No one wants to be Telstra right now; exposing your customers' data is never a smart thing to do. But we need more companies to follow its lead — not in exposing data, but in actually doing something about it once it has happened.
If you imagine for a second that you're a Telstra executive responsible for managing the massive stuff-up, the thought may run through your mind to find a way to quietly dismiss it, sweep it under the rug or not make a huge deal about it. Perhaps you might even deny that it was ever a problem. It would be tempting to do whatever needs to be done to make the problem go away with the least amount of pain.
But Telstra did make the hard call, even if it was its only call, to come clean and hand itself over to the privacy commissioner. It notified its customers, it issued apologies, it responded to the hundreds if not thousands of tweets from frustrated and angry customers, it worked tirelessly over the weekend in answering customer calls. As I understand it, it is also issuing compensation to those who have had their privacy breached.
Since it required over 60,000 customers to call in and reset their passwords over the phone, asking each of them for personal information to verify their accounts can't have been easy.
While it's questionable what the company meant by the "internal error" that caused the problem, and whether the actions it is now taking to solve it are appropriate, I think that Telstra did well with regard to coming clean to its customers.
You may ask why I'd applaud the efforts of a company that in the public eye did something atrocious, but the reason is that its transparent follow-up is the exception rather than the norm.
I agree with Sophos head of technology Paul Ducklin's sentiment that "no data breach is acceptable", but I think that this sort of transparency is exactly what people should expect of companies that mismanage their customers' information. Sadly, this level of transparency isn't always the case.
After all, what company in its right mind would do such a thing if it thought that it could quietly get away with it?
Umart admitted that it knew there was a problem with its customer database a while ago, but, to my knowledge, it hasn't apologised to its customers, notified them or informed the privacy commissioner.
Could we expect it to put on extra staff on a weekend to answer angry customers' queries? Would we ever dream of seeing it provide its customers with compensation? Will it hand itself in to the privacy commissioner? Hell would freeze over first.
It's probably easier, from the company's point of view, for customers to approach the privacy commissioner themselves and force it into an investigation — and that's only if the customer ever finds out. That investigation might result in the company issuing an apology, or perhaps some compensation to that customer in particular, but what about the rest of the customers whom it isn't legally required to notify, given our lack of data breach-notification laws?
At the end of the day, companies have been trusted with personal information, and customers should be given the common decency to at least know when that trust has been broken so that they can secure themselves. At the moment, it makes more economic sense for companies to limit knowledge of a breach occurring, and compensate the few who do happen to find out.
So, while I find it worthy to applaud Telstra's transparency, since it has walked a path that few would ever want to tread, it's pathetic that doing the right thing is the exception and not the rule. That's not to say it's impossible that Telstra has quietly swept privacy issues under the rug in previous cases.
The Australian Communications Consumer Action Network (ACCAN) chief executive Teresa Corbin's call for the privacy commission to further investigate Telstra is along the right lines in holding companies accountable, but it doesn't go far enough. It's not just Telstra that could have hidden privacy issues; it's every company that deals with customers' personal information.
There's a lot of anger towards Telstra, but what about those companies that don't say anything? What about the lack of data breach-notification laws, even though they were brought up in 2009? If people are angry that their information may have been exposed, then perhaps they should be angry that not enough is being done to point out who is doing it.