Sometimes a breach is data theft, sometimes it’s business as usual

Among the latest unauthorized disclosures of personal information making headlines is the admission last week by T-Mobile that thousands of its British customers had essentially become pawns in a “black market” for mobile service subscriber information sold to T-Mobile competitors. It seems that one or more T-Mobile employees sold lists of subscribers nearing the end of their contracts to other mobile service providers; the T-Mobile customers were then contacted by salesmen for the competing carriers who tried to get the T-Mobile customers to switch providers. This case raises a couple of interesting ideas in the debate over the protection of personal information.

While it appears clear from statements from T-Mobile and U.K. authorities that the incident described represents data theft from T-Mobile and is therefore illegal, without the key element of rogue employees misusing corporate data assets for their own gain, the nature of the data sale by itself would not necessarily violate current privacy laws, particularly those in the U.S. that are generally less stringent than data protection regulations in the European Community. The data disclosed — name, mobile number, and contract expiration dates — certainly comprises personally identifiable information (PII) under just about any current definition of the term. The specific data fields in question however are not ones usually characterized as “sensitive” in domain or regulatory contexts such as financial services, health care, education, or public records, although most people do treat mobile telephone numbers as more private or sensitive than landline numbers, in part because mobile numbers are not generally available through public directories. If the sale of the customer data had taken place above-board, conducted by authorized T-Mobile personnel (for instance, to an affiliated third party such as a mobile handset vendor), it’s not at all clear that such a disclosure would violate any American privacy laws (British privacy laws, like those generally applicable in the EU, tend to require customer consent or “opt-in” before any secondary use or additional processing of personal information, even by the company that collected it). Take a look at the privacy policy of just about any large consumer bank or retailer and you will see language asserting a right to share personal customer information with third parties. For example, the Citibank privacy policy for states, “Information collected by a Citigroup affiliate through may be shared with several types of entities, including other affiliates among the family of companies controlled by Citigroup Inc, as well as non-affiliated third parties, such as financial services providers and non-financial organizations, such as companies engaged in direct marketing.” So according to such a privacy policy, and in full compliance with FTC rules, an American company could do what T-Mobile’s thieving employees did without violating any laws or regulations. If you’re thinking, “that doesn’t seem right” then you are seeing the implications of the sectoral approach to data privacy in the United States, in strong contrast to approached favored in other parts of the world, particularly the European Union’s Directive 95/46/EC.