The Straw (Data Breach) that Broke The Camel’s Back

This appalling loss of 25 million personal data records by Her Majesty’s Revenue and Customs has to become the tipping point for a marked increase in respect for personal data across all of UK government and beyond.

And this on the back of last week's revelation that the Foreign and Commonwealth Office had breached the Data Protection Act.

More resignations please, and then some strong proposals on how to transform the situation...

...This is unlikely to be based on an 'honest, we'll do better next time' approach, or even on bringing in data breach legislation after the horse has bolted. Project VRM and User-Centric Identity Community, please help!

Data Breach Laws Rejected in UK – Now We Know Why...

Contrary to the House of Lords' recommendations, the UK Government is refusing to introduce data breach notification laws.

According to a House of Lords spokesman, Lord Errol, the UK government ‘does not get the threat to the internet posed by cybercrime’.

'The powers would apply to government as well as the private sector. We think that's why [the government] is resisting it,' said Lord Errol.

A very timely quote, given that on the same day it was announced that Revenue and Customs had 'lost' a CD with the personal details of 15,000 Standard Life customers.

12 Components of Trust – In relation to personal data

Over on the Project VRM mailing list there is a developing discussion around the different variants of 'trust' that relate to CRM or its VRM counterpoint. From that discussion it's clear that this is a complex area, with people coming at it from many different perspectives.

To try to help that debate along, here's a view from the Trust Index assessment, which tackles only the 'should I trust you with my personal data' aspect (*), but does so in some detail. Before delving into that, it is worth remembering that this assessment is based on European-grade privacy legislation and its underlying principles, further enhanced with additional questions arising from good customer management practice. The principles themselves are very solid and based on many years of applied thinking (it's only the deployment that does not work well).

When Privacy Officers answer these questions to complete an assessment, they select from 5-point scale answers, each backed with detailed compliance text to help clarify any queries they may have on scoring. Additionally, each question/score is weighted based on input from experts as to the relative impact of problems in each of the 12 areas.

(*) At present we take the view that tackling more than one trust component would be too difficult, as the other components are less solidly defined than 'privacy', which has legal underpinnings. Should strong definitions of 'trust' emerge across other areas of the VRM discussion, this index can be extended.

Trust Index Assessment

1. How would you describe the overall approach your organisation takes to managing personal information?

2. What safeguards does your organisation have in place around the collection of personal information?

3. Does the organisation have processes and controls in place to ensure that my personal information is used only for the purposes I have agreed to in providing it to you?

4. To what extent does the organisation deploy the principle of retaining the minimum information to support the use being made of it?

5. How does your organisation ensure that the accuracy of my personal information is maintained?

6. Does the organisation have a comprehensive, accessible policy around how long it retains personal information, and how it disposes of it on completion of use?

7. How does the organisation approach the principle that I should be able to access the personal information stored on me?

8. How does the organisation ensure the security of my personal information when it is in their hands?

9. How does your organisation ensure the security and integrity of personal data when you share it with your suppliers, partners and other third parties?

10. How does your organisation enable me to understand the risks that exist around your management of my personal information, where liabilities lie and what remedies will be brought to bear in the event of a data breach?

11. Does the organisation have a process in place to proactively contact me if an information breach occurs that exposes personal information about me to risk?

12. To what extent does the organisation enable me to access/download/utilise the information within your systems to add value to me?

Can I Own My Data?

(Cross post from Right Side Up)

Ownership sounds like such a simple idea...

At first glance, the ownership of "my" data seems straightforward. I created it (or at least was involved at the beginning), it's about me, so I own it. But personal data is a slippery concept. For one thing, a lot of the time it's co-created, by me and my supplier, including my government. And tying down the legal specifics of data ownership is a bit of a minefield. Hence the recent and continuing debate on the Project VRM mailing list about whether an individual does, can or should 'own' personal data relating to them.

I take the view that individuals will ultimately have a form of ownership rights to data that relates to them. So far so good, but the word “ultimately” there is important, and frustrating. This will take some time to happen, and will relate to only some of the data in question. My view is that ‘ownership’ of personal data will come about through a combination of issues and events; and that this will all pan out over the next few years.

Firstly, the sensitivity of individuals to problems with firms' use of data is rapidly increasing. The way most organisations gather and use data is often invisible to the individual, and almost always annoying to them. For one thing, there are regular and sizeable breaches in data security. One example is the TK Maxx breach, which has now doubled in size from that originally admitted. Plus there's a growing identity theft problem, with little sign of a solution in sight. And as we all know there are ongoing problems with spam to compound the everyday irritation of poorly targeted, invasive direct marketing. In the same 'worrying' space are large corporate acquisitions or investments (e.g. Flickr/Yahoo or Facebook/Microsoft) in which access to identity data initiated by and important to the subject is traded for a few dollars per record.

This increasing pain, without legal recourse, will drive some firms to offer commercial services to reduce that pain. These will include 'who has data about me' services such as Garlik, reverse-marketing services such as Pureprofile, transparency enablers such as The Trust Index (disclosure: this one is one of my hobby horse projects) and some plays from more traditional players in the personal data space such as Experian, Equifax or CallCredit. All are now beginning to explore how they can sell personal data back to the data subjects.

Another driver will be data breach notification legislation. It will be deployed in the EU and in many other countries. I expect it will be watered down, and won’t do too much in practice to change the accessibility of stolen customer data. The going rate, by the way, is £140 for 1000 credit card records – with security codes – or so I heard the last time I checked. But no matter, such legislation will at least build some additional legal rights on the side of the individual in the personal data space.

Next, opt-in-based direct marketing is going to become the norm across ALL communications channels, upping the value of 'permissions' data. This will be a sensible approach for large organisations to adopt commercially, largely for environmental reasons. And user-centric identity technologies (such as OpenID, InfoCard and i-names) will start to become more popular. They'll impact b2c (or more accurately c2b) electronic relationships. People will want to restrict the flow of personal data into organisations, though they will see a clear trade-off in offering personal data to get an improved customer experience.

Meanwhile, the next generation of personal information management services will emerge. These alternative ‘single views of the customer’ will be available for organisations to tap into — with permission, and usually at a cost. This will be the trigger point for real change. For the first time, data sourced FROM an individual will be more valuable commercially than data gathered ON an individual. In practice, this is about “pull”: the commercial value of these new data sources comes from the higher response rates that come from the much improved relevancy of communications. ‘Pull’ beats ‘push’ every time at the micro, one-to-one level.

When this new value is created within the PIMS (personal information management services), commercial law swings into gear. Individuals and suppliers will build robust contracts around these new services and, at last, we have something akin to ownership of our personal data.

In short, the point at which I will ‘own’ my personal data is the point at which I can actively manage it. If I have the choice over whether to sell it to someone, and can cover that sale with a standard commercial contract, then I clearly have title. But – and this is crucial – this doesn’t mean that I ‘own’ all the personal data that relates to me. Lots of it will still be lying around in various supplier operational systems that I won’t have access to (and probably don’t want to – much of it is not worth me bothering about).

Technically we can just about do this now. As ever, I think we’ll have to wait a bit longer for all this to build a mass market for personal data ownership and management. That said, I think we’ll start to see little signs of life in this space over the next 12 months. Watch, as they say, this space.

Talking of which, do any of you database marketers out there want to buy my ‘intention to buy’ data for the next 6 months? I’ll break it down by product / service category, add likely purchase dates, indicative amounts and existing preferences of various types… and send it in a format that feeds straight in to your CRM system. £10 per category for a one off use, and I can GUARANTEE that my data will be more predictive of what I’m going to buy than your own analysis or what you can buy in from other external data providers.

Iain Henderson

Some Useful Research

Here's some useful input from Experian; we'll be looking to take this down several levels of detail with The Trust Index over the next few months.

Consumer threat to blacklist unsecure brands

The majority of UK consumers have threatened to go out of their way to spread word of brand owners' data protection failings, following a sharp rise in firms failing to keep personal information safe.

According to the new study by Experian, how businesses store and use personal data is a crucial factor in whether a person is likely to buy from an organisation or not.

Sixty-five per cent of respondents in the survey claim they would not buy again from a company that did not keep their personal information absolutely safe.

The survey also found that car dealers are the organisations consumers are least likely to trust: 46 per cent of respondents would not rely on them to keep personal data safe, closely followed by insurance and Internet companies.

Google Calls for Global Privacy Laws

This is nice: no sooner do we get The Trust Index up and running than Google kindly sets out the case for it, albeit indirectly.

Yes, there is a need for a global approach to privacy standards. But that won't happen for a long time; there are too many vested interests. In the meantime The Trust Index will do what it can to bring transparency to the current mess.

Interesting, however, that Google points to the APEC guidelines, which is not setting the bar very high, as this article points out.

The Trust Index – Introduction

Welcome to The Trust Index, a VRM (Vendor Relationship Management*) tool that aims to help individuals differentiate between organisations that they should trust with their personal information and those with which they might not be so comfortable.

* VRM, or Vendor Relationship Management, is the reciprocal of CRM or Customer Relationship Management. It provides customers with tools for engaging with vendors in ways that work for both parties. CRM systems until now have borne the full burden of relating with customers. VRM will provide customers with the means to bear some of that weight, and to help make markets work for both vendors and customers — in ways that don’t require the former to “lock in” the latter.

The goal of VRM is to improve the relationship between Demand and Supply by providing new and better ways for the former to relate to the latter. In a larger sense, VRM immodestly intends to improve markets and their mechanisms by equipping customers to be independent leaders and not just captive followers in their relationships with vendors and other parties on the supply side of the marketplace.

The chart below shows a sample output from the Trust Index, showing an overall Trust score and then the breakdown by component parts.