Lessons from T-Mobile

November 18, 2009

I thought twice about covering the T-Mobile story on the site at all. After all, UK SCL members will have read about it in the mainstream media – half of you have probably commented on its implications yourselves. I decided that we would cover it, albeit quite formally. What really interests me is what the upshot of this might be (and the media coverage of it). I hope to go back later and review some of the coverage and the message that the public have presumably taken from it. But I can hardly resist commenting now on the occasional mention of the incident as a ‘leak’ – it is certainly not a leak when employees walk out with bucket-loads of data. My main focus now is on the lessons which might be drawn from the incident.

The first obvious lesson is already well known and has been recently covered in an article on this site: employees are the greatest weakness of most data security systems, especially in hard times.

The lesson which the ICO seem intent on making clear is that the penalties for such behaviour are inadequate. I have already expressed my doubts about the desire to imprison for such breaches, but I confess that the first look at the circumstances here suggests that the Commissioner might have a strong point. It’s still not quite enough to convince me. It will be interesting to see the full facts in this case and then make comparisons with, say, the sentencing regime that applies to theft. Of course it is only the full facts that will enable us to see whether other, already imprisonable, offences have been committed en route, as has been the case with most of the earlier incidents that have supposedly been scandalously punished in the past.

The lesson that I fear data holders who discover a breach may draw is simple: not to tell the ICO. T-Mobile have got an avalanche of bad publicity just before the crucial Christmas selling season. T-Mobile seem to have expected the ICO to sit tight on their report. The ICO seems to have believed that it could reveal the facts without naming the company – if that is so the ICO were foolish but that seems to be their position. The joyful cries of ‘Not me’ from T-Mobile’s rivals were entirely predictable and the missing piece of information in the ICO press release was always likely to increase press interest rather than provide a cloak of protection for T-Mobile.

I hasten to add that this is not the right lesson to be drawn. But, as this incident demonstrates, people too often act with short-term interests in mind. In the future, companies coming across this sort of breach may look at short-term losses and shy away from doing the right thing. The ICO too may look at its gain – the seemingly inevitable implementation of the increased penalties – and wonder if the press release highlighting the need for them did not carry with it some long-term loss.