Privacy and Data Protection

Conviction for Privacy Breach
Asia Pacific

Privacy Commissioner for Personal Data (PCPD) Allan Chiang has announced that membership sales company OnCard Limited has been convicted in the Eastern Magistrates’ Court of breaching the Personal Data (Privacy) Ordinance. The company pleaded guilty and was fined HK$1,000. The breaches arose when OnCard Limited continued to make marketing phone calls even after the complainant had asked not to be contacted, and the matter was referred to the police.

Mr Chiang said that the case was the third of its kind in 2011, and expressed disappointment at “direct marketers ignoring customers’ opt-out requests and showing a total disrespect for their data privacy rights”. Mr Chiang further said he hoped that the conviction would be a salutary lesson to other companies engaging in direct marketing.
PCPD’s media release (26 July 2011)
(Source: PCPD;

Murdoch Media Hacking Scandal Gets Serious, Goes Global

Bloomberg reports that Labour party lawmaker Tom Watson has asked the UK’s Serious Fraud Office to investigate News of the World (NoW) journalists for corruption. NoW is reportedly already the subject of two police investigations, the first into allegations of widespread phone hacking, and the second into claims that the company bribed police for confidential information.

Meanwhile, the New York Times (NYT) reports that the US Federal Bureau of Investigation has commenced a preliminary investigation into allegations that News Corporation journalists hacked the phones of victims of the September 11 terrorist attacks in 2001.
ABC News: Former News of the World editors arrested (8 July 2011)
NYT: F.B.I. Opens Inquiry Into Hacking of 9/11 Victims’ Phones (14 July 2011)
Bloomberg: U.K. Fraud Prosecutors Receive Phone-Hacking Probe Request (18 July 2011)

The Economist reports that the current News Corporation scandal has placed political pressure on the ethics of a private enterprise to an extent not seen since the 19th-century winding up of the East India Company.

The Age reports that company directors faced a parliamentary inquiry on 19 July 2011, denying any knowledge of, or involvement in, a culture of impropriety. Deputy director James Murdoch reportedly defended his approval of out-of-court settlements previously paid for privacy breaches, but denied that the practices were widespread.

According to Transparency International, the unfolding crisis raised doubts over the government’s ability to deal with a corrupt media enterprise with which it is so closely connected.
The Economist: An empire at bay (14 July 2011)
The Age: ‘Most humble day of my life’ (20 July 2011)
Transparency International: Corruption crises requires coordinated response (18 July 2011)

The Independent reports that the scandal has damaged the media empire’s reputation so severely that investors are planning to appoint a new chief executive in September. According to The Independent, this move is supported by analysis suggesting that the company would be valued 30-50% higher without Mr Murdoch at the helm, and that his mishandling of unethical behaviour could see him toppled from the top job within his longstanding media empire.
The Independent: David Prosser: Investors look forward to change at the top of News Corp (20 July 2011)

The scandal has reportedly highlighted the need for a general privacy right in Australia, with Privacy Minister Brendan O’Connor announcing that the federal government will release a public issues paper seeking responses on a possible “statutory cause of action for serious invasions of privacy”.

The Age reports that media companies are keen to participate in the consultation process, despite historically opposing the introduction of such a right.
Privacy Minister’s media release (21 July 2011)
The Age: Canberra to move on privacy law (21 July 2011)

(Source: ABC News; NYT; Bloomberg; The Economist; The Age; Transparency International; The Independent; Privacy Minister)

Firms Focused on Saving Face, Unfazed by Fines

PCWorld reports that a recent CyberSource and Trustwave survey has found that companies are less concerned about being fined for data breaches and more worried about reputational damage. The survey reportedly found that only 26% of respondents were motivated by fines for non-compliance, but 70% cited a need to “protect the brand”. According to PCWorld, damaged reputations can lead to increased costs such as lost revenue, lost customer loyalty and lowered stock valuations.

Notwithstanding these potential costs, respondents were reportedly disinclined to “proactively invest in better information security technologies, or be more diligent about protecting the data they are entrusted with”, as the threats are not perceived as sufficiently significant. According to PCWorld, data security legislation and industry standards are necessary to address this dissonance by driving companies to adopt a compliance culture.
PCWorld: Businesses More Concerned With Reputation Than Fines (21 July 2011)
(Source: PCWorld)

Customers’ Unencrypted Personal and Financial Records Lost

SC Magazine reports that Morgan Stanley Smith Barney (Morgan Stanley) lost CDs containing unencrypted tax information on 34,000 customers, en route to the New York State taxation and finance department. Affected clients were reportedly notified in June 2011, and advised that the information included “some clients’ account numbers and social security numbers, as well as interest earned on tax-exempt bonds and funds”.

Security experts have reportedly criticised Morgan Stanley for failing to use encryption, with Dtex Systems managing director Mohan Koo saying that such a lapse is “a sign that financial services organisations have the wrong attitude to securing client data”, particularly when the data is in transit. Mr Koo reportedly added that all financial institutions needed to improve control over personal data and should be able to detect when proper practices are not being followed, or customers will cease to entrust them with their details.  
SC Magazine: Morgan Stanley loses 34k customer records on unencrypted CDs (9 July 2011)
(Source: SC Magazine)

Annual Report Notes Value in Audits
Europe, Middle East and Africa

The Information Commissioner’s Office (ICO) has released Information Commissioner’s Annual Report and Financial Statements 2010/11: Information is the currency of democracy (5 July 2011). Information Commissioner Christopher Graham released the report with a recommendation that businesses “should be more willing to undergo data protection audits”, particularly given that the private sector accounted for more data security breaches in 2010-2011 than any other sector. Mr Graham also observed that private sector organisations are much less likely to agree to an audit than public sector counterparts (19% versus 71%). Mr Graham said that agreeing to an audit “should count as a badge of honour, showing that the business takes data security seriously”.

The Daily Mail reports that banks were the most commonly complained about group, although official statistics are likely to underestimate the problem as there is no obligation to report complaints to the ICO.
Further information from the ICO
ICO’s media release (6 July 2011)
Daily Mail: Banks face more privacy complaints from customers than any other group (7 July 2011)
(Source: ICO; Daily Mail)