This is the last in my series of 5 blog posts about some extensive changes proposed for consumer rights legislation announced by Minister for Jobs, Enterprise and Innovation, Mr. Richard Bruton, TD back in May 2015. The 4 earlier posts were as follows:
- Part 1 – Consumer Protection Legislation – some good but some pointless changes proposed
- Part 2 – Consumer Protection Legislation – gift voucher proposals not worth the effort
- Part 3 – Consumer Protection Legislation – proposed 30 Day Refund Period is good for consumers
- Part 4 – More communication of more information to consumers is required – Consumer Protection Legislation
This final post is slightly tangential to the proposed legislative changes, but is inspired by the consumer information gaps I highlighted in the most recent post, (title).
In that post, I highlighted that in the spirit of facilitating better purchasing decisions through the provision of better information, it is my view that any contract change notifications should tell customers not only what the new contract terms were, but also what the previous terms were as well.
By clearly and promptly providing giving this information to consumers, businesses would be giving enough information to allow consumers decide how they want to act in light of the new information – i.e. the amended contractual terms.
Extend to That Information Imperative
It’s my view that a similar change should be applied within data protection legislation in Ireland. It should be required of any organisation that is impacted by a data protection issue – a breach, a leak, any kind of data screw-up – should be mandated to contact ALL their customers after any incident. Currently, only those directly impacted (supposedly) by such a data protection issue could be contacted after a data protection breach.
I believe that a mandate on businesses and organisations to provide a wider communication should indicate to each customer whether they have been impacted, they definitely haven’t been impacted, or whether it’s not known yet one way or the other.
Assuming any current communications to impacted customers gives times and dates of any impact, and the data impacted, then this additional information would either put some customers on notice that they may still be impacted, or would provide ease of mind to customers who definitely weren’t interested.
Assumption Contact Would Be Made
I should add in here, the above paragraph assume that the impacted business or organisation would actually be making contact with any of their customers that are impacted by a data breach.
This is actually a big leap, since the Data Protection Commissioner, in their “Breach Notification Guide”, merely required:
that data controllers who have experienced an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data must give immediate consideration to notifying the affected data subjects
Ridiculously, the business or organisation impacted could very well “consider” contacting the impacted customers, but actually decide not to bother contacting them at all.
So, mandating that contact be made – and to all customers, and not just those impacted – would certainly remove the unnecessary uncertainty the exists currently when a data protection breach is publicised. Frequently, when a data protection breach is identified by a company, where the breach becomes public, there is for a period of time an information vacuum where customers of the business don’t actually know what’s going on.
They’ll know there’s been a breach, but they won’t be told whether they HAVE or HAVE NOT been impacted, and in the absence of this confirmation, they can’t take any definitive action to protect themselves.
While I acknowledge that they can take certain protective, or preventative, measures – i.e. monitor their matters more closely, they don’t know whether they need to start cancelling cards, or closing accounts, or any other definitive protection measures.
Even the current requirement where impacted customers are mandated to be contacted can give rise to uncertainty. Imagine your bank is impacted by a data breach, it’s gone public, and they’ve confirmed they’ll contact impacted people as soon as possible.
You don’t hear from your back after a week. Does that mean you’re not impacted? Does that mean you are impacted but they just haven’t gotten around to contacting you? Or does it mean you’re not impacted at all?
A requirement to contact every customer of an impacted business or organisation would significantly improve the lot of consumers / customers.
Invidious Information Gap
The current solution to this information gap is where a special customer service helpline is provided by the impacted business or organisation where their customers can ring in to ask if they’re impacted by the incident.
This then crosses into a separate area of interest for me – the provision of 1890, 1850 and 0818 contact numbers by most businesses and organisations.
These contact numbers, for those who need to find out if they’re impacted it or not, and call from a mobile (let’s face it, pretty much everyone now) cost more than they should, and minutes on such calls are not deducted from mobile minute bundles.
So, not only might a customer be impacted by a data breach, or even if they’re not, they’re additionally impacted financially by having to pay out of pocket for the phone call made to try to find out if they’re actually impacted at all.
Profiting from a Breach?
This financial impact could be even more galling, if, like SuperValu did a number of years ago, the contact number provided is an 0818 phone number rather than an 1890 or 1850 number (they eventually provided a non-0818 number, but only after the initial panic died down).
It is possible that the business or organisation who is providing an 0818 number will actually earn money on the back of each call a customer would make to that number. So, the longer you’re on hold, or kept talking on a call to an 0818 number, the more money the organisation you’re calling is making.
(This is why, for example, most high profile organisations who provide 0818 contact numbers will make it difficult to find geographic alternative numbers. It would impact their earnings from their telephone calls).
Mandating that impacted organisations contact all their customers would remove the need for these phone calls. I will come back to this topic later on on my SayNoTo1890.com website.
No big deal
As I said in my other post, it’s not like most organisations that we deal with today don’t already have our phone number, or our e-mail address, stored somewhere in their systems.
It is also quite likely that they have a comprehensive marketing platform in place, that assuming we let them, would pump out marketing blurb to us on a regular basis to try to get more and more of our business.
It would take very little for these organsiations then to arrange communications to all their clients to give them an update. They have to do It anyway for impacted customers, so it’s not a big leap to send a different message to the remaining customers to assure them there’s no impact.