Whose data are they anyway?

What a difference two days make!

First, T-Mobile in the UK informed the Information Commissioner’s Office that some of its own rogue employees had sold on the firm’s contract customer data to third parties. These third parties then ring the contract customers just before their contract expiry to offer deals that may or may not be kosher, or the best deals on the market.

So exactly what data might a mobile network operator hold on a contract customer? These data include the customer’s name, address, date of birth, and bank account details or credit card details for collecting bills. A credit check is also run before contracts can be agreed. While the identity of the said “third party” is unclear, there is of course no compensation for any mishaps. So much for our famed data protection code that prevents more things from happening than it enables!

A day later, Iceland’s deCODE Genetics filed for asset protection under Chapter 11. The firm’s customer testimonials include one from Dorrit Moussaieff, Iceland’s first lady. The firm also offered personalized DNA testing through its deCODEme website.

Under Chapter 11, deCODE is now looking to sell its assets. These “assets” include the genetic data of 140,000 Icelanders, as well as DNA samples of an undisclosed number of customers, their identification details, and possibly the reports of the analyses conducted on the DNA samples. All are held under contracts which prevent the sharing of the data or the information with third parties such as insurers. But will that hold when one contracting party goes bust? Who is the custodian of that contract? Who will uphold it and what recourse exists for customers whose DNA and data are hanging in the balance?

Meanwhile, it was reported that a credit card processor in Spain was being investigated for enabling a major credit card scam. The scam has affected over 100,000 cards in Germany. While the cardholders’ credit card contracts protect them against fraud, someone will end up paying for it. Depending on where the PCI-DSS compromise is found and how the liability is established, one or more of the players in the payment value chain – the issuer, the acquirer, the processor, the retailer or the customer – may end up suffering the real monetary loss.

Note the commonalities? All three industries are highly regulated but so different from one another that one may be tempted to ignore any possibilities of transposed learnings. Two major themes emerge:

  • These incidents point to some of the many complex challenges that unite otherwise disparate, highly regulated businesses: customer data ownership, data security, privacy breaches, liability, recourse and compensation.
  • They also illustrate that, while human beings – employees, third parties, contractors, service providers – remain the weakest link in data protection, the more fundamental questions are often missed. These could be related to the business’s survival and how regulatory complexity may mean that resolving data breaches is not really straightforward.

As a large number of consumers sit in limbo in fear of their data falling into the wrong hands, it has to be asked: When the custodians fail, who protects the consumer?

These test cases will all provide fascinating insight and may well set the precedent. Not least, they may set the stage for the essential reform to remove all the unnecessary information that businesses insist on collecting from customers, when they have no way to guarantee the security of the data.

Four For Friday (4)

This occasional series appears when the week’s readings have been good and should be shared. The themes are strategy, technology, investment and regulation, but sometimes they just cannot be separated. Sometimes the readings have been so good that I have a hard time picking just four. That is why this issue appears on Saturday this week instead of Friday. This week’s readings are also focused on social media conversations and the changing role of the customer. 

Albert Einstein reportedly said, “If you can’t explain it simply, you don’t understand it well enough”. This week Dina Mehta presents an apparently simple, but quietly powerful, model for measuring the value of social media conversations.

JP Rangaswami’s reflective post on customer participation in business innovation, titled Faster Horses in the Age of Co-creation, generated so much conversation that he followed up with a post that identifies the trends all innovative businesses would do well to heed. This second post is titled Whoa! Reining in the Faster Horses. Both resonated with me because I am involved with a couple of clients at the moment who are doing this right. I get to test the learnings, so to speak.

Fred Wilson shares his views on Adeo Ressi’s criticisms of the Venture Capital model, and then revisits an old and clear lesson on what makes some VCs greater than others. Both good reads. 

Over at GigaOm, a post that combines technology, innovation and regulation and offers a strategic puzzle: Will 4G networks get sidetracked by patent problems?