Crime and Punishment

Posted by Pete Feb. 10, 2014 in Passwords & Security

Have you ever ‘bleached’ a desk to get rid of DNA evidence? At work? Or, maybe it was to cover up a failed home project from your spouse?

Nope, neither have we.

Barclays

An article in the Mail Online quotes a former broker as saying that he was ordered by a former boss to do just that. While not saying that this is standard broker operating procedure, the bleaching was judged necessary because their shady and illegal dealings – strangely, not all that unusual or uncommon (at least in the investment industry) – were catching up with the brokers, and they had to scram before they were discovered by the people they had conned and by the authorities.

[And all this time we had thought that the incredible storylines for British TV shows like Luther and Sherlock were all made up!]

The unnamed broker quoted by the Mail Online is coming forward to blow the whistle on the shady practices and ‘dodgy schemes’ of [London] City investment traders.

Why, you may ask, are we writing about this in a blog that has to do with passwords and technology security?

Up to 27,000 Barclays’ customer files were stolen and misused by unscrupulous traders. The ‘loss is a breach of [Barclays’] obligation under the Data Protection Act [of the United Kingdom] to keep personal information secure.’

Note that while the files are in digital format, there hasn’t yet been any suggestion of a technology exploit being the reason for the files getting into the wrong hands.

Leading question: If there had been a hint that the files had been nicked by cyber bad guys, would the authors of the article be calling this just a violation of the Data Protection Act, or would they be calling for new laws and fines?

Would the damage to the injured parties be any greater or less simply because of the way their trust had been violated and their data had been stolen and misused?

The 27,000 victims would still be victims, regardless of whether an employee of the bank walked out with a flash drive, or someone had broken through a firewall.

So, what’s the point? The article mentions that this will result in fines for the bank.

So often have we heard about corporate fines that you’ll forgive us for suspecting that corporations consider these ‘penalties’ to be part of standard operating procedure, i.e. the cost of doing business. Consider a few fines mentioned in the article:

– in 2009 HSBC was fined £3 million (approximately $5 million) for being ‘careless’ with customer data – they ‘lost’ disks in the mail

– in 2010 the UK branch of Zurich Insurance was fined £2.275 million ($3.8 million) after ‘losing’ the data of 46,000 customers

– in 2011 Barclays was fined £290 million ($490 million) for interest rate rigging

It does seem that UK banks aren’t all that careful with customer data. (Note to UK-based friends: you might want to consider other banking options.)

Then another – staggering – number caught our attention: Barclays is preparing bonuses with ‘as much as £2.4 billion ($4.1 billion) set to be handed out to staff.’ (Does that include the partners?) Now that’s real money!

Leading question: If you have £2.4 billion to give out as bonuses, do you even flinch over a £290 million fine!?

For Barclays, the tally is £2.69 billion ($4.6 billion) paid out – after tax – just in the last couple of years.

In our humble opinion, fines aren’t going to raise the level of responsibility among employees of these corporations. We noticed that in the list of example fines given in the article, there is no indication that any individual at the banks was even fired, much less charged with a crime (such as criminal negligence).

We humbly submit that new or higher fines aren’t going to protect our personal data from the realities of cybercrime. If nothing else, a fine is not collected as a remedy that goes to the victims, but rather is an inadequate penalty to corporations that goes to agencies and bureaucracies.

Let’s have serious laws that protect our personal data. Just as a company is liable for ‘losing’ our files when someone breaks into their offices, the same should apply in the realm of digital data and the Internet.

Why shouldn’t the law support criminal charges against a corporate officer when a worldwide corporation ‘loses’ its customers’ banking details?

The same applies to civil suits brought by victims against corporations that have violated the written and implied contracts to protect their customers’ personal data.