Whose data are they anyway?

What a difference two days make!

First, T-Mobile in the UK informed the Information Commissioner’s Office that some of its own rogue employees had sold on the firm’s contract customer data to third parties. These third parties then ring the contract customers just before their contract expiry to offer deals that may or may not be kosher, or the best deals on the market.

So exactly what data might a mobile network operator hold on a contract customer? These data include the customer’s name, address, date of birth, and bank account details or credit card details for collecting bills. A credit check is also run before contracts can be agreed. While the identity of the said “third party” is unclear, there is of course no compensation for any mishaps. So much for our famed data protection code that prevents more things from happening than it enables!

A day later, Iceland’s deCODE Genetics filed for asset protection under Chapter 11. The firm’s customer testimonials include one from Dorrit Mousaieff, Iceland’s first lady. The firm offered personalized DNA testing through its deCODEme website too.

Under Chapter 11, deCODE is now looking to sell its assets. These “assets” include the genetic data of 140,000 Icelanders, as well as the DNA samples of an undisclosed number of customers, their identification details and possibly the reports of the analyses conducted on those samples. All of this is held under contracts which prevent the sharing of the data or the information with third parties such as insurers. But will that hold when one contracting party goes bust? Who is the custodian of that contract? Who will uphold it, and what recourse exists for customers whose DNA and data are hanging in the balance?

Meanwhile, it was reported that a credit card processor in Spain was being investigated for enabling a major credit card scam. The scam has affected over 100,000 cards in Germany. While the cardholders’ contracts protect them against fraud, someone will end up paying for it. Depending on where the PCI-DSS compromise is found and how the liability is established, any one or more of the players in the payment value chain – the issuer, the acquirer, the processor, the retailer or the customer – may end up suffering the real monetary loss.

Note the commonalities? All three industries are highly regulated but so different from one another that one may be tempted to ignore any possibilities of transposed learnings. Two major themes emerge:

  • These incidents point to some of the many complex challenges that unite otherwise disparate, highly regulated businesses: customer data ownership, data security, privacy breaches, liability, recourse and compensation.
  • They also illustrate that while human beings – employees, third parties, contractors, service providers – remain the weakest link in data protection, the more fundamental questions are often missed. These concern the business’s own survival, and how regulatory complexity may mean that resolving a data breach is not really straightforward.

As a large number of consumers sit in limbo in fear of their data falling into the wrong hands, it has to be asked: When the custodians fail, who protects the consumer?

These test cases will all provide fascinating insight and may well set precedents. Not least, they may set the stage for the essential reform needed to stop businesses insisting on collecting unnecessary information from customers when they have no way to guarantee the security of that data.

5 Replies to “Whose data are they anyway?”

  1. Good post, timely and valid observations.

    Was just wondering …

    The quick common-sense answer to the question in the title of your post would be – the customer, in the final analysis. If that’s indeed the case, then what prevents contracts from being drafted in such a way that the ownership is at all times unquestionably and irrevocably with the customer, and that the service provider (i.e., bank/ telco) is only ‘licensing’ it for their own use … (and here comes the most critical part) … as long as they are in business? That’s how software products are sold – you don’t own your copy of MS Office, you are only licensed to use it, and that too for specific purposes.

    Or am I missing something?

    @Hemant: Thanks for your comment. Of course, that answer is the naturally correct one. Let’s just assume for the sake of this discussion that the consumer is adequately compensated for licensing this information out in the form of some service delivered by the licensee business. There is another problem with the licensing model. Just like MS-Office, the data are ‘digital’ and can be easily and infinitely replicated and transmitted for negligible cost. The cost to the person whose data privacy is breached is far greater and material. Which means we are back to reliance on trust between business and customer, due process and technology. In the cases mentioned here, contracts are not the problem but the uncertainty of circumstances, predictable or otherwise, that is. How business plans for this sort of circumstances is the million-dollar question.

  2. Hello Shefaly!

    I’d discovered your blog a week back, and have read a few posts. I was very impressed with some of the conclusions you had drawn, but since I’m from a very different background, I did not comment as I did not have much to contribute.

    Even in this post, I might have not grasped the ethical and legal complexities completely.

    The best example I could understand was of deCODE. I think there’s always a joint ownership of personal ‘data’. Anything the firm would like to do with it would require the customer’s INFORMED CONSENT, including transferring it to a new ‘keeper’. If the customer does not consent to it, and the firm is imminently going to lose its existence, I think it becomes (or should become) legally binding on them to transfer the ‘data’ to the individual customers if it is an outcome of some sort of analysis or specialized techniques (as is the case with genomic sequence). After such a transfer is done, the ‘copy’ of data held by the firm must be destroyed, as the customer is no longer consenting to keep their data with the unsalvageable firm.

    Moreover, I do not think such data is ever entirely ‘owned’ by a firm to enable them to ‘sell’ it.

    But of course, all that I point out is only the technical/legal dilemma under ideal condition, where all the parties concerned are willing to follow law conscientiously. When that condition is not fulfilled, I think you’ve raised a very valid point about how much data should a firm be allowed to collect in the first place.

    Take care.

    @Ketan: Thanks for delurking to comment! deCODEme’s FAQs section says that post-analysis, all DNA samples will be destroyed. The report will be available on their system in a password protected area. The customer can download the report and ask for the information to be deleted. However as you rightly point out, all this is predicated on all parties remaining scrupulous at all times. As in the other two cases, rogue behaviour is not always predictable.

  3. I agree all three cases are interesting in their essence, but this might not even be the beginning of what we might see when all patient records are digitised and when all medical history and treatment information is in digital format – e.g. Fitbit – http://www.fitbit.com/ or even a rogue doctor in the NHS.

    Let’s consider the T-Mobile case, as I understand that best and am most furious about it, since I know the systems in place. It is not easy to break into the systems and take the information in the first place. This is pretty much like a rogue IT guy in a bank 30 years ago. Will similar actions follow? And most importantly, the people who bought the data – shouldn’t they be punished? I am thinking of the drug trade – the supplier and the customer are both punished, so it should be in this case. We do need class action suits to get the message through to these telcos.

    Back to the generic question of who owns the data and how to regulate in these industries against rogue behaviour and when the company fails. I think the biggest problem comes from the notion these days, when anyone starts an online business, that the customer data is the most valuable thing, which can be sold or shared with third parties to build business models. I think we need some regulation to prevent any such selling/sharing of data – full stop. And especially in cases like deCODEme, data should be erased as soon as the customer is given the information. Nothing should be held by the company. Is there any reason they should hold this?

    Maybe we need to start considering customer data like currency, where no leak is tolerated, allowed or possible, and any damage can be quickly traced and resolved. With digital records of patients now becoming possible we need to be even more careful. Not sure we have answers to any of the points you have raised, but it’s about time we learned from all the cases you mention. Though I am not sure anyone is listening.

  4. This is modernity for you, isn’t it, and also the frightening power of businesses. The power they have to turn into Big Brother. I am the kind who hates using my credit card, but at times there is no choice! I wonder if there will be a backlash one day. I have a feeling there will. No one should ever underestimate the power of the public and the common man.