
Companies, sort out your stolen data plan

Data breaches – when companies fail to keep your details secure – are becoming increasingly common. So how should they respond when the breach happens, and should we be worried about our information?

Over the past months we’ve seen a number of high-profile data breaches of customers’ personal data reported from companies including Sony, Play.com and Travelodge. In fact, there have been data losses from nine high-profile companies already this year.

The details exposed and the numbers affected differ in each case, but there’s one overriding theme here – that consumers’ personal details are being put at risk.

And our recent survey of the general public shows that it’s something many people are worried about. Seven out of ten of those we surveyed are increasingly worried about the safety of their personal information held by organisations.

Varying levels of risk

Now I don’t want to be alarmist here, so to put things in perspective: the type of information breached dictates the level of risk to those affected, and admittedly that risk is not always high. That aside, I do very much believe we should be able to give a company our details and expect them to be kept safe.

As modern consumers I think we are all quite accepting of the fact that to buy and use products or services, online and otherwise, we need to hand over credit card details and email addresses, often as the absolute minimum information.

The end result is that dozens – potentially hundreds – of organisations will hold at least some of your personal information. This isn’t an issue as long as the companies keep your data safe. So are they?

In our survey, 15% were aware of having been the victim of a data breach. Of those who had been affected, a quarter had card details exposed and one in five had bank account details exposed. The personal information most commonly involved was name, address and username.

Companies need a data breach plan

The causes of a data breach range far and wide, from an outside hacking attack on a website to a lost company laptop with confidential data stored on it. When a breach does happen, we’ve said before that an apologetic email doesn’t make up for losing personal data, but at least it means you are aware of it.

And that’s the main problem – at the moment, companies are dealing with data breaches in all sorts of different ways. What we want to see is a standard process that all organisations have to follow, including notifying the Information Commissioner’s Office (ICO) of all data breaches.

Have you been contacted by a company to tell you some of your information has been lost, leaked, hacked – or for any other reason? If so what did they tell you – did they provide you with enough information, fast enough? And were you happy that you were given good advice on what you should do next?

Rose says:
17 August 2011

Yes, a standard procedure is definitely needed. Companies should be obliged to contact customers affected within a set period and should also have to financially compensate the people concerned with set amounts according to the degree of risk/severity. It’s not acceptable for companies affected just to apologise.
I haven’t been contacted to tell me my data has been obtained, but I am now getting one type of spam email (at least several a day) that makes me wonder if my details have been obtained online without my authority. I certainly always select the “no third party contact” option when I have to register my details.

Most emphasis is usually on online data breaches, however, our experience is that non electronic data is far more vulnerable.
We have been embroiled in complaints procedures with the NHS for over three years as a result of this we stumbled across a serious failure of data security.
Prior to the complaints we had needed to get some information on GPs with knowledge of a rare, recently diagnosed condition, of a family member who I will refer to as ‘P’. I ended up talking to the Healthcare Commission who advised that I talk to a local NHS Trust who deal with similar conditions and should have the information that I required. This I did and the Trust promised to ring me back but instead this is what happened.
I will make one thing clear from the start: P was NOT a patient of the Trust and was not referred to it either at this time or later. A manager of the Trust who had never met, talked to or corresponded with P went to our local hospital and accessed P’s medical records (which in this case contained extremely personal, sensitive and confidential information) and discussed them with others, some of whom were of a non-medical background.
(The manager even rang P’s GP practice and the GP was quite happy to discuss P’s medical condition – but this is another story.)
We pursued this breach through the complaints procedure and, even though we had copies of NHS documents that proved what I have described, it took the Trust 9 months to admit that they had not complied with the NHS Confidentiality Code. During this period I sent the information to the Information Commissioner’s Office, who ruled that the Data Protection Act was not complied with.
Even with the ICO ruling and the Trust’s admission that they had not complied with the NHS Code, the Chief Executive still stated that his staff had “behaved professionally and in P’s best interest”. They clearly do not take data security seriously! Unfortunately the consequences have been far reaching and dire, but no one will sort them out. As the Trust had admitted everything and we had an ICO ruling but the Trust would not help rectify the problems they had caused, I submitted everything to the Ombudsman. What a waste of time: because the Trust had said ‘sorry’, the Ombudsman accepted this as adequate and would do nothing. I then went to my MP, who made a submission to the Health Minister. We then got a letter stating that his staff had been assured by NHS North West that they complied with national guidelines on data security. This was accepted by the DH even though they had documents that proved otherwise. When this was pointed out, the DH just quoted parts of the NHS Confidentiality Code. They clearly are not going to get involved.
What has happened to P is far worse than what has happened to most of those whose phones have been hacked, yet there is a total cover up by the NHS and Government. The PM clearly does not mind a data breach in his own ‘back yard’.
A very worrying aspect is that the Trust’s CE acknowledged P was not a patient, that accessing the records was unnecessary and that they had not complied with the NHS Confidentiality Code. But it would appear: so what! Because I also have a letter from the Head of Information Governance for the Trust which makes the following quite clear. Any member of staff who has been authorised to access patient records as part of their job can access anybody’s records (even if they are NOT a patient). She then goes on to state that even if you are a patient, and you refuse to let them have access to your records, if they think it is in your best interest they will access them anyway (specifically NOT allowed within the Code). In other words your NHS records are NOT secure; if you have a medic as a friend or neighbour then just remember the next time they are in work they can trawl through your most personal records if they choose, and that there is nothing to stop them. And everybody, whether NHS or Government, will condone it!!!!

Anthony Cooper says:
17 December 2011

In my Hotmail account I have been getting a lot of spam in the last 5-6 months, such as from Rewards today and many other companies which I cannot name, offering e-cigarettes, PPI insurance, Vodafone products, etc, etc, and I don’t know if it’s because I suffered a data breach of my email address… and if so from whom. I thought it was o2 but it wasn’t them, so I don’t know where the source of the leak is coming from.

I get no spam in my yahoo.co.uk account, even in their junk mail folder, yet I get loads in my Hotmail… they are doing nothing about it and I have no way of contacting Hotmail. Fortunately most of it goes in my junk email folder, but I am getting fed up with it now.