Tag Archives | Data Protection Legislation

Consumers Need More Information During a Data Breach – Necessary Consumer Protection Legislation (5 of 5)

This is the last in my series of 5 blog posts about some extensive changes proposed for consumer rights legislation announced by the Minister for Jobs, Enterprise and Innovation, Mr. Richard Bruton, TD, back in May 2015. The 4 earlier posts were as follows:

This final post is slightly tangential to the proposed legislative changes, but is inspired by the consumer information gaps I highlighted in the most recent post, (title).

In that post, I highlighted that in the spirit of facilitating better purchasing decisions through the provision of better information, it is my view that any contract change notifications should tell customers not only what the new contract terms were, but also what the previous terms were as well.

By clearly and promptly giving this information to consumers, businesses would be providing enough information to allow consumers to decide how they want to act in light of the new information – i.e. the amended contractual terms.

Extend to That Information Imperative

It’s my view that a similar change should be applied within data protection legislation in Ireland. Any organisation that is impacted by a data protection issue – a breach, a leak, any kind of data screw-up – should be mandated to contact ALL their customers after any incident. Currently, only those directly impacted (supposedly) by such a data protection issue might be contacted after a data protection breach.

I believe that a mandate on businesses and organisations to provide this wider communication should require them to indicate to each customer whether they have been impacted, whether they definitely haven’t been impacted, or whether it’s not yet known one way or the other.

Assuming any current communications to impacted customers give the times and dates of any impact, and the data impacted, then this additional information would either put some customers on notice that they may still be impacted, or would provide peace of mind to customers who definitely weren’t impacted.

Assumption Contact Would Be Made

I should add in here that the above paragraphs assume that the impacted business or organisation would actually be making contact with any of their customers that are impacted by a data breach.

This is actually a big leap, since the Data Protection Commissioner, in their “Breach Notification Guide”, merely required:

that data controllers who have experienced an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data must give immediate consideration to notifying the affected data subjects

Ridiculously, the business or organisation impacted could very well “consider” contacting the impacted customers, but actually decide not to bother contacting them at all.

Remove Uncertainty

So, mandating that contact be made – and with all customers, not just those impacted – would certainly remove the unnecessary uncertainty that exists currently when a data protection breach is publicised. Frequently, when a data protection breach is identified by a company and the breach becomes public, there is for a period of time an information vacuum where customers of the business don’t actually know what’s going on.

They’ll know there’s been a breach, but they won’t be told whether they HAVE or HAVE NOT been impacted, and in the absence of this confirmation, they can’t take any definitive action to protect themselves.

While I acknowledge that they can take certain protective, or preventative, measures – i.e. monitor their accounts more closely – they don’t know whether they need to start cancelling cards, or closing accounts, or taking any other definitive protection measures.

Even the current requirement, where impacted customers are mandated to be contacted, can give rise to uncertainty. Imagine your bank is impacted by a data breach, it’s gone public, and they’ve confirmed they’ll contact impacted people as soon as possible.

You don’t hear from your bank after a week. Does that mean you’re not impacted? Does that mean you are impacted but they just haven’t gotten around to contacting you? Or does it mean you’re not impacted at all?

A requirement to contact every customer of an impacted business or organisation would significantly improve the lot of consumers / customers.

Invidious Information Gap

The current solution to this information gap is for the impacted business or organisation to provide a special customer service helpline which their customers can ring to ask if they’re impacted by the incident.

This then crosses into a separate area of interest for me – the provision of 1890, 1850 and 0818 contact numbers by most businesses and organisations.

These contact numbers, for those who need to find out if they’re impacted or not and who call from a mobile (let’s face it, pretty much everyone now), cost more than they should, and minutes on such calls are not deducted from mobile minute bundles.

So, not only might a customer be impacted by a data breach, but even if they’re not, they’re additionally impacted financially by having to pay out of pocket for the phone call made to try to find out if they’re actually impacted at all.

Profiting from a Breach?

This financial impact could be even more galling if, as SuperValu did a number of years ago, the contact number provided is an 0818 phone number rather than an 1890 or 1850 number (they eventually provided a non-0818 number, but only after the initial panic died down).

It is possible that the business or organisation who is providing an 0818 number will actually earn money on the back of each call a customer would make to that number. So, the longer you’re on hold, or kept talking on a call to an 0818 number, the more money the organisation you’re calling is making.

(This is why, for example, most high profile organisations who provide 0818 contact numbers will make it difficult to find geographic alternative numbers. It would impact their earnings from their telephone calls).

Mandating that impacted organisations contact all their customers would remove the need for these phone calls. I will come back to this topic later on my SayNoTo1890.com website.

No big deal

As I said in my other post, it’s not like most organisations that we deal with today don’t already have our phone number, or our e-mail address, stored somewhere in their systems.

It is also quite likely that they have a comprehensive marketing platform in place that, assuming we let them, would pump out marketing blurb to us on a regular basis to try to get more and more of our business.

It would take very little for these organisations then to arrange communications to all their clients to give them an update. They have to do it anyway for impacted customers, so it’s not a big leap to send a different message to the remaining customers to assure them there’s no impact.


What happens when your credit card is put “at risk”?

Another article in the recent Sunday Tribune details a person’s problem with AIB after their credit card was apparently skimmed, and they had €3500 taken from their account.

Let’s get past the fact that someone can have so much money in their account that they don’t notice €3500 being taken over a period of a couple of months, and look at some of the issues here – some of which I’ve experienced myself.

We know for a start that this AIB customer is never going to be told where his credit card was skimmed. This is because AIB and the Irish Payments Service Organisation (IPSO) will lie to him and tell him that it’s against Data Protection regulations to reveal where the card was skimmed. There are no such regulations, and this lie is only intended to protect the business or bank that allowed the card to be skimmed.

I’m in the middle of such a “discussion” with my bank at the moment. They called me recently to tell me that because my card was “compromised” it was going to be cancelled and reissued. They wouldn’t tell me where or how it was compromised or what transactions triggered their “suspicions”. After 3 months of queries, emails and letters, I have still received no information.

My argument is that I used my credit card “somewhere” that caused the credit card company’s suspicions to be aroused enough for them to cancel my credit card.

Yet, when I try to find out where it was that I used my card so that I can avoid using it in the future, they won’t give me that information.

Like most banks when it comes to “responding” to customer complaints, they have taken over 3 months of rejecting my requests for information in the hope that I’ll forget about it and move on – and saving them having to actually answer any real questions.

Which is all fine and good – they’ve probably bored me into submission on this one as well. That, or else my next step will be to send in a data request to their Data “person” where I’m allowed request all the information that they hold about me on their files.

But I know that’s not possible in this case, since my credit card company actually uses a foreign company to process my credit card transactions, and it is on their computer records that any information about the “suspicions” that caused my credit card to be cancelled is stored. And I have no legal backing to allow me to get that information.

And the best bit – none of our consumer protection organisations have any jurisdiction in this matter. And that’s despite the fact that anyone who now banks with Ulster Bank, National Irish Bank or Halifax and has credit cards with them could find themselves in a similar regulatory “no man’s land”.


IPSO misled consumers during credit card skimming fiasco

Back towards the end of August, I wondered what particular data protection regulations were being invoked by the Irish Payment Services Organisation (IPSO) following a number of credit card skimming incidents in the country. Data protection rules were given as the reason that neither IPSO nor the credit card providers could reveal the names of businesses targeted by scammers who installed bogus credit card terminals in a number of shops around the country.

As it turns out, IPSO were misleading Irish consumers. I have had this confirmed by the Data Protection Commissioner’s (DPC) office. There are no data protection regulations that would prevent the publication of the names of the impacted shops – unless the shops were sole traders, which the DPC doesn’t believe is the case for any of the businesses impacted recently.

I guess that this deception was primarily intended to protect the names of the idiotic shop owners and credit card providers, and their businesses, who were caught out by this scam – at the expense of protecting the consumer. I can only guess here because IPSO did not respond to 4 e-mail requests for information on this issue over the past couple of weeks.

What should have happened here is that the names of the impacted shops should have been published immediately, to allow consumers to check their credit card accounts and take precautions to ensure that they weren’t scammed. Instead, the whole country was left wondering if they could have been impacted.

What should also happen now, is that the organisation that allegedly “aims to defend consumer interests and to embed a robust consumer culture in Ireland”, the National Consumer Agency, should follow up on this with IPSO and the banks to ensure that this misleading of consumers doesn’t happen again.

Well, that’s what should happen, but what are the chances the fuckers* will do anything?


Data Protection versus Consumer Protection – round 2

Update to my post below about data protection regulations not protecting the consumer.

There was an article (linked here) in yesterday’s Sunday Business Post that contained the sub-headline “Payments group claims data protection law prevents naming of shops and restaurants”. But unfortunately, the article doesn’t really detail the reasoning behind this bizarrely anti-consumer aspect of data protection legislation.

From the article, Jennifer Chamberlain, marketing manager of IPSO, said that “the exact locations and retailers in which the incidents occurred could not be made widely available due to data protection issues”.

I still stand by my assertion below that this should not be the case (if in fact this is actually a specific data protection regulation), as their silence is more to protect the retailers’ and credit card providers’ reputations than to protect customers.


Consumer Protection versus Data Protection – and consumers lose!

I was listening to Newstalk this morning where they were talking about another credit card skimming incident, this time in Galway.

What struck me again about this incident, as well as the original story last week, was the failure of the banks, the Gardaí or IPSO – “the representative industry body, the voice and guardian of the payments industry” – to let potential victims of these skimming incidents know which credit card providers were impacted, and which shops the skimming took place in.

We were told that the banks would be following up with the impacted consumers – but we know what the banks are like here so you wouldn’t put much faith in that happening quickly.

So, the only way people will know that anything is up is through the limiting of their credit limits – presumably then when the customer rings up, the bank will inform them of what’s going on and what should happen next.

And why aren’t we told that our credit cards are at risk of being skimmed? Data protection regulations, apparently. I can’t find any information online, at least, as to why this is the case, but it seems highly ridiculous to me.

It’s apparently against data protection regulations to let consumers know that they are potentially at risk of having money stolen from them. It’s against data protection regulations to give consumers the information that they would need in order to protect themselves against being ripped off by credit card skimmers.

Or is it that somewhere there’s an agreement that, in the interests of protecting the businesses impacted and the credit card suppliers, their names won’t be published in the media? If a shop is announced in the media as having been stupid enough to allow scammers to install a skimming mechanism right under their noses, how likely are customers to go back into the shop in the future? Their business would go down. And if a credit card supplier is found to be susceptible to skimming, how likely are people to continue to be their customers?

This is nuts!!! Data protection is about protecting the data of individuals – not the reputation of businesses who are sloppy in their actual data protection responsibilities.

On the other hand, if there is some data protection law that is preventing this information from being published – someone should do something!!!

Maybe we could have the fuckers* at the National Consumer Agency, which was set up to “defend consumer interests at the highest levels of national and local decision making”, write a nice letter to the Data Protection Commissioner to get changes made to allow the names of impacted shops and credit card providers to be named in public.

This is something that would definitely be a positive move that would be of benefit to the consumer – but it would be the first instance, I think, where one arm of government would be expected to go up against another arm of government in order to defend the rights of consumers – something that from Day 1 I and many others never expected to happen.
