Call me cynical, but your personal information is no longer safe . . . with any company.
Especially e-payment firm Octopus Holdings. The company has admitted to selling its customers’ personal information since January 2006 and making a pretty penny off it — a whopping HK$44 million ($5.7 million USD). The personal data of 1.97 million customers was sold to six different companies, including Cigna Worldwide Life Insurance.
Octopus CEO Prudence Chan, who was speaking at a private hearing with the Hong Kong Privacy Commission, was quoted as saying the company has pledged not to provide personal data to other companies in future. Octopus had earlier denied it sold customer data, until it was called up by the Commission to testify at an official investigation of the company’s practices, noted a report by Apple Daily. Chan then retracted the denial.
As one would expect, Chan is now facing pressure to resign for her mismanagement and deceiving statements.
Something good can actually come from this, however. Hong Kong’s Privacy Commissioner, Roderick Woo, proposed introducing a law to make it a criminal offense for companies to sell customers’ data. Let’s hope that proposal is taken seriously and that similar laws are proposed here in the U.S.
For your enjoyment (or to merely raise the level of mistrust you may feel towards businesses and/or individuals), here is a short list of instances when the shameful act of selling customer data has occurred:
- In July of 2007, a subcontractor working for a company that fills orders for the Disney Movie Club sold credit card numbers and other account information belonging to an unknown number of customers.
- In 2004, the FTC charged Gateway Learning Corporation with violating federal law when it rented consumers’ personal information to marketers.
- In August 2008, the FBI busted a former Countrywide Home Loan worker who was suspected of downloading the personal information of roughly 20,000 customers a week over a period of two years and then selling it to third parties.
- In March of this year, a Houston bank teller plead guilty to bank fraud, admitting that while employed as a bank teller, he sold customer account information leading to the theft of $53,000 from customer accounts.
- In November 2009, T-Mobile UK has admitted to a breach of the Data Protection Act after its customers’ private details were sold to other companies for a profit.
Of course, these are just a few examples of stolen customer data. If there were a master list, it would be too large for this blog. Though the U.S. has enacted the Children’s Online Privacy Protection Act, the Health Insurance Portability Act and the Fair and Accurate Credit Transactions Act, there is no all-encompassing law regulating the acquisition, storage or use of personal data. Let’s hope that changes soon.
The above article is reprinted from the Risk Management Monitor - the official blog of Risk Management magazine.