Korean credit card companies hit with 90-day, $100m sales ban

Three South Korean credit card firms which are thought to have exposed the personal data of 20 million customers have been forced to suspend all new business for three months in a blow which could cost them nearly $100 million. Korean regulator the Financial Services Commission (FSC) said the firms were not allowed to sign up …

COMMENTS

This topic is closed for new posts.
Bronze badge

That'll learn 'em. If only our own Information Commissioner could have his teeth sharpened to a point like his Korean counterparts.

18
0
Silver badge

But what punishment would the ICO give to all the public sector organisations found breaching data protection?

3
0
Anonymous Coward

Proper punishment, not like the slap on the wrist given to Google for its data slurping.

7
1
Anonymous Coward

taxing the public

As far as I'm aware he can't. The law says the organisation is responsible - so yes - fining the public sector is taxing the public and/or victimising those it serves. He might just be able to name and shame people but even that is dangerous ground.

A more personally orientated law, such as a more moderate form of individual liability, would maybe work (so like health and safety, but leading to civil rather than criminal action maybe). However, I'd like that really to recognise the difference in public versus private sector incentives and obligations somehow.

4
0
Anonymous Coward

If only our own Information Commissioner could have his teeth sharpened to a point like his Korean counterparts.

That's more a political decision. For the moment, the ICO has to make do with pre-wetted noodles to give wrist slaps, which IMHO does more to ENCOURAGE abuse than to stem it, so hats off to the South Koreans here. That sort of fine would even slow down Google.

But what punishment would the ICO give to all the public sector organisations found breaching data protection?

This is where it gets interesting. In my opinion, data loss must move into criminal law and a way must be found to identify the top person in the chain who takes the decisions - a bit like tax evasion eventually becomes personal. That way, you can eventually sling someone into jail if they're not paying attention. I agree with what appears to be your thinking: a financial punishment will not work because it's not their money to start with, but the taxpayer's, so it would just be a budget reshuffle. Maybe we could start with a public naming & shaming? Maybe even tar & feathers?

6
0
Silver badge

"This is where it gets interesting. In my opinion, data loss must move into criminal law and a way must be found to identify the top person in the chain who takes the decisions - a bit like tax evasion eventually becomes personal. That way, you can eventually sling someone into jail if they're not paying attention."

So, do we sling in jail the head of the organization, who knows nothing about programming? The person who left the XSS vulnerability in the website design? Perhaps the head of the company that did the outsourced web site design? Somebody over at Mozilla and Microsoft for leaving the vulnerability? Much as it might seem fun to throw Ballmer in jail for all security vulnerabilities in Windows, you might find it difficult to get people to take on public sector work, particularly at the coding level, if you offer a nice juicy time in the slammer if they make a mistake.

3
1
Anonymous Coward

you might find it difficult to get people to take on public sector work, particularly at the coding level, if you offer a nice juicy time in the slammer if they make a mistake.

The idea is to move the punishment up the management chain to where the decision was actually made - individual or groupwise. A coder just codes, but if management demands a certain level of quality and compliance because their own damn skin is involved it can only be good, and may get rid of the current lowest-bidder culture.

9
0

Without the know-how or experience to personally prove that their demands are being met, all they'll do is out-source it to people who *do* have the know-how and experience, and those are the people that will get it wrong.

Trying to push for personal liability (and jail time, of all things) in such areas is nutty. Privacy breaches are most often the results of mistakes, bad policy, or sheer laziness. Such things might be annoying, but they're hardly criminal. If they were we'd all be locked up at some point in our lives.

0
4
Bronze badge

Q: But what punishment would the ICO give to all the public sector organisations found breaching data protection?

A: A summary execution.

1
0

Re: taxing the public

I like the Health & Safety analogy. Corporate H&S works pretty well because senior managers become responsible in law.

Many years ago, a new Head of Data Centre was parachuted in from the US to run the site I was working at. I got an appointment with him to discuss Health & Safety. The conversation went...

Him: 'Why do I need to know about this stuff - we've got lawyers to deal with it'

Me: 'In the UK it's criminal law and you could go to prison'

Him: 'Tell me about this stuff'

Management don't make coding errors for sure, but they are responsible for their staff and for providing the relevant budget to put appropriate controls in place.

There really does need to be some sort of personal liability associated with Data Protection.

5
0

Re:

No tax collections for 100 days should do it...

2
0
Silver badge

@ DavCrav

Back in WWII there were problems at shipyards with subs going out to trials and never coming back even though they hadn't been through enemy territory. I think they managed to retrieve one such sub and found the root cause was bad welds. So the military instituted a lottery system. Each welder who worked on a sub had his name put in a hat. One name was drawn from the hat and that person went to sea on the maiden voyage of the sub. They very, very, very rarely had issues with welds after the welders' lottery was implemented.

In your particular example, I don't see any good reason to limit to one individual. Each of them played a part in it and shares in culpability. Let the chips fall where they may. Or heads as the case may be.

3
0
Silver badge

Re: A: A summary execution.

Seems a bit wasteful. Send them to the organ bank. That way society at least gets some benefit from them.

Either that or summary execution is being fed to the lions in front of a live studio audience.

1
0
Silver badge

forget tar and feathers

Bring out the brickbats.

edit:

Well, then I read to the end of the thread, and I like the organbank idea better.

2
0
Anonymous Coward

Re: A: A summary execution.

"Either that or summary execution is being fed to the lions in front of a live studio audience." Dress them up as giraffes, first.

0
0
Anonymous Coward

Re: A: A summary execution.

Seems a bit wasteful. Send them to the organ bank. That way society at least gets some benefit from them.

I don't think you'd want to inflict their liver on someone :)

0
0
Silver badge

Re: taxing the public @ TrishaD

"I like the Health & Safety analogy. Corporate H&S works pretty well because senior managers become responsible in law."

Yes, it is a nice thought, but look at the ridiculous over-reach of H&S in the workplace and everywhere else, much of it because people are taking a "no way anyone is going to get me for anything" attitude. The creation of the offense of Corporate Manslaughter has fuelled the rise of the H&S monster to the point where personal responsibility for large chunks of one's own life is a mere fading memory, costing billions of £s each year, and making things stupidly inefficient.

Applying the same principles to DP will lead to nothing new being done, just lots of tweaks to address the merest possibility of maybe sometime happening, and systems becoming effectively impossible to use. How often are you told (wrongly) that something can't be done "because of Data Protection", which means your life just got more difficult? The cost of this attitude is externalised to you and me, and will get worse with serious penalties at the board level.

I want an effective Data Protection watchdog, and I love the idea of making commercial organisations *really* hurt when they are in breach, but I have a horrible feeling that the public sector is effectively invulnerable.

0
0
Bronze badge

can't have this

a government acting in the interest of its citizens. Quick, British and Yank government financial advisers at once!

8
0
Silver badge

That's the way to do it!

Need a Punch icon.

3
0
Anonymous Coward

Re: That's the way to do it!

Money for nothing, and chicks for free?

Sorry :p

2
0
Anonymous Coward

overdone?

While, at first sight, I might applaud, on reflection: this might make them go under, i.e. the stream of customers, more or less steady until now, stopped so abruptly, will not just resume flowing after 3 months. Customers will have found alternative suppliers in these 3 months, and won't just come back when this company resumes their business, unless they discount heavily...

That said: how do all those NEW ventures ever begin? From scratch (sometimes).

0
2
Silver badge

Re: overdone?

Pour encourager les autres...

4
0
Silver badge

I bow before the judicial system of such a country.

Doing that around here would generate an avalanche of protests citing "exceeding authority" or "unconstitutional" and a flood of media spin in favour of the bank subject to punishment.

Remember, our banks are "too big to fail", therefore untouchable even when they patently do wrong.

And yes, I do happen to think that it is the CEO that should go to jail for grave mistakes made by personnel HE IS RESPONSIBLE FOR. But I understand that "responsibility" is nothing more than an entry in the dictionary these days.

7
0
Anonymous Coward

mixed feelings about this...

Yeah. It's good to see a company actually punished.

But do you really think this is coming out of the shareholders' profits? More likely a load of employees will be footing this bill.

0
0
Silver badge

Re: mixed feelings about this...

So long as they are the right employees, I don't have a problem with that.

A long time ago I worked at a company where the receptionist kept her password on a piece of paper under her keyboard. Every year we went through the standard IT security training, which included the bit about not keeping your password on a piece of paper under the keyboard. Everyone on the Help Desk team at one time or another made it a point to raise this issue with her. She stubbornly responded: "There's nothing in my files that's important to anyone and I don't have anything personal on the computer."

3
0
Anonymous Coward

Re: mixed feelings about this...

She stubbornly responded: "There's nothing in my files that's important to anyone and I don't have anything personal on the computer."

Our staff contracts (and inductions) make it VERY clear that we take security seriously - this receptionist would be on probation after her first violation, and terminated after her second. We've already made security as easy as it can be (our own observations are that complexity prompts people to seek a way around it), but we have extremely tight legal obligations to meet, and very high client expectations.

And HR would be asked to explain how we got such a person in the first place...

1
0
Silver badge

Re: HR would be asked to explain how we got such a person in the first place...

She was a very early hire with the company, and, excluding the security violation, the most competent receptionist we had. When she did retire the roulette wheel of receptionists began and we never again had one who matched the rest of her skill set. She was also a very pleasant person.

I have scarier stories than that one. But I'd never post them on a public site, only tell them to friends during a board gaming session on the weekend.

0
0