Shostack + Friends Blog Archive

Disclosure in The UK

Scotsman.com reports “Standard Life customers are hit by breach in security,” and Computerworld.uk reports that a “Laptop containing Southend children’s social services case notes bought on eBay.”

In the US, neither of these would even be news. They're both small, first-time mistakes. Both would probably require notice under state law.

However, it’s anarchy in the UK. There are no disclosure requirements. So why did Standard Life say this:

It said: “There has been an individual error in systems employed for the production of contract notes by Standard Life Investments.

“Less than 0.2 per cent of our valued investors have been impacted by this. We have acted swiftly to make investors aware of the error.”

I’ve said before that there’s a new standard out there, even ahead of the laws. It requires owning up to mistakes, and doing so promptly.

I want to be clear on something: customers prefer it that way. Every customer impacted knew about it (they got someone else's bank statement). I bet fewer than 15 leave.

8 comments on "Disclosure in The UK"

  • Nicko says:

    I’ve said before that there’s a new standard out there, even ahead of the laws. It requires owning up to mistakes, and doing so promptly.
    I think that there is also a cultural difference between the US and the UK. While it is not universal, I do think that there is a much greater willingness for organisations to own up to mistakes over here, which I suspect stems from the whole society being much less litigious. Over here we have the concept of an “honest mistake”, which seems to be somewhat lost on a country where everything has to be someone’s fault.

  • Chris says:

    Interesting that there are maybe 1/20th as many “honest mistakes” about which we have information from the UK as compared to the US, then.
    Not to defend the lawsuit-happy US, but it could also be that the willingness of Standard Life to own up has as much to do with the recent 780,000 pound (IIRC) fine against the building society whose name I cannot recall as it does the more straight-up British organizational temperament.
    To Adam’s point, regulations AND attitudes are changing. I would say the latter are changing at least in part with regard to the former being in the pipeline.

  • Rob Newby says:

    That’s Nationwide you’re referring to Chris. I have a friend who was working for one of their subsidiaries at the time, (it was £980,000 they were fined). The FSA took umbrage at them losing a laptop with customer details on it and then waiting 3 weeks before they took any action – to tell the 11 million potentially affected customers.
    I think other points you both make have to do with the relative size of each country as well as general attitudes to security. Where Americans are litigious, in the UK we tend to be lax until something happens, then get really angry about it. It just happens that someone got angry and realised he could fine someone, so did.
    More relevant here I think however is the fact that if something bad happens in the UK, the whole country knows about it, and a bank could be out of business with that kind of bad publicity. In the US, a larger proportion will not be interested in the news.
    The FSA have inadvertently created something with much the same effect as a disclosure law, the threat of being shown to be a bad business.

  • Chris says:

    Thanks Rob!
    (What’s £200,000 among friends? :^))
    Interesting point about “bad news travels fast”, and also doesn’t have to go as far. I wonder if your opinion about customers voting with their feet would actually be true. Certainly there’s a belief over here that they would — a belief reinforced by the Ponemon Institute’s latest report, about which Adam has blogged. I suppose it depends in part on switching costs. Maybe I am lazier than most, but switching banks is a PITA, so I am not so sure that customer loss is a big worry for situations where gross incompetence (as opposed to an honest mistake or plain old bad luck) isn’t the cause. It’s an intriguing question.

  • Rob Newby says:

    That’s an extremely good point, which I had missed. I’m more likely to forgive someone for a small coding error than I am to forgive them for constantly handing out my credit card details out the back door.
    Customer loyalty, or “laziness” as you so correctly put it, is something the banks rely on a lot. Switching isn’t so hard these days, and there’s little benefit in remaining loyal. I would encourage it, if only to see what savings you can make!
    I still think that the FSA have made a scapegoat of Nationwide, and rightly so. It will make other banks think twice about not owning up immediately, effectively creating the disclosure law which the UK so badly needs.

  • Dissent says:

    Chris: do we have any banks here that haven’t had a breach that we could switch to? 🙂
    As to the “coming forward” bit in the U.K., they’ve had their own share of denial leading to “black eye” and bad rep — like the Powergen incident about 5 years ago. And with more people immediately contacting the media before the police (as in the recent MTAS breach in the UK), such “coming forward” may not be anything more than trying to put the spin on an incident before it’s revealed.
    In any event, as Adam notes, customers prefer to hear promptly from the company.

  • Chris says:

    I am sure customers say they prefer it, and they probably do in some abstract sense. I bet it doesn't translate into action. I agree with Adam — hardly anyone is going to switch due to this.
    What I would like is some real information about the extent to which this sort of PII exposure leads to ID theft. One recommendation in the recent GAO report that I haven't seen written about is that precisely this be measured. No doubt the folks at ID Analytics are now deciding which color leather is best for their M5s (the answer is "black"), but I agree that this is a question which needs to be found.

Comments are closed.