Earlier this month, my ISP (PlusNet) got hacked, exposing its webmail system to spammers. The volume of spam I receive doubled overnight as a result, even though I don’t use their online email system.
This kind of security breach is nothing new. In fact, it happens frequently, though the news is often buried by companies fearing a consumer backlash.
These problems will continue to plague users until firms start taking privacy seriously. In practice this will only happen once it makes economic sense for them to invest in better security.
In late April, a US Government identity theft task force recommended federal legislation requiring companies to disclose security breaches that expose private information. The aim is to make failing to protect customer privacy more expensive than burying the problem.
This will work because it incentivises those who are in a position to improve security to take action.
If the recommendations become law, I think we can expect all kinds of interesting privacy innovations from the US market. An example appeared in my RSS reader today, suggesting that companies should appoint a Chief Privacy Officer (CPO) (via SecGuru).
A CPO is responsible for identifying information that should be protected (the “what”); Chief Security Officers (CSO) are then responsible for securing it (the “how”). The two roles complement each other.
In the UK, companies that handle private information are already required to comply with the Data Protection Act 1998. A Data Protection Officer – similar to a CPO – often takes responsibility for this within an organisation. However, there are currently no requirements for breaches of privacy to be published, so Data Protection Officers regularly operate reactively, in contrast to the proactive CPO. This is especially true in smaller companies that can’t afford to employ a dedicated person in the role.
In the article, CPO Chris Zolads highlights the growing economic incentives for companies to take seriously the management of private data (or “custodianship”, as he sees it):
“Good privacy is good business. The stakes in this area are constantly getting higher and higher . . . now we’re reading about [data breaches] in major media outlets,” he said. “That’s done a lot for consumer awareness . . . and has raised the consciousness and awareness of our managers. That’s a positive move forward.”
It seems unlikely that laws similar to the US proposal will be passed in the UK anytime soon. Data protection legislation is harmonised across the EU – an organisation that moves more slowly than the landmass on which it sits. However, if such laws prove successful abroad, the pressure on industry and the UK Government to act will increase.
I certainly hope that PlusNet take a leaf from this new US book of customer privacy – and that’s a phrase I never thought I’d see myself type!