Opening up on privacy

5 Apr 2007

Last week’s theft of 45.7 million TK Maxx customers’ transaction details was not only a harsh reminder of credit card fraud but also a timely reminder of how every business is obliged to protect their customers’ private information.

Ultimately, not only does this experience bring to light how companies protect credit card details but it also raises the question of what on earth was a company doing holding on to so much personal information that dated back five years?

Bobby Healy, chief technology officer with an Irish car hire technology firm, which works with 450 car hire firms in 134 countries, was surprised that a firm like TK Maxx could have allowed itself to be compromised. It is a lesson, he says, for businesses everywhere. “We generally discard information safely once it is no longer necessary. There’s too much at stake if storing data the customer hasn’t asked us to store.”

How seriously the inadvertent exposure of customer data is treated was seen in January, when the UK’s Financial Services Authority slapped a €1.4bn fine on the Nationwide Building Society after a laptop containing confidential customer data was stolen from a Nationwide employee’s home.

Privacy abuse and the protection of personal information among businesses are not confined to hacker attacks or lost computers. They are about what companies do with the information the public entrusts to them. Last year, the Data Protection Commissioner of Ireland reported on a number of complaints it received from irate consumers. In one case complaints were levelled against Stein Travel over the marketing of a Stein Travel/MBNA credit card. It transpired that Stein Travel had provided all the relevant contact data of its customers to MBNA.

A complaint was also made against AIB when a customer was asked for personal data relating to employment and salary when opening a deposit savings account. After the Data Protection Commissioner deemed this excessive, AIB sent training manuals to all branches highlighting the difference between mandatory information and excessive information.

Premium rate phone firm 4’s A Fortune, run by Irish Psychics Live boss Tom Higgins, was the first company in the State to be prosecuted for a data protection infringement. It was fined €1,500 for making unsolicited calls to consumers. The company was found to be calling consumers and then hanging up, so that the unwitting consumers would ring back a premium rate number relating to a quiz game.

In another case, a Dublin nightclub was tackled for breaching regulations by collecting mobile numbers of patrons for text marketing purposes.

The Data Protection Commissioner says it will name and shame companies that fail to protect the data they gather. Under present guidelines, for a business that breaches the Data Protection Act the maximum fine on summary criminal conviction is set at €3,000. On conviction on indictment, the maximum penalty is a fine of €100,000. Individuals who find themselves compromised by a business failing to meet its data protection obligations can also take a civil case against the offender.

Deputy Data Protection Commissioner Gary Davis agrees that the problem of privacy and the obligations of businesses to protect their customers’ information are exacerbated by the internet but not exclusive to it. “Outside of following data protection principles as a business, the only difference I see with the internet space is the obligation to keep the information safe behind a firewall,” says Davis. “Once data on your customers starts to build, a business has to ask itself why it is still keeping that information and what could happen if it is lost or stolen. The fundamental principle of data protection is to only keep information for as long as is necessary.”

Referring to the TK Maxx situation, where information beyond just transaction details was stolen, Davis said: “There is no basis for a company to hold on to details if a person was just buying a jumper. If a person gives over their credit card details, once the transaction is processed those details should be deleted.”

Davis says consumers are basing their decisions on whether or not a business has respected their privacy. “And if you don’t respect their privacy they will exercise the ultimate choice and your bottom line will suffer.”

Sean O’Connell, a security consultant with software firm CA, agrees that customers will walk if there’s any doubt about the safeguarding of their private data. “It could mean huge loss of reputation. Consumers will vote with their feet (or mouse) if a compromise is found. Authorities such as the Securities and Exchange Commission are ‘hungry’ to make an example of companies not protective of their consumer data.”

UCD law lecturer and Digital Rights Ireland lobbyist TJ McIntyre says there are two extremes to data protection in the business world. At one end there are businesses that are aware of their obligations, while at the other end there are businesses that are blissfully unaware of them. “That is, of course, until it comes back to bite them.

“The problem of privacy is going to be acute particularly among small businesses. They don’t necessarily have the technological expertise to secure access to their computers and encrypt laptops.”

But it is the subject of what you do online and what can be found out about the individual that fascinates McIntyre. In September, Digital Rights Ireland took a High Court case against the Irish Government challenging the law on data retention by internet service providers (ISPs) and telcos contained in the Criminal Justice (Terrorist Offences) Act, 2005 and the European Data Retention Directive passed in 2006. The State is currently preparing its response.

The legislation obliges all telcos and ISPs to retain all voice, fax, email, internet and mobile records for up to five years. McIntyre reckons that if this information got into the wrong hands it could have dire consequences for individuals. He referred to the case of Euro Millions lottery winner Dolores O’Mahony, in which it has been alleged that a number of social welfare officers and Revenue Commissioners employees snooped through her files and that someone then sold that information to a tabloid newspaper.

“In a situation where hoards of data are being kept on file there are multiple points of failure and it only takes one person in the chain to be disgruntled,” says McIntyre.

Ireland is home to a burgeoning community of internet retailers and, says Irish Internet Association CEO Fergal O’Byrne, there needs to be greater education about companies’ responsibilities when it comes to safeguarding customer information.

“Information is the new currency. You no longer need to steal jewels, you steal laptops for the inherent value of the data. How much is that worth to a business? Can you insure yourself against that?”

O’Byrne says the Data Protection Commissioner’s website is not only recommended reading for any business but also needs to be better promoted. He believes that the risks are greater than people appreciate. “If a business is broken into and a laptop stolen with private customer information it can be devastating to a business and its customers. Also, if a business was to fall on hard times and it sold databases or laptops containing customer databases to make some money it is equally dangerous.

“Privacy in a business sense is not given the same precedence as security. But the two are inherently linked,” warns O’Byrne.

Log jam cleared?

In recent weeks search giant Google, which employs over 1,000 people in Dublin, was praised by privacy groups for deciding to anonymise the personal data it receives from users’ web searches.

The search giant previously held information about searches for an indefinite period but will now anonymise it after 18 to 24 months.

Google’s global legal counsel Peter Fleischer explains the rationale behind this. “Privacy is important both as a legal issue but fundamentally as a trust issue.

“We’re in a business where people need to trust Google with their personal data otherwise they won’t use our service.”

Fleischer says that the principle of being transparent about the information you keep on customers is as relevant to any business as it is to a search engine giant.

“Every business collects data about its customers. It has an obligation to protect the privacy of its customers. This means ensuring that the security measures are adequate to protect that information against hacks and leaks,” says Fleischer.
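The two practices the article keeps returning to, deleting card details once a transaction is processed (Davis) and anonymising search logs after a fixed retention window (Google), are straightforward to automate. The following Python routine is an added illustration and is not code from Google, CA or any firm named in the article; the record fields, the sample data and the 18-month window (the lower bound the article quotes) are all constructed for the example.

```python
"""Retention and anonymisation job (added example; not from any company in
the article). Records are plain dicts with an ISO-8601 'collected_at' field;
all field names and the retention window are constructed assumptions."""
from datetime import datetime, timedelta
import ipaddress

# Roughly 18 months, the lower end of the 18-24 month window quoted for Google.
RETENTION = timedelta(days=18 * 30)

# Constructed sample search log: one old record, one recent record.
SAMPLE_SEARCH_LOG = [
    {"collected_at": "2005-01-10T09:15:00", "ip": "203.0.113.77",
     "cookie_id": "c0ffee01", "query": "car hire dublin"},
    {"collected_at": "2007-03-30T18:42:00", "ip": "2001:db8:abcd:1234::9",
     "cookie_id": "deadbeef", "query": "data protection act"},
]

# Constructed sample transaction as captured at the point of sale.
SAMPLE_TRANSACTION = {
    "collected_at": "2007-04-01T12:00:00", "amount": 25.00,
    "card_number": "4111111111111111", "cvv": "123", "expiry": "12/09",
}


def anonymise_ip(ip: str) -> str:
    """Zero the host part of an address: keep /24 for IPv4, /48 for IPv6.
    (Constructed policy; the exact prefix lengths are an assumption.)"""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise_search_record(rec: dict) -> dict:
    """Strip the identifiers that tie a query to a person, keep the query."""
    out = dict(rec)
    out["ip"] = anonymise_ip(rec["ip"])
    out.pop("cookie_id", None)
    out["anonymised"] = True
    return out


def settle_transaction(rec: dict) -> dict:
    """Once the payment is processed, drop card number, CVV and expiry.
    Only a masked reference (last four digits) is retained for disputes."""
    secret_fields = ("card_number", "cvv", "expiry")
    out = {k: v for k, v in rec.items() if k not in secret_fields}
    out["card_last4"] = rec["card_number"][-4:]
    return out


def apply_retention(records, now: datetime, retention: timedelta = RETENTION):
    """Return the log with every record older than `retention` anonymised.
    Already-anonymised records pass through untouched."""
    kept = []
    for rec in records:
        if rec.get("anonymised"):
            kept.append(rec)
            continue
        age = now - datetime.fromisoformat(rec["collected_at"])
        kept.append(anonymise_search_record(rec) if age > retention else rec)
    return kept


if __name__ == "__main__":
    now = datetime(2007, 4, 5, 0, 0, 0)  # the article's publication date
    for rec in apply_retention(SAMPLE_SEARCH_LOG, now):
        print(rec)
    print(settle_transaction(SAMPLE_TRANSACTION))
```

The job is idempotent, so it can run on a schedule over the same store: records it has already anonymised are skipped, and a settled transaction no longer carries anything that would need deleting later.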

The website of the Data Protection Commissioner contains vital guidelines as well as reports of data protection offences.

By John Kennedy

Pictured – Fergal O’Byrne, Irish Internet Association