Privacy remains a significant issue for many telecommunications operators and poses ever-increasing challenges.

This should come as no surprise; operators capture and hold enormous amounts of data on their customers. Furthermore, factors such as new services, the continued digitization of information, as well as more accessible and ever cheaper digital storage, have only increased (and will continue to increase) the amount — and level of sensitivity — of the personal data operators accumulate. More generally, as operators invest in building deeper two-way customer relationships, their growing dependency on customer data will increase the associated risks.

This post also appeared as an article in Inside Telecommunications, Issue 4, 2011

Which information?

What information do operators have on their customers? Personal data is any information that relates to a living individual (not companies) and that can be reasonably linked to that individual. With regard to customers, it typically relates to the following:

table

Note: “XXX” in above table refers to content customers typically don’t want revealed that they are accessing. This is largely pornographic or sexual content, but one could also include in this c ategory content that would hint toward the customer’s religious, racial, political (etc.) preference.

The higher up the table , the more sensitive the nature of the information. While operators need a better understanding of customer data to serve them and build more suitable propositions and pricing, compliance and regulations — as well as customer opinions and perceptions — may restrict that. For example, when KPN mentioned in 2011 that it was using deep-packet inspection to better understand the data usage of its customers for quality of service purposes, it immediately became the center of a media storm, drawing attention from the Dutch parliament and resulting in investigations of the regulator (OPTA).

Furthermore, this data is often dispersed in — or accessible through — a plethora of systems. Having more than 100 different applications that provide access to the data is no better. There is a genuine need for many different people to have access to this data in order to provide the required services. For instance, with the exception of the data shown in the top row of above table, customer care and call center operators (often outsourced) will require access to almost all of this information.

Increasing privacy regulations

As the need for better privacy management expands, countries continue to adopt stronger regulations to address the growing risks and increased privacy concerns. For example, on 25 January 2012, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen privacy rights.

These new, and often stricter, rules can have a real impact. Let’s look at two examples:

  1. In view of operational excellence, many operators are or have been centralizing or outsourcing activities such as call centers, billing and fraud management, and IT operations. However, such projects may require personal information to cross geographic boundaries, which could be forbidden or subject to specific and sometimes contradictory regulations.
  2. Breach notification requirements are proliferating in countries around the world.[1] This means that operators will need to openly notify customers whose personal data has been, or is likely to have been, compromised.

The biggest impact

The biggest impact of a privacy breach is not the fine for noncompliance. It’s the impact on reputation. Increased churn and customer acquisition costs may far outweigh the cost of fines or retributions. The above-mentioned breach notification requirements make it also more likely that a privacy incident is widely discussed in the press and on consumer forums. Even though we live in an age of social media, where many people are sharing their innermost thoughts with the rest of the world, the fact remains that people still value privacy. This might sound like a contradiction, but people want to share strictly on their own terms. Any violation of that will have an impact on operator reputations and eventually profitability.

So where are the risks?

We typically see three main sources of privacy breaches with telecom operators:

1. Unintentionally overstepping the boundaries

How far can operators go in using customer information for their own marketing and selling purposes? The answer is unclear. Some operators are already — though sometimes unknowingly — overstepping the boundaries of customer tolerance and/or privacy regulation. Since customer information has tremendous value to third parties, some operators, such as Verizon Wireless, have changed their privacy policies to allow certain information to be sold, albeit in an anonymously aggregated manner. For example, in Verizon Wireless’ case, the company may now record customers’ location data and web browsing histories, combine them with other personal information such as age and gender, aggregate this with millions of other customers’ data, and sell it on an anonymous basis. Whether customers accept or are even aware of these practices is uncertain.

2. Accidental breaches

This type of breach involves accidental loss or sharing of personal data. This could be through the loss of a laptop or by mistakenly providing personal data of one customer to another customer.

3. Deliberate privacy breaches

Highly sensitive information is a target for hackers to sell or to abuse. High-profile cyber-crime intrusions come to mind. The vast number of intrusions in 2011 has shown this threat is real. However, breaches also come from internal sources — for example, a customer care employee providing call details about the wife of a friend to help his divorce case.

Critical advice

Keep track
Customer data is often at the heart of the telecom operator’s business. Knowing where this data is created, captured and stored; how it’s subsequently processed, shared and transferred; who has access to it (and why); and how and when the data is disposed of — these are all significant exercises that many operators have yet to undertake, or which urgently require updating.

Ensure privacy awareness
With so many people with access to sensitive personal information, the inherent risk of human error and threat of personal manipulation (referred to as “social engineering” by security experts) to obtain data are high. As such, specific awareness campaigns are required.

Have a privacy officer with sufficient business insight
Most operators have privacy officers, or similar functions. But all too often, this is an isolated function with too much focus on the theoretical policy aspects of privacy. They are unable to translate regulatory, business and IT requirements. Consequently, the definition of privacy professionals is changing. Privacy is a multidisciplinary subject that requires knowledge of the organization’s different functions, as well as an understanding and collaboration with other information stakeholders. We believe operators truly need privacy officers that understand the business processes as well as the company’s product and service offerings. These individuals should be able to work the business departments in order to establish privacy in practice, rather than just on paper. In addition to individuals for whom privacy is their core profession, there is also a rising trend of privacy skills and knowledge coalescing outside the privacy office. HR, security, IT, internal audit, marketing, records management and other functions increasingly have some percentage of their roles dedicated to privacy.

Implement “privacy by design”
Evolving from a concept to an essential component of privacy protection, privacy by design stresses the importance of embedding privacy into new technologies and business practices from the beginning.

Define appropriate procedures
In many countries, people have the right to request access to any personal data companies hold on them. For an operator, it can be quite a challenge to respond to such requests in a timely manner, if at all. Yet, failure to do so may trigger regulatory investigations or bad press. Proper incident management is equally important, especially with an incident communication plan in case of a (suspected) privacy breach. Being prepared for such events by having the necessary procedures in place to deal with them is vital to managing their impact.

Impacts of proposed EU privacy regulations

Compared to the existing directive (94/46/EC), the new proposed regulation will impact the telecom operators in the following main ways:

  • A single law (the European Commission proposes a regulation, not a directive) that will do away with the current fragmentation and costly administrative burdens
  • Requirement to designate a data protection officer
  • Requirement to implement a “privacy by design” principle
  • The obligation to carry out data impact assessments
  • A new drive to the privacy topic, by strengthening national data protection authorities’ independence and powers (which was not yet the case for all EU countries), it will also enhance administrative and judicial remedies when data protection rights are violated. In particular, qualified associations will be able to bring actions to court on behalf of the individual
  • Introduction of fines up to 2% of a company’s annual worldwide turnover
  • Simplification of personal data crossing borders within EU member states, but also outside the EU, based on Binding Corporate Rules (BCR) being validated by only one national data protection authority — especially relevant in case of outsourcing or centralizing activities
  • Implementation of stricter breach notification (breach notification already existed in telecom regulation, but it was not yet adopted in all EU countries, even though the deadline was June 2011)

The EU also proposes a new directive (replacing Framework Decision 2008/977/ JHA16) setting out rules on the protection of personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. This new directive will affect data retention and other rules around judicial investigation.

End notes

[1] Many US states already have breach notification requirements in place, but such requirements are also included in the draft proposal for the new General Data Protection Regulation, as well as in the latest amendments to the existing e-privacy directive (under Article 4 of the amended e-privacy directive — Dir. 2009/136/EC, amending Dir. 2002/58/EC — electronic communications providers must report personal data breaches without delay to the competent national authority, and to subscribers or individuals when the breach is likely to adversely affect their personal data).

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply