PL&B UK E-news, Issue 32

  1. HFC Bank breaches Data Protection Act
  2. CEOs fail to act on data security threats
  3. SAP seeks dialogue on RFIDs

1. HFC Bank breaches Data Protection Act

HFC Bank, a subsidiary of the HSBC group, has apologised after an "operator" error exposed the e-mail addresses of 2,600 HFC customers. The breach occurred after an e-mail was sent out to Marble credit card holders requesting them to contact the bank. The e-mail, however, contained the addresses of all customers on the distribution list. According to the Financial Times, the error was compounded by the fact that 'out-of-office' replies from some customers were relayed back to the distribution list, revealing telephone numbers and details on holiday absences.

Director of corporate affairs, Martin Rutland said HFC had contacted the Information Commissioner's Office (ICO) over the incident, although the ICO has since confirmed it will not be taking action against the bank. Rutland said HFC has apologised to customers, credited their accounts with £50, and has looked into how the breach occurred. "We've looked at the particular process that went wrong and we've taken steps to ensure it won't happen again," he said.

The apology and compensation, however, do not appear to be enough for some customers. According to the Financial Times, Brad Green - one of the affected customers - is coordinating a customer action group and may pursue legal action against HFC.

The full story and analysis will be published in the next edition of Privacy Laws & Business UK, out in September.

2. CEOs fail to act on data security threats

Although CEOs are becoming increasingly aware of information security, they are failing to adequately address the risks, according to a survey by Ernst & Young. The 2004 Global Information Security Survey - which questioned infosecurity managers from around 1,200 organisations, across 51 countries - found that only 20 per cent strongly agreed that security was perceived as a CEO-level priority. Around 70 per cent of respondents admitted that their board of directors did not receive quarterly status reports on infosecurity.

Lack of awareness among staff was cited as a key problem area by the survey, with over 70 per cent of respondents failing to list awareness and training as a top priority. This is despite recognition that poor awareness is the biggest barrier to achieving strong security levels. The report states that "more could and should be done to transform an organisation's weakest link - people - into its strongest and most effective layer of defence-in-depth."

The survey also picked out offshore outsourcing as a concern. More than 70 per cent of respondents indicated that they failed to regularly assess whether foreign service providers were compliant with data security regulations. And over 60 per cent fail to regularly assess vendors' compliance with their own internal security policies. "Companies can outsource their work, but they can't outsource responsibility for its security," said Edwin Bennett, Global Director for Technology and Security Risk Services at Ernst & Young. "Organisations have to demand higher levels of security from their business partners."

The survey stresses that organisations should see security as a business enabler, rather than viewing it as a cost centre. "Companies can transform their view of information security, and approach it as a way to gain competitive advantage and preserve shareholder value, rather than merely consider it a necessary cost of doing business," said Bennett. "However, this transformation must be led by a visible shift in attitude from the CEO and the boards."


3. SAP seeks dialogue on RFIDs

Global technology vendor, SAP, has called for open public debate over the benefits and privacy implications of using RFID technology. RFID tags (basically tiny location tracking devices that can be attached to products and packaging) are increasingly being used by retailers and manufacturers to manage their supply chains. But civil liberties groups have been concerned that the technology could be used to track and profile consumer shopping habits. Consumer groups like CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) have launched high profile campaigns against proponents of RFIDs, including companies such as Benetton, Gillette and Procter & Gamble.

SAP, a developer of RFID solutions, plans to host a number of discussion groups over the coming months, bringing together industry and business leaders, political groups, IT vendors and privacy advocates. The discussion groups will run in conjunction with major industry events, including Germany's CeBIT technology conference in March 2005. In October, SAP also intends to launch an online forum for interested parties to discuss and share ideas on RFIDs.

"In order for a new technology to gain widespread acceptance, businesses and the public should be well informed of its advantages and implications," said SAP executive board member, Claus Heinrich. "We therefore intend to facilitate a continuing open discussion among stakeholders to find ways to address concerns through industry standards, accepted guidelines and responsible corporate citizenship."
