We have long called for legislation that would give powers
to the information commissioner to force companies to inform customers when
security and data breaches occur which involve personal data.
At a conference in London yesterday on “Big Brother Britain”,
the main credit checking company, Experian, flatly rejected the idea of
automatically informing the UK public when their ID details may have been hijacked.
Gillian Key-Vice, Experian’s director of regulatory affairs,
said that while she recognised why people might “think it’s a good idea”, such
a scheme could cause “unnecessary concern” amongst individuals where a breach
has already been “managed”.
The trouble with that approach is that the public don’t know
whether it has been well ‘managed’ or badly ‘managed’. We take the view that it
is reasonable that if a data breach has occurred, and their personal details
are in the public domain, then they have a right to know, and a right to prepare
for and try to prevent any potential identity theft or fraud. Not to advise
customers of data breaches fuels the view that the financial services
industry doesn’t care, and would rather cover up breaches in secret.
I think that it is now well documented that companies,
especially financial institutions, ‘manage’ data breaches only in as much as it
protects their own bottom line and reputation, with the wider consequences to
the customer being ignored unless it is likely to involve liability to that
Not to advise customers of data breaches only adds fuel to the
view of cover-ups and secrecy.
Anna Fielder, policy consultant at the National Consumer Council, said the UK
should follow the example of California,
where companies who expose individuals’ data have to contact and notify the
She added that the UK should adopt another US
trend, where customers have the right to lock or freeze their credit records,
with companies only able to access records on the individual’s say-so.
Dr Ian Forbes, a consultant social scientist at Fig One Solutions,
said the regulations in California
amounted to a “continuous public plebiscite” which meant customers could choose
to avoid companies that were sloppy in their protection of customer data.
That can only be a good thing for individuals in protecting
their personal information.
Experian, and other companies that hold and process personal
data, must now drag themselves up to a level of debate in which individuals
take responsibility for their own identities seriously, and companies such as
Experian can no longer ‘manage’ people in secrecy.