Tag Archives | Data Protection Commissioner

Consumers Need More Information During a Data Breach – Necessary Consumer Protection Legislation (5 of 5)

This is the last in my series of 5 blog posts about some extensive changes proposed for consumer rights legislation announced by Minister for Jobs, Enterprise and Innovation, Mr. Richard Bruton, TD back in May 2015. The 4 earlier posts were as follows:

This final post is slightly tangential to the proposed legislative changes, but is inspired by the consumer information gaps I highlighted in the most recent post, (title).

In that post, I highlighted that, in the spirit of facilitating better purchasing decisions through the provision of better information, it is my view that any contract change notification should tell customers not only what the new contract terms are, but also what the previous terms were.

By clearly and promptly giving this information to consumers, businesses would be providing enough information to allow consumers to decide how they want to act in light of the new information – i.e. the amended contractual terms.

Extend That Information Imperative

It’s my view that a similar change should be applied within data protection legislation in Ireland. Any organisation that is impacted by a data protection issue – a breach, a leak, any kind of data screw-up – should be mandated to contact ALL their customers after any incident. Currently, only those (supposedly) directly impacted by such a data protection issue would be contacted after a data protection breach.

I believe that a mandate on businesses and organisations to provide a wider communication should require them to indicate to each customer whether they have been impacted, whether they definitely haven’t been impacted, or whether it’s not yet known one way or the other.

Assuming any current communications to impacted customers give the times and dates of any impact, and the data impacted, then this additional information would either put some customers on notice that they may still be impacted, or would provide peace of mind to customers who definitely weren’t impacted.

Assumption Contact Would Be Made

I should add here that the above paragraphs assume that the impacted business or organisation would actually be making contact with any of their customers that are impacted by a data breach.

This is actually a big leap, since the Data Protection Commissioner, in their “Breach Notification Guide”, merely required:

that data controllers who have experienced an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data must give immediate consideration to notifying the affected data subjects

Ridiculously, the business or organisation impacted could very well “consider” contacting the impacted customers, but actually decide not to bother contacting them at all.

Remove Uncertainty

So, mandating that contact be made – and to all customers, not just those impacted – would certainly remove the unnecessary uncertainty that currently exists when a data protection breach is publicised. Frequently, when a data protection breach is identified by a company and becomes public, there is for a period of time an information vacuum where customers of the business don’t actually know what’s going on.

They’ll know there’s been a breach, but they won’t be told whether they HAVE or HAVE NOT been impacted, and in the absence of this confirmation, they can’t take any definitive action to protect themselves.

While I acknowledge that they can take certain protective, or preventative, measures – i.e. monitor their affairs more closely – they don’t know whether they need to start cancelling cards, closing accounts, or taking any other definitive protection measures.

Even the current requirement that impacted customers must be contacted can give rise to uncertainty. Imagine your bank is impacted by a data breach, it has gone public, and they have confirmed they’ll contact impacted people as soon as possible.

You don’t hear from your bank after a week. Does that mean you’re not impacted? Does that mean you are impacted but they just haven’t gotten around to contacting you? Or does it mean you’re not impacted at all?

A requirement to contact every customer of an impacted business or organisation would significantly improve the lot of consumers / customers.

Invidious Information Gap

The current solution to this information gap is a special customer service helpline, provided by the impacted business or organisation, which their customers can ring to ask if they’re impacted by the incident.

This then crosses into a separate area of interest for me – the provision of 1890, 1850 and 0818 contact numbers by most businesses and organisations.

These contact numbers, for those who need to find out whether they’re impacted or not and who call from a mobile (let’s face it, pretty much everyone now), cost more than they should, and minutes on such calls are not deducted from mobile minute bundles.

So, whether or not a customer is actually impacted by the data breach, they’re additionally impacted financially by having to pay out of pocket for the phone call made to find out if they’re impacted at all.

Profiting from a Breach?

This financial impact could be even more galling, if, like SuperValu did a number of years ago, the contact number provided is an 0818 phone number rather than an 1890 or 1850 number (they eventually provided a non-0818 number, but only after the initial panic died down).

It is possible that the business or organisation who is providing an 0818 number will actually earn money on the back of each call a customer would make to that number. So, the longer you’re on hold, or kept talking on a call to an 0818 number, the more money the organisation you’re calling is making.

(This is why, for example, most high profile organisations who provide 0818 contact numbers will make it difficult to find geographic alternative numbers. It would impact their earnings from their telephone calls).

Mandating that impacted organisations contact all their customers would remove the need for these phone calls. I will come back to this topic later on my SayNoTo1890.com website.

No big deal

As I said in my other post, it’s not like most organisations that we deal with today don’t already have our phone number, or our e-mail address, stored somewhere in their systems.

It is also quite likely that they have a comprehensive marketing platform in place which, assuming we let them, would pump out marketing blurb to us on a regular basis to try to get more and more of our business.

It would take very little for these organisations, then, to arrange communications to all their clients to give them an update. They have to do it anyway for impacted customers, so it’s not a big leap to send a different message to the remaining customers to assure them there’s no impact.

More consumers helpless at the hands of negligent Bord Gais Energy and HSE

This week has seen two more instances of customer data losses by two more Irish organisations. These are the 12th and 13th incidences of data loss tracked in the running total I’m keeping – Who has lost their customers’ personal data?

The Health Service Executive (HSE) in Roscommon were the first to be outed. This is the 4th entry of the HSE on the list. According to this article:

Yesterday it was revealed that the Health Service Executive (HSE) and gardai were investigating the theft of 15 laptops in Roscommon town.

The HSE confirmed tonight that information on one unencrypted laptop contained sensitive details relating to a social worker’s case notes involving nine families.

The larger second incident affected Bord Gais Energy, and many of their new electricity customers. According to the same article:

A laptop containing the bank account details of 75,000 Bord Gais electricity customers has been stolen, it was revealed tonight.

The energy company confirmed that the laptop – which was not encrypted – was one of four taken during a burglary at its Dublin offices 12 days ago.

The usual questions have to be asked here – and unfortunately, many of us watching such data losses and data protection screw ups are tired of asking them.

While it’s understandable that a social worker would have case notes on a laptop, it’s ridiculous that the laptop wasn’t encrypted. Last September, the HSE was impacted in exactly the same way – this is the reporting from that occasion:

The Office of the Data Protection Commissioner said it is surprised that people still carry around laptops with sensitive information, which is not encrypted.

That’s 9 months ago. Why weren’t the remaining laptops in the HSE encrypted since then? I know there are a lot of laptops in such a big organisation, but surely 9 months was enough time to protect them all.

The more egregious foul-up here is that of Bord Gais Energy. There is no legitimate reason for a company such as this to store the personal banking details of their customers on a laptop.

The fact that the laptop wasn’t encrypted compounds this balls-up. And the fact that the laptop was stolen from inside their office doesn’t negate that fact. Any responsible company nowadays ensures that no sensitive data is stored on portable devices at all, and where this is unavoidable, precautions are taken to ensure that devices are encrypted; further, other measures can be taken to ensure such data is deleted either automatically or remotely.

I have a couple of serious concerns here.

Firstly, the Data Protection Commissioner was complicit with Bord Gais Energy here in keeping this data theft secret and leaving 75,000 customers hanging out to dry and left blissfully unaware that their bank details were in the hands of criminals.

Secondly, from the coverage that I heard on RTE Lunchtime news, it’s most likely that Bord Gais Energy will get nothing more than a slap on the wrist from the Data Protection Commissioner for this negligence. The DPC, who have been helpful to ValueIreland.com and our information requests in the past, are unfortunately doing the classic National Consumer Agency cop-out of “working with” Bord Gais Energy rather than actually defending the interests of consumers – the primary purpose of the DPC.

How safe is your data and identity?

Last week saw a further incidence of a financial institution losing client information, this time on a USB memory stick. This time, Bank of Ireland lost the bank account numbers, first line of address and contact details of nearly 1000 clients.

Hands up how many amongst you have your own personal sensitive details on a USB stick like that and then carry it around with you in public? How many of you are careless enough to lose the USB sticks that you carry around with you?

Unfortunately, there’s not a whole lot that we consumers can do about the clowns that work in the financial institutions and other organisations that are losing our data at an increasingly alarming frequency. Well, apart from hoping that the Data Protection Commissioner will do a little better than the National Consumer Agency, ComReg or IFSRA at being a regulator.

Inspired by this growing number of personal data losses, we’ve put together a set of Top Tips that we consumers can follow to make sure that we at least do everything we can to protect our own personal data and identity. Click here for more.

IPSO misled consumers during credit card skimming fiasco

Back towards the end of August, I wondered what particular data protection regulations were being invoked by the Irish Payment Services Organisation (IPSO) following a number of credit card skimming incidents in the country. Data protection rules were given as the reason that neither IPSO nor the credit card providers could reveal the names of businesses targeted by scammers who installed bogus credit card terminals in a number of shops around the country.

As it turns out, IPSO were misleading Irish consumers. I have had this confirmed by the Data Protection Commissioner’s (DPC) office. There are no data protection regulations that would prevent the publication of the names of the impacted shops – unless the shops were sole traders, which the DPC doesn’t believe is the case for any of the businesses impacted recently.

I guess that this deception was primarily intended to protect the names of the idiotic shop owners and credit card providers, and their businesses, who were caught out by this scam – at the expense of protecting the consumer. I can only guess here because IPSO did not respond to 4 e-mail requests for information on this issue over the past couple of weeks.

What should have happened here was that the names of the impacted shops should have been published immediately to allow consumers to check their credit card accounts and take precautions to ensure that they weren’t scammed. Instead, the whole country was left wondering if they could have been impacted.

What should also happen now, is that the organisation that allegedly “aims to defend consumer interests and to embed a robust consumer culture in Ireland”, the National Consumer Agency, should follow up on this with IPSO and the banks to ensure that this misleading of consumers doesn’t happen again.

Well, that’s what should happen, but what are the chances the fuckers* will do anything?
