offer, this time offering a $1,100 refund to her credit card and a $500 gift card.

A bigger problem: ID theft
At the same time, she visited a legal aid office and was asked by a lawyer there whether she had any personal information on the computer?

"Of course I did," she replied. "My tax returns were on there."

Campbell was informed that she had a bigger problem than a lost computer – the potential for identity theft. She also learned that Best Buy was in violation of the district's security breach notification law, which requires companies that have lost a consumer's data to tell them. To date, she has not received that notification.

Campbell immediately enrolled in a $10-a-month identity theft monitoring service.

She also had reached the limit of her patience. In November, she filed her $54 million lawsuit against Best Buy -- by herself, without legal representation.

The amount intentionally echoes another lawsuit that made headlines last year -- a case involving a D.C. judge who sued a dry cleaner for $54 million over a lost pair of pants. That case was eventually dismissed.
Campbell freely admits she picked the same amount in an effort to attract media attention.

The lawsuit apparently got company's attention, too. On Dec. 20, it offered $2,500 -- in addition to the refund and the gift card -- if she would withdraw her lawsuit and sign a confidentiality agreement.

But that's not enough, Campbell said, because she has yet to hear any explanation for the lost computer.

"It shouldn't take a $54 million lawsuit to motivate Best Buy to address these issues," she said. Her initial offer to settle for $2,100 has been withdrawn because her expenses have risen, including time spent filing a police report and consulting with lawyers about her case, she said. Concerns about identity theft also add to her potential damages, she said.

Wants an explanation
While Campbell has no expectation she will win a multimillion-dollar judgment, she feels she is entitled to damages related to store negligence and an "explanation as to how my computer could have been stolen from a secure area" of the store.

She also wants a promise from the company that it will train employees on privacy issues and on procedures for preventing loss or theft of returned items.

"I can't help but wonder how many other people have had their computer stolen (or) lost by Best Buy and then been bullied into accepting lowball compensation offers for replacement expenses and no compensation for identity theft protection expenses," she said.

Some e-mail and Google users might not feel quite so lucky right now. Search engine spam is the latest technique for getting unwanted online advertisements in front of Internet users' eyes, and it appears to be an overnight success. The key to this new trick, researchers say, is outwitting Google's "I'm Feeling Lucky" feature.

With traditional spam finally losing traction among e-mail users, spammers have stepped up their pace of innovation. Last year, they adopted new techniques like image spam, .pdf spam and even audio spam. These disappeared as quickly as they came. But starting in January, spammers began flooding inboxes with a new kind of spam that uses a much simpler form of deception. In the body of these e-mails, recipients see what looks like a link to Google search results -- and in fact, that's what it is. There's trouble, however, on the other side of that link.

The attack combines two tactics. First, spammers game Google so the Web site they want recipients to visit ranks at the top of the search engine results. Second, they alter the URL pasted in e-mails so users who click on the link go directly to the top result via Google's "I'm Feeling Lucky" feature – bypassing a stop at Google's Web site.

Symantec Corp.

Here's what one of the specially crafted URLs looks like:

The technique apparently works. One-fourth of all spam sent in January was "search engine spam," according to e-mail security firm MessageLabs.

Spam filter software often works by blacklisting domains that are known haunts for spammers, or by directing e-mail with links to those domains into junk mail folders. But these tools can't filter out every e-mail with a Google link -- that would send too many legitimate e-mails to the trash.

"When you first hear this is you think, 'What an easy way to (get around) blacklists,'" said Mark Sunner, chief technology officer of MessageLabs. "It is indicative of the back and forth security firms have with bad guys."

Sunner said the firm detected virtually no search engine spam in December, but has seen a huge spike since New Year's Day.

Officials at security firm Symantec first saw evidence of the Google spam trick in November, but it wasn't widely exploited until last week, when use of the technique doubled almost overnight, said Doug Bowers, director of anti-abuse engineering.

"This is the next iteration of something we've seen for a while, this approach of hiding in spam a link to something that looks legitimate," Bowers said. Consumers have largely become immune to suspicious-looking Web links in e-mail, Bowers said, but a link to Google has an air of authenticity.

"For these kinds of attacks, the more mainstream you can be, the better. And you can't get any more mainstream than Google," he said.

Google says it's got a fix
A Google spokeswoman who asked not to be named said the company has seen "I'm Feeling Lucky" attacks, but added that help is on the way.

"Google began deploying a fix that should block most of these 'I'm Feeling Lucky' redirects, and we will work to reduce such issues in the future," she wrote in an e-mail.

While MessageLabs says hackers have tried similar techniques with other search engines, Google is the principal target.

So far, the search engine attacks are limited to annoying spam, according to Symantec. But officials there are worried that the technique will be used by criminals to trick users into installing viruses on their machines.

Google is already fighting other sinister tactics employed by virus writers. Late last year, criminals developed "Google poisoning," which tricks the search engine into displaying links to virus-laden Web sites.

Google has countered by displaying a warning to users in its search results, and in some cases, preventing users from clicking on links to infected sites.

RED TAPE WRESTLING TIPS

Be skeptical about links that appear in your e-mail. Only on rare occasions would someone send you a link to Google search results, and that should be obvious from the context: "Hey, look at all the places that link to Alan Boyle's excellent Cosmic Log science blog": http://www.google.com/search?hl=en&q=%22cosmic+log%22+alan+boyle

Otherwise, ignore such links in e-mail. And of course, you can always re-create the search manually by typing in the search term in Google on your own. You might still get the same spammy results, but at least you'll get a preview of them on the Google search results page.

You can't click on what you can't see. Symantec's Bowers suggests using a spam filter that keeps such tricky e-mails out of your inbox in the first place.