The incident this week where an employee of T-Mobile was found to be selling customer data has shown that there is a thriving market for data.
Bridget Treacy, partner at Hunton and Williams, claimed that the incident raises some interesting issues, as under the Data Protection Act it is a criminal offence knowingly or recklessly to obtain or disclose personal data (or to get someone else to do it for you) without the consent of the organisation responsible for that data.
Treacy said: “It appears that T-Mobile had a rogue employee who was doing just that: taking the company's data and selling it to third parties. When the company became aware of this, they contacted the Information Commissioner and have been working with the Commissioner's Office to investigate the matter. It is unfortunate for the company that this incident has become public when, presumably, they are still working to gather evidence to support a prosecution.”
As organisations generally do not have the right to sell their customers' data and T-Mobile have stated very clearly that they do not sell data, organisations have made a virtue of the fact that they do not share customers' data with third parties.
Treacy claimed that data is valuable and in T-Mobile's case, their records indicated the expiry date of customers' phone contracts. “This information seems to have been used already to call customers to try to sell them alternative phone deals. Often data theft stories focus on the theft of credit card and bank account details, but the T-Mobile incident highlights the fact that other types of information also have a commercial value,” said Treacy.
“One of the problems we have is that there is no effective deterrent for unlawfully obtaining data. Currently, a successful prosecution through the courts might lead to a fine of £5,000, which is paltry given the likely value of the stolen records.
“The Ministry of Justice is consulting on the introduction of a term of imprisonment for this sort of offence, rather than just a fine. Increasing the penalty might act as a deterrent, particularly as it would apply not just to those who actually obtain the data, but also to those who stand behind, using others to obtain data on their behalf.”
Graham Cluley, senior technology consultant at Sophos, asked who was buying the data. He said: “Technology does exist to help intercept and control the movement of personal data inside organisations - but many firms have still not taken even the most basic steps to halt it dead in its tracks.
“I'm not saying that technology can help prevent any data leaks inside your company - after all, a bad guy in your call centre could write down customer details on paper and put them in his back pocket - but it's only sensible today to take all the precautions you can, and reduce the risk.”
Treacy agreed, claiming that companies must be ever more vigilant about safeguarding their data assets. She said: “It is difficult to guard against a rogue employee, but organisations are expected to have strong controls, policies and training programmes in place to mitigate these risks.”