Tuesday, October 25, 2016

CyberSecurity: Personal Risks Arising from Privacy Breaches in Business

Modern computer technologies enable the handling of an unprecedented amount of private and public information, exposing customers to a number of potential risks.


The TalkTalk cyber attack saw the personal details of 157,000 customers, including credit card details, being disclosed in October 2015. As a result, the company lost an estimated £60m and over 100,000 customers, but customers were also open to potential identity fraud: in some cases, fraudsters used the data to allow them to pose as TalkTalk engineers, contacting customers and persuading them to install malware on their machines.

This kind of data breach is a type of unwanted disclosure - the disclosure of personal data to parties not intended to receive it. Unwanted disclosure can happen when businesses interact with third parties, such as in the case of outsourcing operations, and also covers disclosure of secondary information: for example, partial information about user activities.


The following personal risks can arise from such data breaches:

  • Secondary use of information: the use of information for purposes other than the one originally intended at the time of collection. For example, data collected to provide a service is later used to target a customer with adverts.
  • Leakages. Customers' personal information can be leaked or lost in a variety of ways, for example at the network or server end.
  • Identity theft or fraud. This happens when an impostor gains key pieces of personal information that enable them to impersonate the victim.
How do privacy laws govern how companies do business?

Question 1

EU law restricts how companies and organisations collect, manage and process personal data. But what is personal data?


The EU definition is broad - any information relating to an identified or identifiable natural person.

Which of the following do you think would be personal data? Select all that apply.
  • Their name and salary details
  • Their social security number and address
  • Their email address and record of online purchases 
Question 2

EU and UK law limit the amount of information that can be collected. It needs to be relevant to the purpose.

Consider this example from the UK Information Commissioner's Office (ICO):


A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations.

A person applying for an office job has to fill out this questionnaire.

Would it be appropriate for the recruitment agency to request and store this information?
  • Yes
  • No

Question 3
Once personal data is collected companies have a duty to protect this against loss and unauthorised access.


What do you think this duty would include?
  • ensuring that personal data is only available to those who need to see the data
  • ensuring that IT systems are managed to reduce risk
  • ensuring that paper copies of digital information are handled appropriately
  • ensuring that employees are trained in their responsibilities relating to the personal data that the company holds
  • ensuring that personal information is not stored on unprotected mobile devices
Question 4
Organisations need to make it clear why they are collecting personal information and use this in a fair manner.

Let’s consider another scenario from

A medical doctor discloses his patient list to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation.

What makes this unfair?
  • The person running the travel agency has gained an unfair advantage on other travel agencies
  • Patients have given their information to the doctor so that he can look after their health. Disclosing these details to a travel firm is incompatible with the purposes for which it was obtained.

Question 5
Under EU law individuals already have a right to find out what information is held about them.


Do you think companies should be able to charge people to access this information?
  • Yes - I think they should be able to charge a fee.
  • No - I don’t think they should be able to charge a fee.
Question 6
In many countries privacy laws place additional responsibilities on organisations handling personal information about children.


In the USA the Children’s Online Privacy Protection Act (COPPA) applies to websites and online services that are directed at children. It stipulates that parental consent is required when collecting personal information from children.

How old do children have to be in the USA before they can use services without parental consent?
  • 13
  • 14
  • 16