Mobile data theft penalties must fit the crime

POSTED BY Global Administrator

A rather shoddy (but, unfortunately, not wholly unexpected) tale unfolded yesterday: that the UK’s Information Commissioner, Christopher Graham, was preparing to prosecute an individual or individuals from an undisclosed network operator who had sold customer data on to brokers, who had in turn sold it on to third-party resellers, who had cold called T-Mobile’s customers as their contracts were about to expire, seeking to persuade them to switch to a different service provider.

By a simple process of elimination – “Hands up if it wasn’t you” – it rapidly transpired that the guilty party or parties hailed from T-Mobile. The network said it had alerted the Information Commissioner’s Office (ICO) after “it reported suspicions of an unlawful trade in customers' data”, and that a single employee had been selling customer details. T-Mobile added that the employee concerned has since left the company and that it had “since put systems in place to minimise the risk of it happening again”.

There are two reasons why it happened in the first place. As the UK is pretty well saturated on the mobile front – nigh on 130% penetration by active SIM cards at the end of Q3 2009 – new subscriptions are at a premium, and thus the third-party resellers are paid hefty commissions if they can entice users from one network to another. Thus, there is a substantial financial incentive to obtain data which might facilitate that process, and if obtaining that data involves passing a proportion of that financial incentive on to someone with access to crucial customer data who will then pass that data on to you, well, so be it, because there’s a lot of hefty commission to go round. That is the first reason. The second is that there is no corresponding financial disincentive (let alone the threat of imprisonment) to make the resellers think that, hang on, I might lose the Porsche, or be doing a few years in chokey, if I get fingered for this.

It has been widely reported that the maximum fine that can currently be imposed for selling on data is £5,000; small beer. Christopher Graham (and the Ministry of Justice) have proposed that this be increased to £500,000, with the additional sanction of jail terms: maximums to be set at 12 months for summary conviction and two years for conviction on indictment. Well, more power to their respective elbows.

But to return to the specifics of this case. Firstly, T-Mobile itself has done nothing wrong. It became suspicious of an employee and acted on those suspicions in the correct manner. Furthermore, the network probably has some cause to feel piqued at the way in which news of the investigation – which T-Mobile had been asked to keep secret, and had done so – had been revealed to the BBC, which had broken the story. Indeed, there is some feeling that the case was made public simply to reinforce the need for the greater punitive fines in the area (which had only been announced the previous week). If one were to level a criticism at the network, it is that it has acted after the event; it has closed the stable door after the horse – or rather several million records of data from thousands of customers – has bolted.

Mobile networks have an awful lot of customer data. Our names, ages, gender, address, bank details; who we call, and for how long; what content we download, and how much of it. In many cases we have had relationships with these networks for several years; we like to think that we can trust them. However, that relationship will be badly damaged, possibly beyond repair, if this incident does not prompt not just T-Mobile, but also other network operators and service providers, to assess both their own internal data security measures and – and this is crucial – the means by which they acquire new customers. Competition for subscriptions should be fierce; it should also be legal.