Each of the ‘Privacy Fails’ we discuss in this series of short articles is real. They are based on things we have seen at The Privacy Compliance Hub. They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied. These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.
The privacy fail
This ‘Privacy Fail’ is probably best summed up as ‘allowing unauthorised access to personal information’. Now, this covers a wide range of sins, from allowing online customers to view other customers’ account information, to leaving staff appraisals on the printer, and everything in between.
The reason that this ‘Privacy Fail’ is such a biggy is that there seem to be a lot of significant fines imposed in this category. This may be because the consequences of getting it wrong are so damaging to individuals, combined with the fact that the regulators believe that, given the will, it is a relatively easy ‘Privacy Fail’ to avoid.
A privacy statistic
Most privacy complaints in Ireland in 2019 were due to unauthorised disclosure (which includes allowing unauthorised access). Allowing unauthorised access was in the top five data breaches notified to regulators in both the UK and Ireland in 2019.
Real life examples with real life consequences
1 & 1 Telecom GmbH – fined €9,500,000 for its call centre requiring only name and date of birth (which could easily be found online) to gain entry to customer information.
Haga hospital – fined €460,000 for allowing dozens of hospital staff to access the health records of a well-known Dutch person.
Unicredit Bank SA – fined €130,000 for allowing payer personal information to be seen by payees.
Sergic – fined €400,000 for allowing customers to see other customers’ personal information by making simple changes to the URL in the browser.
Bouygues Telecom – fined €250,000 for allowing customers to see the invoices and contracts of other customers by making simple changes to the URL in the browser.
Active Assurances – fined €180,000 for a catalogue of failures. Even after being informed about and remedying the fact that access could be gained by one customer to another customer’s account by changing the details at the end of the URL, Active Assurances still allowed customer accounts to be indexed by search engines.
How to avoid this privacy fail
Train your staff on the importance of ‘privacy by design and by default’. All your staff should know what a data protection impact assessment is and when to consider using one. Our Privacy Guy has written about this in a previous article. He has also appeared on camera to discuss it.
Don’t let human error cause your organisation to be fined. Make your team understand the consequences of getting it wrong and the benefits, in terms of product quality and customer trust, of getting it right. Make them care by explaining the possible consequences of complaints to the regulator. And make them do what they are trained to do. This is all part of creating a culture of continuous privacy compliance.
Adequately test all product releases. Consider third-party penetration testing. It seems inconceivable that any of the examples discussed above would have occurred if proper testing had been undertaken.
Take security seriously. Again, our Privacy Guy has written and spoken about this. Make sure that your IT team is up to date in its security knowledge. If not, send individuals on specific security training, or bring in third-party support.
Obviously, given that three of the fines handed out in the cases summarised above involved simple changes to URLs giving access to personal information, it is probably best to make sure that doesn’t happen in your organisation!
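To make the ‘changing the details at the end of the URL’ failure concrete, here is an added example (not code from the article or from any of the companies named) showing a record lookup that only checks the customer is logged in, the fixed version that also checks the customer owns the record, a regression check a test suite can run against either handler, and the response headers that keep account pages out of search engine indexes. The invoice data, customer ids and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    amount: str


# Constructed sample store: two invoices belonging to two different customers.
INVOICES = {
    1001: Invoice(1001, customer_id=7, amount="42.00"),
    1002: Invoice(1002, customer_id=8, amount="99.00"),
}


class Forbidden(Exception):
    """Raised when the logged-in customer does not own the requested record."""


def get_invoice_vulnerable(logged_in_customer: int, invoice_id: int) -> Invoice:
    # Authentication only: any logged-in customer can read any invoice simply
    # by editing the id at the end of the URL. This is the failure the fines describe.
    return INVOICES[invoice_id]


def get_invoice_fixed(logged_in_customer: int, invoice_id: int) -> Invoice:
    # Authorisation done server-side: look the record up, then check ownership
    # before returning it. A missing record and another customer's record both
    # produce the same error, so the id space cannot be probed for valid ids.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.customer_id != logged_in_customer:
        raise Forbidden(f"invoice {invoice_id} is not accessible to customer {logged_in_customer}")
    return invoice


def customer_can_see_other_customers_data(handler) -> bool:
    # Regression check for a release test suite: customer 7 must not be able to
    # read invoice 1002, which belongs to customer 8. True means the handler is broken.
    try:
        handler(7, 1002)
    except (Forbidden, KeyError):
        return False
    return True


def account_page_headers() -> dict:
    # Headers for any page showing personal information: keep it out of search
    # engine indexes and out of shared caches (the Active Assurances follow-on failure).
    return {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "private, no-store"}
```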