Fines vs. Compensation
Fines are all well and good, but it's an individual's data that has been let loose, but a fine goes where? Compensation goes to the individual, no?
After years of dire predictions, the problems caused by weak identity management could be about to catch up with businesses across the UK. Their fears have not been caused so much by the criminals as by the bureaucrats, law makers and politicians who have spent years honing the General Data Protection Regulation (GDPR), the …
You have to distinguish between civil and criminal cases, particularly as this is European and not US law. The fines are levied because the companies break the law. Compensation has to be applied for separately, ie. the law is not supposed to be invitation for class action suits.
I'm much more interested in something that I've been pointing out for years.
The DPA has ALWAYS said that you should only have access to the data necessary for your job.
Could you then please explain why call-centre agents have my entire records in front of them the second I phone up? I might not even need them to reference anything at all. I might be phoning to ask their sales number.
I've been saying for years that call-centre software should literally give blank entries until the agent clicks the box to request that piece of information. And each click should be recorded and determined whether it's "necessary" or not.
Immediately... you cut out "someone who used to work here stole our database" and "someone checked out the celebrities account and told the papers his home address", not to mention "let's crank-call the guy who was rude to us because we wouldn't help him" (never had it, but I know people who work in call-centres and it does happen).
Such control was always needed under DPA but nobody ever had it. Now we have GDPR, still nobody has it. Can anyone explain why the agent needs my date of birth, home address (at all, I would argue... they can "Send Engineer" or "Print Letter" without ever needing to actually see my address at all!), telephone number (though should have a "Call User" button, and maybe even a way to tell that the CLI matches the account, but do they actually need to see the number, etc.)? I can see it might be *useful* but that can be just as useful *on request*.
Here's hoping that in a few years' time, the case law will lay down the requirements more explicitly about what's "necessary to do your job".
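One way to build the screen this post describes, as an added example that is not the poster's code or any call-centre vendor's: every personal field starts masked, an agent has to click (here, call `reveal`) with a reason to see one, each reveal is appended to an audit log, and "Call User" / "Print Letter" / "CLI matches?" are actions that use the data without ever showing it. The customer record, the agent name, the dialer and printer stubs and the phone-number normalisation are all constructed for the example.

```python
"""Least-privilege call-centre screen: fields stay masked until an agent
explicitly requests one, and every request is recorded for later review.
Added example, not from the thread; all names and data below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

MASK = "[hidden]"
PERSONAL_FIELDS = ("full_name", "date_of_birth", "address", "phone")


@dataclass(frozen=True)
class CustomerRecord:
    account_id: str
    full_name: str
    date_of_birth: str
    address: str
    phone: str


@dataclass(frozen=True)
class AuditEntry:
    agent: str
    account_id: str
    field_name: str
    reason: str
    at: str  # ISO-8601 UTC timestamp


def normalise(number: str) -> str:
    """Crude comparison key: last 10 digits (assumption: UK-style numbers)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]


class AgentScreen:
    """What one agent sees for one customer. Everything starts masked."""

    def __init__(self, agent: str, record: CustomerRecord, audit: list):
        self.agent = agent
        self._record = record
        self._audit = audit          # shared, append-only audit log
        self._revealed = set()       # fields this agent has clicked to see

    def view(self) -> dict:
        """The screen as rendered: account id plus masked or revealed fields."""
        out = {"account_id": self._record.account_id}
        for name in PERSONAL_FIELDS:
            out[name] = getattr(self._record, name) if name in self._revealed else MASK
        return out

    def reveal(self, field_name: str, reason: str) -> str:
        """The 'click the box' step: a reason is mandatory and the click is logged."""
        if field_name not in PERSONAL_FIELDS:
            raise KeyError(field_name)
        if not reason.strip():
            raise ValueError("a reason is required to reveal a field")
        self._audit.append(AuditEntry(self.agent, self._record.account_id, field_name,
                                      reason, datetime.now(timezone.utc).isoformat()))
        self._revealed.add(field_name)
        return getattr(self._record, field_name)

    # Actions that use the data without disclosing it to the agent.
    def call_customer(self, dialer) -> str:
        """'Call User': the dialer gets the number; the agent only gets a call reference."""
        return dialer(self._record.phone)

    def print_letter(self, body: str, printer) -> str:
        """'Print Letter': the print job gets the address; the agent gets a job id."""
        return printer(self._record.address, body)

    def caller_id_matches(self, cli: str) -> bool:
        """Confirm the presented CLI belongs to the account without showing the number."""
        return normalise(cli) == normalise(self._record.phone)


def reveals_per_agent(audit: list) -> dict:
    """Supervisor view: how many field reveals each agent has made."""
    counts = {}
    for entry in audit:
        counts[entry.agent] = counts.get(entry.agent, 0) + 1
    return counts


# Constructed stand-ins for the telephony and print systems.
def stub_dialer(number: str) -> str:
    return "CALL-REF-0001"          # number is consumed here, never returned


def stub_printer(address: str, body: str) -> str:
    return "PRINT-JOB-0001"


# Constructed sample record (not a real person).
SAMPLE = CustomerRecord("ACC-1001", "Jane Example", "1980-01-02",
                        "1 Example Street, Exampleton", "+44 7700 900123")

if __name__ == "__main__":
    log = []
    screen = AgentScreen("agent-42", SAMPLE, log)
    print(screen.view())                                   # all personal fields masked
    print(screen.caller_id_matches("07700 900123"))        # True, number never shown
    print(screen.call_customer(stub_dialer))               # CALL-REF-0001
    print(screen.reveal("date_of_birth", "age check for credit contract"))
    print(reveals_per_agent(log))                          # {'agent-42': 1}
```

The audit log is what makes the "is this click necessary?" review possible: a supervisor can query reveals per agent, per field or per account, and an agent who reveals the address on a call that only needed a "Send Engineer" click stands out.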
I deal with 1000 customers on a regular basis, and I work in IT. I have no need to know their phone numbers, home addresses or their actual email whatsoever, let alone anything else. I could do my job - with a properly designed system - without access to any of that information, except in rare circumstances where I need to change it. So why does ALL the software built for my industry give me all that information by default, and let me wander into it willy-nilly, with almost no control at all?
> "a properly designed system"
You answered your own question.
Proper systems design is not trendy enough these days.
Gone are the days of (heaven forbid) talking to the system's intended users or other stakeholders in the business (such as getting legal advice on data handling practices).
No, these days it's all high-speed iterative development, with rooms full of latte-drinking millennials sitting on bean-bags sticking post-it notes on whiteboards. The whole software project is just now one big treadmill with no real design.
And to go with this high-speed development, we have the featureset box-ticking mindset (our competitor has X, so we must have X).
I'm not saying the old-school software development process was perfect. But there is a lot to be said of taking the time to sit down, talk and plan before the coders hit their keyboards.
As they say, the 6 P's. Prior Planning Prevents P* Poor Performance.
Remove great swathes of "prior planning" and you're left with the sorry state of today's software development.
I agree with everything you said. Plus, why do call centres call me up then expect me to prove who I am to them? I can never seem to convince them that it is arse about face. They called me, out of the blue, uninvited, claiming to be my bank, phone provider, power company etc. Well I know who I am so it's not down to me to prove anything. It always ends with me hanging up.
If they need to talk to me about anything non-trivial they can email, txt or write inviting me to contact them on a number that I'll lookup.
> Can anyone explain why the agent needs my date of birth, home address (at all, I would argue... they can "Send Engineer" or "Print Letter" without ever needing to actually see my address at all!), telephone number (though should have a "Call User" button, and maybe even a way to tell that the CLI matches the account, but do they actually need to see the number, etc.)?
Because, as dodgy as it is, those are the secret questions, and the answers, they use to identify you.
They don't care what your actual DoB, address, etc. are, they've used that information supplied when creating the account automatically as the answers to the "secret questions". So when you contact them, they are reading their secret questions "What's your DoB? What's your Full Name? What's your address?" and matching your answers with the answers they have to those secret questions.
You really aren't identifying who you are, you are really just confirming that you are the owner of the account that is being discussed. A pretty dodgy, easy to social engineer set of answers - if you provided real values.
So if you sign up with random values for those questions, then you can keep using those random values to identify yourself as the owner of the account in question to them. Of course, if it's a legal contract - like a postpay telephone contract, then you have to supply the correct details as you are entering into credit contract.
There are some pro-privacy congressmen in the US who aren't owned by corporations. But they are few in number, so it would take a lot to see anything similar emerge here.
I suspect we're more likely to see some of the corporately-owned politicians whining and screaming when the EU starts levying fines against US companies for violating the GDPR, because their corporate masters will be demanding it and because many of them have an aversion to anyone in the US being subject to the laws of others (but not so much the other way around)
Sorry, I thought the article was about GDPR. If so, what does the FTC have to do with it? In Europe you'll have a lot more trouble trying to get SIMs activated over the phone as the article describes. Indeed SIMs, along with PINs and PUKs, were introduced in Europe partly to limit identity fraud.
Will Americans ever understand that they don't have a monopoly on jurisprudence?
Investigate and fine the big companies first, rather than pick the low hanging fruit of smaller organisations that may not have had the money or even the knowledge to get things sorted in time. The operation of HMRC gives no confidence that this is the way that things will be done.
I have seen far too many examples of sizeable companies virtually offering open access to customer data to far too many people in the IT department, and have been brushed off many a time when raising the issue with managers who didn't want "the burden and unnecessary cost and effort" of having to bother themselves with any potential disasters that would have arisen had someone decided for any reason to exploit the lax state of affairs. Even talk of legal issues was sometimes met with a "yeah, whatever" attitude. Some nice publicised cases with resulting reputational damage may be the only way to properly stir these incompetents into meaningful serious action, which will actually be good for all of us in the end.
"Investigate and fine the big companies first, rather than pick the low hanging fruit of smaller organisations that may not have had the money or even the knowledge to get things sorted in time. The operation of HMRC gives no confidence that this is the way that things will be done."
Your lack of confidence is shared.
Worse, I suspect what we'll see is pretty much more of the same when it comes to the size of fines issued to those who truly deserve it - don't forget the magic words in the amount they can be fined: "Up to".
Please, please start with the Credit Reference Agencies! Though they've wangled dispensations in what they can do with your data, a full audit would be lovely to see.
*Ahem* I mean, both low hanging fruit and high impact if they lose data. You know it makes sense.
Investigating and building a case against large companies will take a lot longer than against small companies, and the stakes are higher for getting it right when there's a billion euro fine to be levied instead of a thousand euro fine.
Even if they start actions against the bigger companies first, they won't be first to completion.
Faced with the choice between admitting a breach and facing large fines, or covering it up, what do you think most companies will do - and have their lawyers advising them to do?
Unless there's something like a x10 multiplier for getting caught after covering up, it's in the company's economic interest to do so. They've already broken the law, so another breach is neither here or there.
Companies that suffer data protection breaches don't tend to be very good at keeping stuff quiet, sort of goes with the territory. In many cases security breaches must already be reported and failure to do so can come with harder sanctions than those the ICO can offer, starting with a couple of nights in chokey.
What GDPR does, as with much recent EU legislation, is establish the principle of being responsible for the behaviour of suppliers. This is going to be painful for many to set up but makes a great deal of sense because large companies will find it hard to wheedle their way out by blaming poorly chosen suppliers.
If only we'd such principles in Seveso or Bhopal…
https://twitter.com/fr3ino/status/1000166112615714816
Because of #GDPR, USA Today decided to run a separate version of their website for EU users, which has all the tracking scripts and ads removed. The site seemed very fast, so I did a performance audit. How fast the internet could be without all the junk! 5.2MB → 500KB
https://twitter.com/fr3ino/status/1000708906434392064
The Verge shows a tracking-consent message when visiting the site from the EU. Most people will click "I Accept" to make it go away, but if you don't and hide the message via CSS, you won't be tracked and the site is way faster: 32 vs 5 secs load time 61 vs 2 JS files 2 vs 1 MB
Sorry JJ - it's UK law (Data Protection Act 2018) and is fundamental to getting a data security equivalence decision to keep trading in the EU. Oh and by the way, GDPR applies to anyone world wide holding any EU citizen's Data.
Personally, I feel the fines are a big enough deterrent, if the DPAs hit one of the big boys hard early on. But I would have liked the DPA to go further and make directors criminally responsible for their companies' privacy and security practice.
"GDPR applies to anyone world wide holding any EU citizen's Data"
No, not "anyone". GDPR does not apply to people processing personal data in the course of exclusively personal or household activity, otherwise your address book would put you out of compliance. Also you may have noticed that you haven't received a privacy notification from any of the various security services in Europe or elsewhere in the world for that matter. I'm not sure if it applies to the scum who are sending me lots of SPAM either. If it does they don't seem to care. I was going to say "they don't seem to know" but quite a bit of it is GDPR phishing.
that if a criminal accesses my data it's a breach? therefore hacking, phishing and other compromises become a data issue as well as a data/technical security issue?
If I read that right companies have far more motivation to handle a data loss incident than they usually do by fobbing you off with "you must have given them your password or left it written down"
I must say I hadn't in my ignorance considered this angle but it seems it could get interesting...
I am, sadly, pessimistic about how effective organisations will be in assuring authentication before people access their own data. Given how the banks struggle with non-standard customers e.g. the visually impaired, or people who have more than one abode (which may be in different countries), I shudder to think how organisations will make life difficult - it's bad enough requiring original copies of utility statements when many organisations have gone 'paperless'.
Some people will really struggle to prove they are who they say they are: many have no passport, and utility bills are all in their spouse's name, some have no driving licence either. Not everyone is well known to someone on the list of professions that are allowed to witness that a photograph is a good likeness of the bearer: "be 'a person of good standing in their community' or work in (or be retired from) a recognised profession"
I have always thought that a test of a good process is how well it handles valid exceptions. Unfortunately, many processes stop at the 'computer says "no" stage', leaving people with little recourse other than an inefficient and arduous complaints 'process'.
It is also instructive to see how organisations handle recovering from mistakes. Admitting that a mistake can have been made is a good start - and some organisations have exemplary mitigation processes that give you confidence in doing business with them in future. Others, well, not so much. I currently have two financial organisations who have data problems. One pays me dividends approximately every 6 months from shares held in an ISA with them, but when I call them, claim to have no record of me, despite voluminous documentation supplied by me. The other is unable to prevent physical letters being sent out to me telling me that my account has not been accessed for <x>-months, even though the account has been in regular use. I am sure GDPR will not improve things.
Examples - #1: Firms Hosting their own Public-Forums to promote / support their products. But failing to take down Bots posting Malware links quickly or not at all. #2: Firms with post-GDPR permission to send emails, but failing to filter / strip out Malware links or Malware attachments first...
I am very worried that some firms will use this issue as an excuse for storing (and subsequently losing) even more of my personal data! Including some quite sensitive stuff.
For example, there is no need for a retailer to know my date of birth and I always refuse to do business with anyone who requires it (I know some people just lie but I choose who I give my business to). I could imagine that many sites might try to add DOB as part of their "verification/reset" process. If so, they won't get my business.
The main reason for that is the general principle that given the strongly asymmetric power relationship with a commercial company, I need to make sure they know as little as possible about me. That minimises their chance to set prices based on my willingness to pay, or to exchange information with other companies.
Another reason is that although I do not think the government is snooping on me, they do regularly snoop on people I rely on or support such as investigative journalists, trade union organisers, human rights lawyers, etc and those people need to be able to avoid being identified in many of their transactions.
We need to make sure that the concern for data security does not throw privacy, particularly privacy from commercial organisations, out of the window.
The primary effect will be to force companies to be more focused on user privacy and how much user information they collect directly or indirectly. Too many marketing weasels failed to grasp the cardinal rule of information security: "what you do not know/have you can not blab". So willy-nilly private data collection will stop once a few big boys get nailed by some eye-popping fines. If a company never really considered user data security seriously before they will have a rough time of it for a while. But in reality they earned what they are getting. There was an old ad tag line many years ago in the US for a car oil filter: "Pay me now or pay me later". Either you pay up front to do things right or you pay much more later to fix the resulting problems.
I have little sympathy for the complainers because they mostly ignored it until too late and they were offenders the law is targeting.