Lee & White Consultants

One of the largest corporate insurers was recently fined by Britain's financial regulator, the FSA for the loss of customer data. Zurich Insurance PLC was fined a record £2.3m for losing 46000 customers' personal information which included identification information, details of bank accounts, credit cards and insured assets which could have resulted in significant loss to customers.

The loss of customers' data dates back to August 2008 when Zurich Insurance had outsourced data work to the company's South African unit which lost an unencrypted back-up tape. The loss however, was not discovered until a year later.

Companies would benefit from learning from the mistakes that cost Zurich Insurance PLC not only £2.3m in fine, but also the loss of its customers' trust which is a valuable asset for any company.

"It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data," said Stephen Lewis, chief executive of Zurich Insurance.

Now, what are you as a company doing to ensure that your customers' personal information is protected? Do you have a Personal Data Protection Policy in place in your company, and are your employees aware of them? It would do you well to look at this seriously and ensure you are protected by protecting your customers.

There was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to the overzealous IT people who captured all data that they could technologically grab, and store it, just in case they might use it in the future.

 

This is a good example of what happens quite often in IT projects.

• The business owner has a great idea to use a new technology to boost sales or to develop a new product.
• The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
• The project manager executes the project and drives the IT and business teams to deliver the required code.

The whole process is monitored end to end by the data protection officer who

• Assesses the impact on personal data protection at the time the business owner intends to initiate the project
• Reviews and approves the business requirements and analysis documents, checking that personal data processing is
  • fair and lawful,
  • collected for the specific purpose of the project,
  • adequate, relevant and not excessive.
• Participates in status and scope meetings, guarding the above.
• Performs integration and user acceptance testing with a focus on personal data
• Gives the final go that a project can go live and it is not, now and in the future,
  • a risk to trust and reputation of the organisation, or
  • a violation of applicable data protection laws.

So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, do what they think is best.

• The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
• The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
• The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
• The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitely approve any step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and less tangible values.

Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering wifi signals) in the first place which cannot be undone.

Ever wondered how much your personal data are worth in the open market? Are you even aware that your personal data are being traded by and between companies and may be easily bought by criminals? Well, be assured that there is a price tag on your data.

If you take a look at the Swipe Toolkit Data Calculator, you will see the value of each piece of personal data. According to this tool, a date of birth is worth US$2.00 in the open market, while a postal address is worth US$9.95. Now, imagine how much your personal data is worth in total? According to Ezine Articles, the price of personal data has dropped in the recent years. This only means access to your data is becoming increasingly easy; your identity is very highly likely to be stolen.

So, here we are again with another case in the series of data handling blunders. The recent careless use of personal data of the Luxembourg branch of Kaupthing bank confirms that proper data handling procedures are crucial. Email addresses of customers were leaked due to the misuse of email.

Inadequately defined procedures for data handling can, and will lead to improper and careless handling of personal data. We've seen this occur countless of times. For example, not too long ago, 25 million records were lost by the HM Revenue and Customs and according to the investigation, the problem was not with individual workers, but due to the lack of processes for data handling.

All organisations should have reasonable security measures to protect personal data from misuse, loss, unauthorised access, and abuse. These measures can be stated in a Data Handling Manual, and must be implemented in a way where all concerned parties are well informed of the handling procedures. It is simply a guideline for handling personal data that should and must be adhered to by all in an organisation.

Unfortunately, in most companies, not only are such manuals non-existent, but where there is such a manual, it is usually collecting dust in some shelf and most employees and contractors are not even aware of or do not adhere to the manual. The other problem is the fact that lack of adherence is usually not noted or if it is, it is not reprimanded regularly - well, at least until a big foul-up happens and becomes the headlines of major newspapers.

It is perhaps more than timely for organisations to draw up these guidelines and train their personnel, ensuring regular audits to maintain adherence - in addition to appointing data protection officers and registering processes of personal data.

If you would like some help in customising a data handling manual, please review our privacy policy and then contact Lee & White Consultants.

About 75% of mail in Belgium is spam, usually associated with shady products or dodgy deals. But spam is just another word for unsolicited publicity mail - an email which you didn't ask for and which is completely useless to you or your business.

If you are sending out emails, be it just one email or in bulk, then consider very carefully if your email is going to be useful to the recipient. The best - and only legal - way is to actually have that recipient ask for the email in the first place - the opt-in. At any time the recipient must be able to revoke his request, and stop receiving further emails - the opt-out.

The law governing this is quite clear, the repercussions of not complying with that law aren't. In Belgium, BIPT - The Belgian Institute of Postal Services and Telecommunications - is concentrating on forcing ISPs - Internet Service Providers - to filter out unsolicited mail. BIPT confirms that they are unable to punish non-compliant ISP's. In any case, it is a useless exercise, as it only protects those companies or individuals who use the ISP's own email service. Those who use external email providers such as Gmail, Live or have their own email server are not benefiting from this.

Companies which send out unsolicited mail are neither targeted nor punished. In practice, the best that Belgium can do is to reprimand non-complying companies.

In the Netherlands, in a landmark case, Opta, the Dutch Independent Post and Telecoms Authority, reprimanded two companies and imposed a total of 510,000 euro fine for sending out unsolicited mail. This seems to be the highest fine ever imposed by Opta for spamming.

Belgium can certainly learn a lesson from its fellow EU member state.

If you worry about your DNA and personal information being used to invade your privacy, now you have something else to add to your worries. According to a research by theElectronic Frontier Foundation (EFF) documents you print on your colour laser printer are able to indirectly identify you by encoding information that is not visible to the naked eye. Tiny dots are scattered on each page of your document. The information encoded includes time, date and the serial number of your printer. These are just the information that the EFF has managed to crack at the moment.

So, who is behind this brilliant system? The U.S. government, of course. They claim the purpose of this tool is to enable them to identify counterfeiters. Is that the only purpose for this tool? It is yet to be discovered.