Another week, another Data Protection Act breach.
Yesterday, the ICO reported on a former employee of an online gambling site who pleaded guilty to selling the personal data belonging to over 65,000 players. As a result of his guilty plea, Mr Ben-Ezra was given a conditional discharge and ordered to pay his former employers £1,700 and pay £830.80 court costs.
Information Commissioner, Christopher Graham, said: (emphasis ours)
This case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity. Mr Ben-Ezra sold people’s personal details on an industrial scale, making in the region of £25,000 at the expense of the tens of thousands of bingo players whose privacy he compromised, and who he exposed to the nuisance of being approached by rival betting websites and, at worst, the risk of identity theft.
I am grateful to Cashcade Limited and Gala Coral for their work in exposing this unlawful practice. However, we still don’t have a punishment that fits the crime. The ICO continues to push for the government to activate the 2008 legislation that would allow courts to consider other penalties like community service orders or the threat of prison.
The Information Commissioner makes a valid point and, as discussed previously, this is one of the driving factors behind calls for greater powers.
From a purely economic standpoint, Mr Ben-Ezra made an estimated £25,000, out of which he has been ordered to pay a total of £2,530.80, leaving him with a profit of around £22,000. While this is not Earth-shattering and is unlikely to cover the loss of income he will now suffer, it is a clear sign that, currently, there is a strong financial incentive for people to misuse personal data.
As the current legislation allows for much more significant fines, it is not clear why such a small sum was imposed here. While it is easy to agree with the Commissioner that there needs to be a realistic deterrent available, the full weight of the current powers should be used before new punishments are sought. If there was evidence that Mr Ben-Ezra had profited in the region of £25,000, then this is, really, at least what he should have been fined.
Also, and of more general public interest, there are now 65,000 people whose personal data has been placed at risk (of identity theft, according to the ICO) who may never know what has happened and certainly won't get anything in the way of compensation. This is a significant failing of current Data Protection Act enforcement, and one that is unlikely to be remedied in the near future.
From an organisational perspective things are pretty bad as well.
When an organisation experiences a data breach of this nature, there are few choices: you can notify all your customers and suffer the reputational damage, in the hope that doing the right thing will retain some loyalty; you can invest significant resources to determine which records were compromised and notify only those customers, which is costly and risky; or you can choose to notify no one and accept that, if customers find out, there is likely to be a significant backlash.
Remember, mishandling customer data can completely wipe out the time, effort and money you have spent on advertising and brand awareness. For some companies it can even close you down (ACS:Law, for example).
While it is impossible to totally remove the risk that a rogue employee will try to sell your customers' data, implementing sensible security measures can significantly reduce the probability of a breach and mitigate some of its impact.
The important lesson to remember is that it is always better to prevent the breach than deal with it afterwards.