A monster mess

It has been reported that the details of some 4.5 million jobseekers have been stolen from Monster.co.uk, the online recruitment company. Information stolen included names, passwords, contact details as well as what the company referred to as other ‘demographic’ information. The company insisted, however, that no CVs or financial information were amongst the stolen data. Reassuring!
This is not the first time that the company has been attacked in this way. In 2007 the US arm, monster.com, was infected by a virus which enabled the details of 1.6 million of its customers to be stolen.
While the internet has delivered immeasurable benefits, it has enabled criminal masterminds to access increasingly valuable personal data with seemingly relative ease. Internet users need to be assured that, when a company requires them to give out personal information, the company will take the necessary steps to ensure that the data is looked after.
The Data Protection Act (the “DPA”) places obligations on all companies that process personal data such as names and addresses. In particular the DPA requires that websites which collect personal data must do so in a way that is sufficiently secure, for example by encrypting the data.
Serious breaches are not confined to the private sector. As various security blunders over the last few years have shown, even the government cannot seem to adhere to basic data security measures.
This does then beg the question: how safe is our personal information in the hands of the public and private sector alike? To what lengths should companies go to protect our personal information? The DPA requires only that firms use the most appropriate measures, having regard to the harm that may result and the nature of the information that is processed. In light of the fact that monster.co.uk is a company that processes personal information of millions of people, one would argue that their security measures should rank near the top end of the protection scale. Indeed, one might ask how a breach such as this can happen a second time?
The government has taken steps to show that it takes privacy breaches seriously by endowing the Information Commissioner with the power to impose substantial fines on firms for major privacy breaches. It was hoped that the introduction of this power would jolt firms into tightening up their security practices. To give the Information Commissioner some teeth, the government should not delay in bringing these new powers into force and setting the amounts of potential fines at a meaningful level.
The amount of our personal information in the hands of others will vastly increase when the UK implements the European Union’s Data Retention Directive. From 15 March 2009 Internet service providers will have to keep records of all emails passing through their servers for one year. The justification is to aid in the war against terror and serious crime. However, many argue that this legislation is not only disproportionate and rides rough-shod over an individual’s rights to privacy, but is also not likely to be very effective in preventing or detecting crime. Moreover, based on recent experience, many are justifiably concerned that their data may not be secure and that it could be illegitimately used for all sorts of other purposes.
Will the new data retention regime be a breakthrough in the worldwide fight against crime, or easy pickings for the sophisticated 21st century criminal and a data accident waiting to happen? In a world where one man can infiltrate the systems of the US Army, Navy and NASA, who can we trust with our personal data?
Date: 28/01/2009 | Author: ebizlaw team