By: Sonny Zulhuda
This paper seeks to provide an overview of the legal risk and liability issues that arise in the management of personal data under e-security policies. It argues that if personal data is properly managed, not only can legal liabilities be avoided but organizations can turn the practice of personal data management into a corporate asset-building exercise. By the end of this paper, the reader should understand how personal data should be managed in a proactive and structured manner in the context of an organization’s e-security policies.
Information assets have become key corporate assets in this information economy, and the need for organizations to ensure the security of such assets has become an imperative. With the growing complexity of information asset management, organizations need to review their e-security policy and reformulate the ways and mechanisms by which they manage the confidentiality, integrity and availability of information assets. A central issue in the management of e-security policy is the need to ensure the confidentiality and privacy of personal data of individuals related to the business: personal data about employees, business partners, investors and consumers.
The management and protection of personal data have become important issues for organizations for two reasons. First, individuals, particularly consumers, have a right to control the use and flow of information about themselves, and organizations must respect this right and accord the necessary legal protection. Secondly, more and more governments throughout the world are legislating to regulate businesses’ use and exploitation of personal data. This paper seeks to highlight the legal risk management aspects of the use and exploitation of personal data.
Why personal data is important to businesses
Consumers’ personal data are valuable to businesses, and organizations are constantly collecting, swapping, processing, storing and selling personal data as a commodity, especially data belonging to consumers. In a networked environment, huge amounts of personal data can now be collected from Internet users and aggregated to create a profile of their online activities and preferences. In some cases, this collection and aggregation may take place without the data owners’ knowledge! In a networked world, ensuring the privacy of consumers is much more difficult than in the physical world.
There are different categories of personal data. The first category is personal data relating to the people within the business organization: investors, directors, employees, and any outsourced or business partners. Anyone who has access to such personal data may, for instance, be able to assess the financial standing of the organization from the remuneration these individuals receive. The second category of personal data relates to the public at large, i.e. past, current and prospective consumers of a business entity. Such personal data are critical to businesses, as they help them shape their business objectives and their product marketing strategy.
How the Misuse Takes Place
The availability of bulk personal data in the networked world has lured businesses and organizations into exploiting it for their own purposes, and they often take this for granted. The fact is that such personal data are like ‘missing properties’: the original owners (or ‘data subjects’, as they are technically referred to) may subsequently come forward and object to the unauthorized acquisition and use of their personal data, and a legal suit may follow. This is the potential pitfall that businesses have overlooked. It is therefore essential for them to make sure that what they do with people’s personal data does not expose them to legal liability instead of yielding economic benefit. The discussion that follows highlights the most common business practices that involve misuse of personal data and expose organizations to legal liability risk.
The first is the business practice of mapping Net users’ IP addresses. Every time a user connects to the Internet, he or she is assigned a unique IP address. It is possible for a website owner to find out information about a user simply from the user’s request for information from the website. The user’s IP address and remote host are identified. Also passed along in this transaction are the user’s browser type and version, the type of computer used, the operating system, the screen resolution, and the date and time of the visit. Websites record all this information in huge log files, which allow them to identify the ‘click-trails’ of people surfing through their site.
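To make the log-file practice concrete from the data-management side, the following added example (not code from the original paper) parses constructed web server log lines in the common Apache/NCSA 'combined' format, extracts the visitor fields the paragraph lists (IP address, timestamp, request, referrer and User-Agent), reconstructs the ‘click-trail’ per visitor, and shows a minimisation step an organization can apply before retaining the log: masking the host part of the address, replacing it with a keyed pseudonym, and dropping device and query-string detail. The sample addresses, paths and secret are constructed for illustration.

```python
"""Parse the visitor information a web server log line records and
apply a data-minimisation step before the line is retained.

Added example for this paper, not code from the original. The log lines
are constructed in the Apache/NCSA 'combined' format, which records the
fields the text lists: client IP, timestamp, request, referrer and
User-Agent (browser, operating system, device)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the addresses are documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /catalogue HTTP/1.1" 200 5123 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
203.0.113.45 - - [10/Oct/2023:13:56:02 +0000] "GET /catalogue/item?id=42 HTTP/1.1" 200 987 "https://example.com/catalogue" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:57:11 +0000] "GET /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the personal-data-bearing fields of one combined-format log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log format: " + line)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["request"].split(" ")[1] if " " in rec["request"] else rec["request"]
    return rec


def mask_ip(ip):
    """Zero the host octet of an IPv4 address so a single machine is no longer identified."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 address expected: " + ip)
    return ".".join(parts[:3] + ["0"])


def pseudonymise(ip, secret):
    """Keyed hash of the address: repeat visits can be counted without storing the address."""
    return hashlib.sha256((secret + ip).encode()).hexdigest()[:16]


def minimise(rec, secret):
    """Copy of a parsed record with the visitor identifiers reduced."""
    out = dict(rec)
    out["visitor"] = pseudonymise(rec["ip"], secret)
    out["ip"] = mask_ip(rec["ip"])
    out["agent"] = rec["agent"].split(" (")[0]      # keep browser family, drop OS/device
    out["referrer"] = rec["referrer"].split("?")[0]  # drop query strings that may carry data
    out["path"] = rec["path"].split("?")[0]
    return out


def process(log_text, secret):
    """Parse and minimise every non-empty line of a log."""
    return [minimise(parse_line(l), secret) for l in log_text.splitlines() if l.strip()]


def click_trails(records):
    """Group request paths by pseudonymous visitor: the 'click-trail' the text describes."""
    trails = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        trails[rec["visitor"]].append(rec["path"])
    return dict(trails)


if __name__ == "__main__":
    recs = process(SAMPLE_LOG, "rotate-this-secret")
    for rec in recs:
        print(rec["ip"], rec["visitor"], rec["path"], rec["agent"])
    print(click_trails(recs))
```

The keyed pseudonym keeps the analytic value of the log (the same visitor’s requests still group into one trail) while the stored record no longer contains the address itself; rotating the secret periodically also bounds how long trails can be joined across time.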
This mapping of IP addresses is closely linked to the second practice, i.e. the placement of cookie files by a website. Cookies are pieces of information sent by a web server to a web browser, which the browser software is expected to save and send back to the server whenever the browser makes further requests to that server.
Cookie files act like a spy in one’s computer. Once a web page is loaded on the user’s screen, cookies are stored on his hard drive. Commercial sites would then receive information on the sites he visits subsequently, and are thus able to trace a user’s activities and preferences on the Net, including how long one spends on a particular page and information supplied via forms, such as email addresses, passwords and credit card numbers. Through these unauthorized practices over the personal data of individuals, commercial website operators often put themselves in the position of infringing privacy online.
The potential misuse of personal data is even more evident in the area of marketing. Advertising companies use the information collected to send direct advertisements to users, often flooding their email accounts to the users’ annoyance. This practice, known as ‘spamming’, is another threat to the right to privacy on the Internet.
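The cookie round-trip described in the two paragraphs above can be simulated with a small browser-side cookie store, as in the following added example (not code from the original paper). A server sets a cookie with a Set-Cookie header; the store keeps it and, on later requests, attaches it only to the site, path and scheme it is scoped to. Walking through one shop host and one advertising host embedded in its pages shows both why a cookie is echoed back on subsequent visits and where the protective attributes (Secure, HttpOnly, a Domain the browser refuses to accept from an unrelated host) limit what is disclosed. Only the standard library is used; the host names and cookie values are constructed for illustration.

```python
"""Simulate the cookie round-trip described above: a server sets a cookie,
the browser stores it and echoes it back only to a matching site, path and scheme.

Added example for this paper, not code from the original; it uses only the
standard library, and the host names are constructed for illustration."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def _domain_matches(host, cookie_domain):
    """True if host is the cookie's domain or a sub-domain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


class CookieJar:
    """Minimal browser-side store applying the scoping rules a real browser applies."""

    def __init__(self):
        self.store = []

    def receive(self, set_cookie_value, origin_host):
        """Store the cookies from one Set-Cookie header sent by origin_host."""
        origin_host = origin_host.lower()
        jar = SimpleCookie()
        jar.load(set_cookie_value)
        for name, morsel in jar.items():
            host_only = not morsel["domain"]  # no Domain attribute: exact host only
            domain = (morsel["domain"] or origin_host).lstrip(".").lower()
            # A site may scope a cookie to itself or a parent domain, never to an unrelated site.
            if not _domain_matches(origin_host, domain):
                continue
            self.store.append({
                "name": name,
                "value": morsel.value,
                "domain": domain,
                "host_only": host_only,
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),      # only sent over https
                "httponly": bool(morsel["httponly"]),  # hidden from page scripts
            })

    def cookie_header(self, url):
        """The Cookie header the browser would attach to a request for url ('' if none)."""
        u = urlparse(url)
        host = (u.hostname or "").lower()
        path = u.path or "/"
        sent = []
        for ck in self.store:
            domain_ok = host == ck["domain"] if ck["host_only"] else _domain_matches(host, ck["domain"])
            path_ok = path == ck["path"] or path.startswith(ck["path"].rstrip("/") + "/")
            scheme_ok = u.scheme == "https" or not ck["secure"]
            if domain_ok and path_ok and scheme_ok:
                sent.append(f'{ck["name"]}={ck["value"]}')
        return "; ".join(sent)

    def script_visible(self):
        """Cookie names a page script could read (HttpOnly cookies are excluded)."""
        return [ck["name"] for ck in self.store if not ck["httponly"]]


def demo():
    """Walk through the exchange and return what each request would carry."""
    jar = CookieJar()
    # The shop sets a session cookie with protective attributes.
    jar.receive("session=s3cr3t; Path=/; Secure; HttpOnly", "shop.example")
    # An advertising host embedded in the shop's pages sets its own cookie.
    jar.receive("track=v1; Domain=ads.example; Path=/", "ads.example")
    # A host trying to plant a cookie for another site is rejected by the browser.
    jar.receive("rejected=1; Domain=shop.example; Path=/", "ads.example")
    return {
        "shop_https": jar.cookie_header("https://shop.example/catalogue"),
        "shop_http": jar.cookie_header("http://shop.example/catalogue"),
        "ads_from_shop_page": jar.cookie_header("https://ads.example/pixel?site=shop"),
        "ads_from_news_page": jar.cookie_header("https://ads.example/pixel?site=news"),
        "script_visible": jar.script_visible(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The two `ads_from_*` results are the mechanism behind the text’s point: a third-party host embedded on many sites receives the same cookie from each of them and can therefore link one visitor’s activity across those sites, while the shop’s own Secure and HttpOnly session cookie is never sent in clear text nor exposed to page scripts.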
Spam has been referred to as ‘Unsolicited Commercial Email’ (UCE). The problem of UCE is said to be the leading complaint of Internet users (Hunter). But junk e-mail is more than just annoying: it costs Internet users and Internet-based businesses millions, even billions, per year. Junk e-mail is “postage due” marketing; it is like a telemarketer calling you collect. The economics of junk e-mail encourage massive abuse, and because junk e-mailers can get into the business very cheaply, the volume of junk e-mail is increasing every day. The inconvenience associated with spamming centres on the annoyance it causes and the technical problems that may follow from a flooded email system.
At least five reasons can be summarized as to why junk mail has become such a problem for Internet users. The first is that spammers (i.e. online marketers) can easily send hundreds or thousands of emails in a short time, at a very cheap price, and at the expense of the receivers of those junk emails. Since a receiver must bear the cost of opening and dealing with every message received, this amounts to cost shifting from the spammers to the receiver. Secondly, marketing companies usually commit fraud and deception, because UCEs are often sent with deceptive subject lines so as to lure the receiver into opening and reading them. This annoys users and deprives them of the convenient use of their email. The third and fourth reasons are more technical in nature. Bulk emails displace normal emails, and at the end of the day a Net user will find that his mailbox is flooded with junk emails alone and that his store of other emails has been automatically removed. This unapproved removal sometimes leads to the deletion of important mails kept in the user’s storage system.
Last but not least, the question of ethics comes into the picture. Accepted norms and ethics do not approve of this kind of unsolicited business practice. Given that there is an economic incentive to send junk e-mail, users and Internet Service Providers will need some legal recourse to stop the growing flood. That is why, in 1997, the Coalition Against Unsolicited Commercial Email (CAUCE) in the United States proposed an amendment to the US Federal statute that outlaws junk faxes (47 USC 227) so that it would also prohibit junk e-mail.