© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'Corporate Privacy Disasters'

Vignettes of Corporate Privacy Disasters

THIS PAGE HAS BEEN SUPERSEDED
HERE'S A FAR LARGER COLLECTION

Roger Clarke **

Revision of 24 March 2007, small rev. 15 June 2007

This page was originally developed as supporting material for:

Clarke R. (2006) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006) 26-31

© Xamax Consultancy Pty Ltd, 2006-07

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://www.rogerclarke.com/DV/PrivCorp-0609.html


Introduction

Handling privacy badly can do a corporation damage. This page provides several vignettes, showing instances of negative impacts on corporations resulting from bad behaviour.


Lotus Marketplace: Households - 1990-91

In April 1990, the then very successful Lotus Corp., in a joint venture with Equifax, developed a product called Lotus MarketPlace: Households - a CD-ROM containing a vast array of consumer data. Consumer protest killed it in January 1991 (Culnan 1991, Culnan & Smith 1995, Gurak 1997).


Intel's Processor Serial Number - 1999-2000

In 1999, Intel announced that it would include a unique Processor Serial Number (PSN) in its new generation of chips, the Pentium III. Among the PSN's stated purposes was the identification of eCommerce customers.

A campaign was quickly mounted by the Electronic Privacy Information Center (EPIC), Junkbusters and Privacy International. Spoofing Intel's 'Intel Inside' advertising campaign, it used the slogan 'Big Brother Inside'.

The company released some batches of chips into the field, but resistance grew even stronger, and much broader, even including the Chinese Government (Guangming 1999). In April 2000, the company announced that it was dropping the feature (McCullagh 2000).


Doubleclick - 1999-2000

Doubleclick's stock price suffered badly following revelations about its privacy-invasive practices. It was forced to abandon its plans to consolidate personal data with the clickstream data it collected online, surreptitiously and without consent (Fields & Cohen 2003).


Eli Lilly - 2001-02

Pharmaceutical company Eli Lilly manufactures the anti-depressant medication Prozac, and ran an e-mail reminder service, Medi-messenger, for people taking it. On 27 July 2001, an auto-generated e-mail message to subscribers placed all of the recipients' e-mail addresses in the To: line of the message (rather than in Bcc:), thereby disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.

The blunder attracted media attention out of all proportion to its small scale, because of the extreme sensitivity of the information disclosed: membership of the list revealed that a person was taking a prescribed anti-depressant. A complaint by the ACLU forced the FTC's hand, and it found against the company (FTC 2002a).
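The Eli Lilly leak is a coding and configuration mistake rather than a policy one, and it is easy to guard against mechanically. The example below is added here and is not code from the page or from Eli Lilly: it builds the leaky message (every subscriber in To:), the corrected form (one message per recipient), and a pre-send guard that rejects any list mailing exposing more than one address in To: or Cc:. The sender address and the three subscriber addresses are constructed for illustration.

```python
"""Mass-mailing recipient disclosure: the leaky pattern, the fix, and a pre-send guard."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list (hypothetical addresses, not from the page).
SUBSCRIBERS = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
]
SENDER = "reminders@example.com"   # assumed sender address for the illustration


def build_leaky_message(subscribers, body):
    """The mistake: one message with every subscriber in the To: header.
    Every recipient can read every other recipient's address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = "Reminder"
    msg.set_content(body)
    return msg


def build_safe_messages(subscribers, body):
    """The fix: one message per subscriber, so the delivered headers name only
    that recipient. Bcc: would also hide the list, but per-recipient messages
    leave nothing for a misconfigured MTA or mail client to expose."""
    out = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = "Reminder"
        msg.set_content(body)
        out.append(msg)
    return out


def visible_recipients(msg):
    """Addresses a recipient can see in the delivered headers (To: and Cc:).
    Bcc: is stripped on submission and is therefore not counted."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def check_before_send(msg, max_visible=1):
    """Pre-send guard for list mail: refuse any message that exposes more than
    max_visible recipient addresses. Returns (ok, reason)."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        return False, f"{len(seen)} recipient addresses visible in To:/Cc:"
    return True, "ok"


if __name__ == "__main__":
    body = "Time for your refill."
    leaky = build_leaky_message(SUBSCRIBERS, body)
    print(check_before_send(leaky))   # (False, '3 recipient addresses visible in To:/Cc:')
    for m in build_safe_messages(SUBSCRIBERS, body):
        print(m["To"], check_before_send(m))
```

The guard belongs in the sending path of any list or bulk-mail tool, not in the template: the Lilly message was auto-generated, so a check on the rendered headers at send time is the control that would actually have fired.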


Microsoft - 2002

As Microsoft sought to hold off gathering storms surrounding the insecurity of Windows and Office, EPIC and others forced the FTC's hand in relation to another set of the company's products.

The company was found by the FTC to have falsely represented that it employed adequate security measures in relation to its Passport and Passport Wallet services (FTC 2002b).


Benetton - 2003

On 12 March 2003, Benetton and Philips Electronics jointly announced that RFID chips were to be installed in Benetton's Sisley clothing line. RFID tags enable tracking not only along the supply chain (which all parties are enthusiastic about), but also in and beyond the retail outlet (RFID 2003; both Benetton and Philips appear to have later withdrawn the Media Release from their sites).

The consumer action group, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), immediately launched a Boycott Benetton campaign. On 4 April 2003, Benetton publicly retreated from its plans (Batista 2003).


ChoicePoint - 2004-07

"In October 2004, ChoicePoint, an Atlanta-based data services provider, discovered it mistakenly issued user accounts to Nigerians posing as a legitimate small business. The scammers potentially gained access to some 140,000 consumer records in ChoicePoint's system. ...

"By February 2005, ChoicePoint's name was splattered across the press in the first of many -- and more serious -- breaches to be revealed under newly adopted state disclosure laws. ...

"The market cap of ChoicePoint ... dropped 22% in the ensuing three months ... Until then, ChoicePoint had been growing its business at a healthy rate of more than 10% a year, but suddenly it became a household term associated with identity theft." ... (all above quotes from Gartner 2006).

A review of the debacle, written for corporate executives such as Chief Information Security Officers, is in Scalet (2005). The company was allowed to settle its liabilities at federal level for $US 15 million, comprising $10 million in civil penalties and $5 million in consumer redress (FTC 2006). A later settlement with the States added a further $0.5 million in penalties - although the legal costs would of course have been higher than that, and the negative publicity much more significant.

The impact was not felt only by the company concerned: "The U.S. Congress convened hearings on the data brokerage and credit industry's practices in managing sensitive customer data." (Gartner 2006)


Google - 2004-

Since 2004, Google has come under increasing fire from privacy activists. The first major salvo related to its Gmail service (PRC 2004). The inherently privacy-intrusive nature of many of Google's services has been exacerbated by the company's cavalier attitudes, by the freedoms it grants itself through its privacy policy statements, and by its evident intention to cross-link the data from its many businesses by imposing a single identifier on each user (Clarke 2006).

To date Google has successfully exploited its status as a successful investment and its 'don't be evil' mantra as shields against sceptical questioning from journalists. The honeymoon won't last forever.


Hewlett-Packard - 2006

In 2006, senior executives of Hewlett-Packard were deeply implicated in "questionable, and perhaps illegal, subterfuge to obtain phone records of [its own] directors and journalists". This resulted in a U.S. House of Representatives Committee writing a letter to the company expressing serious concern about its use of pretexting and data brokers, and initiating Hearings (HoR 2006).

This led to the early departure of the Chairwoman, and forced the company to issue "a statement full of apologies and attempts to restore good relations" (Darlin 2006).

The affair added further fuel to the blaze of publicity about the lack of credibility of the Boards and senior executives of major American corporations. And the collapse of the criminal charges in the courts undermined the credibility of the law. But HP still paid the state of California $14.5 million in penalties.


Unsolicited Telephone Calls

Faced with an ongoing consumer revolt over unsolicited telephone calls, the US Congress finally passed the Do-Not-Call Implementation Act in March 2003. By the end of the first month of operation in October 2003, over 50 million numbers had been signed up with the US National Do-Not-Call Registry, in the expectation that this would prevent marketing calls. That count more than doubled by the end of 2005. Surveys suggest that about 75% of the US private subscriber base has registered.

Some segments of business have made strenuous attempts to have the legislation overturned (but it was found by the courts to be constitutional), and to create loopholes in the Act (so far without success).

As early as November 2003, the FCC proposed to fine AT&T $780,000 for calls to 29 consumers on 78 separate occasions after those consumers had requested that AT&T not call them again (FCC 2003). Miscreants during 2004-05 included American Express, and Dynasty Mortgage, which committed 70 violations at $11,000 each (FCC 2007).

During 2006, DirecTV, a major supplier of satellite TV, was fined $100,000; a commercial book club affiliated with Doubleday forfeited $680,000; and Credit Foundation of America paid nearly $1 million for making deceptive prerecorded calls (Smith 2007).

Regulatory action is hotting up in spam and spyware as well, with the FTC forcing companies that install spyware on unsuspecting users' computers to forfeit more than $6.5 million (Smith 2007).


Inadequate Information Security

The UK Financial Services Authority (FSA) fined Nationwide Building Society £980,000 "for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home" in 2006 (FSA 2007).


Information Security Breach Notification Laws - 2003-...

In the early 2000s, there was a long succession of media stories about leaks of personal data from company databases, primarily in the USA. For one example, see ChoicePoint above. Many involved credit-card details and other data useful for identity fraud. The US Government added fuel to that particular fire by referring to the risks as being to 'identity theft' (whose consequences are severe, but which is uncommon) rather than 'identity fraud' (which has been commonplace for years, long before the Internet, and indeed long before the intrinsically insecure credit-card facility was invented).

There is evidence that these breaches impact share prices, although usually less spectacularly than occurred with ChoicePoint (Campbell et al. 2003, Telang & Wattal 2005, Acquisti et al. 2006). Despite that evidence, however, many corporations and industry associations fail to take appropriate actions to improve the security of personal data.

The Californian legislature responded in 2003, by passing a Security Breach Notification Law (originally SB 1386, now found in California Civil Code Sections 1798.29 and 1798.82). This requires that California consumers be notified when unencrypted sensitive personal data about them is, or is reasonably believed to have been, acquired by an unauthorised person (Givens 2003).

"To September 2006, ..., 34 states have passed information breach notification laws similar to California's" (Gartner 2006). The ripple effect has not been restricted to the USA, with the Australian Privacy Commissioner announcing that she was recommending that such a law be passed in Australia (Miller 2006).


References

Acquisti A., Friedman A. & Telang R. (2006) 'Is There a Cost to Privacy Breaches? An Event Study' Proc. Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, at http://weis2006.econinfosec.org/docs/40.pdf

Batista E. (2003) ''Step Back' for Wireless ID Tech?' Wired News, 8 April 2003, at http://www.wired.com/news/wireless/0,1382,58385,00.html

California Civil Code Sections 1798.29 and 1798.82, Available from http://www.leginfo.ca.gov/calaw.html

Campbell K., Gordon L., Loeb M. & Zhou L. (2003) 'The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market' Journal of Computer Security 11, 3 (Mar 2003) 431-448

Clarke R. (2006) 'Google's Gauntlets' Computer Law & Security Report 22, 4 (July-August 2006) 287-297, at http://www.rogerclarke.com/II/Gurgle0604.html

Culnan M.J. (1991) 'The Lessons of the Lotus MarketPlace: Implications for Consumer Privacy in the 1990's' Proc. 1st Conf. on Computers, Privacy and Freedom, Computing Professionals for Social Responsibility, 1991, at http://www.cpsr.org/prevsite/conferences/cfp91/culnan.html

Culnan M.J. & Smith H.J. (1995) 'Lotus Marketplace: Households...Managing Information Privacy Concerns' in Johnson D.G. & Nissenbaum H. (Eds.) 'Computer Ethics and Social Values', Prentice Hall, 1995

Darlin D. (2006) 'Embattled H.P. Chairwoman to Step Down' The New York Times, 12 September 2006, at http://www.nytimes.com/2006/09/12/business/13hewlettcnd.html?ei=5087&en=f932c7413ca7c72d&ex=1173672000&adxnnl=1&adxnnlx=1158090415-IwqEQTFE8ny1LUZfmgqV1A&excamp=GGBUhpnews

FCC (2007) 'Annual Report on the National Do-Not-Call Registry - 2005' Federal Communications Commission, January 2007, at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-07-279A1.pdf

Fields T.D. & Cohen J. (2003) 'Case Study: Doubleclick Inc.' Harvard Business School Case Study 9-103-016, 2003

FSA (2007) 'FSA fines Nationwide £980,000 for information security lapses', Financial Services Authority, London, FSA/PN/021/2007, 14 February 2007, at http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml

FTC (2002a) 'Eli Lilly Settles FTC Charges Concerning Security Breach' Federal Trade Commission, 18 January 2002, at http://www.ftc.gov/opa/2002/01/elililly.htm

FTC (2002b) 'Microsoft Settles FTC Charges Alleging False Security and Privacy Promises' Federal Trade Commission, 8 August 2002, at http://www.ftc.gov/opa/2002/08/microsoft.htm

FTC (2006) 'ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress' Federal Trade Commission, 26 January 2006, at http://www.ftc.gov/opa/2006/01/choicepoint.htm

Gartner (2006) 'Case Study: ChoicePoint Incident Leads to Improved Security, Others Must Follow' Gartner G001142771, 19 September 2006

Givens B. (2003) 'California Security Breach Notification Law Goes into Effect July 1, 2003' Privacy Rights Clearinghouse, 23 June 2003, at http://www.privacyrights.org/ar/SecurityBreach.htm

Guangming (1999) 'Ministry of Information Industry (MII) Advises Government Agencies on Prudent Use of PIII' Guangming Daily, 30 June 1999, at http://jya.com/cn-p3-peril.htm

Gurak L.J. (1997) 'Persuasion and Privacy in Cyberspace : The Online Protests over Lotus Marketplace and the Clipper Chip' Yale University Press, 1997

HoR (2006) Letter to Hewlett-Packard, Committee on Energy and Commerce, U.S. House of Representatives, 11 September 2006, at http://www.nytimes.com/packages/pdf/business/20060913_HEWLETT/HPLetter.pdf

McCullagh D. (2000) 'Intel Nixes Chip-Tracking ID' Wired News, 27 April 2000, at http://www.wired.com/news/politics/0,1283,35950,00.html

Miller N. (2006) 'Data leaks under review' The Sydney Morning Herald, Next Section, 8 August 2006, at http://www.smh.com.au/news/security/data-leaks-under-review/2006/08/07/1154802814975.html

PRC (2004) 'Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail' Privacy Rights Clearinghouse, 6 April 2004, at http://www.privacyrights.org/ar/GmailLetter.htm

RFID (2003) '' RFID Journal, 12 March 2003, at http://www.rfidjournal.com/article/articleprint/344/-1/1/%20

Scalet S.D. (2005) 'The Five Most Shocking Things About the ChoicePoint Debacle' CSO, May 2005, at http://www.csoonline.com/read/050105/choicepoint.html

Smith R.E. (2007) 'FTC Says It's Gonna Cost Ya', Forbes Commentary, 20 March 2007, at http://www.forbes.com/opinions/2007/03/19/ftc-privacy-fines-oped-cx_res_0320privacy.html

Telang R. & Wattal S. (2005) 'Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation' Proc. Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, at http://infosecon.net/workshop/pdf/telang_wattal.pdf


Acknowledgements

Thanks to Ari Schwarz at CDT in Washington DC, Lee Bygrave in Oslo, Anna Johnston in Sydney, Beth Givens in San Diego, Jason Catlett in New York, Mary Culnan in Boston, Ross Anderson in Cambridge UK, Stephan Engberg in Copenhagen, Robert Ellis Smith of Privacy Journal in Providence RI, and to you for sending me additional leads and references.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.



Created: 27 September 2006 - Last Amended: 15 June 2007 by Roger Clarke - Site Last Verified: 15 February 2009