Whose data are they anyway?

What a difference two days make!

First, T-Mobile in the UK informed the Information Commissioner’s Office that some of its own rogue employees had sold on the firm’s contract customer data to third parties. These third parties then ring the contract customers just before their contract expiry to offer deals that may or may not be kosher, or the best deals on the market.

So exactly what data might a mobile network operator hold on a contract customer? These data include the customer’s name, address, date of birth, and bank account details or credit card details for collecting bills. A credit check is also run before contracts can be agreed. While the identity of the said “third party” is unclear, there is of course no compensation for any mishaps. So much for our famed data protection code that prevents more things from happening than it enables!

A day later, Iceland’s deCODE Genetics filed for asset protection under Chapter 11. The firm’s customer testimonials include one from Dorrit Moussaieff, Iceland’s first lady. The firm also offered personalized DNA testing through its deCODEme website.

Under Chapter 11, deCODE is now looking to sell its assets. These “assets” include the genetic data of 140,000 Icelanders, DNA samples from an undisclosed number of customers, their identification details and possibly the reports of the analyses conducted on those samples, all held under contracts which prevent the sharing of the data or the information with third parties such as insurers. But will that hold when one contracting party goes bust? Who is the custodian of that contract? Who will uphold it, and what recourse exists for customers whose DNA and data are hanging in the balance?

Meanwhile, it was reported that a credit card processor in Spain was being investigated for enabling a major credit card scam. The scam has affected over 100,000 cards in Germany. While cardholders’ credit card contracts protect them against fraud, someone will end up paying for it. Depending on where the PCI-DSS compromise is found and how the liability is established, any one or more of the players in the payment value chain – the issuer, the acquirer, the processor, the retailer or the customer – may end up suffering the real monetary loss.

Note the commonalities? All three industries are highly regulated but so different from one another that one may be tempted to ignore any possibilities of transposed learnings. Two major themes emerge:

  • These incidents point to some of the many complex challenges that unite otherwise disparate, highly regulated businesses: customer data ownership, data security, privacy breaches, liability, recourse and compensation.
  • They also illustrate that while human beings – employees, third parties, contractors, service providers – remain the weakest link in data protection, the more fundamental questions are often missed. These could relate to the business’s survival and to how regulatory complexity may mean that resolving data breaches is not really straightforward.

As a large number of consumers sit in limbo in fear of their data falling into the wrong hands, it has to be asked: When the custodians fail, who protects the consumer?

These test cases will all provide fascinating insight and may well set a precedent. Not least, they may set the stage for the essential reform that removes all the unnecessary information businesses insist on collecting from customers when they have no way to guarantee the security of the data.