A colleague of mine in Switzerland today sent me some details of the German Government showing the value of information as an asset, albeit in a manner which is, to my mind, questionable.
The German Government is considering purchasing personal and financial data relating to German nationals which, it is alleged, was stolen from an unnamed Swiss financial institution. The asking price for these records is €2.5 million, which if you apply the figure of 1300 records that Business Week is quoting, puts the price tag on personal data at just under €2000 per record.
Switzerland is outside the EEA (it is an EFTA member but is not in the EEA group of countries). It does, however, have a Data Privacy regime which is viewed by the EU Commission as being “adequate” to give it a 3rd country exemption under EU Data Protection regulations.
My quasi-legal reading of the Swiss statute is that the individual who is seeking to sell the information is acting in breach of Article 35 of the Swiss Federal Act on Data Protection, regardless of whether he is a current or former employee of a Swiss bank. Breaches of that section of the legislation carry with them a potential prison sentence.
Germany is considering purchasing the records to enable it to identify any German residents who have evaded tax through the use of Swiss banking facilities. This is not the first time Germany has purchased stolen data to assist in the investigation of tax evasion.
However, the concept of stolen data being purchased to support the lawful objectives of a country (and by extension supporting the idea of “Information as an Asset”) raises a number of potential issues for Information Asset management professionals:
- If you are a Data Controller (in this case the Swiss bank), are you sure you are managing your information assets appropriately, including but not limited to ensuring their physical security?
- Do you have processes and controls in place to identify instances where personal data may be being stored in Excel spreadsheets or similar files in an unsecure or inappropriate manner?
- Do the leaders of your organisation adequately value (and ideally understand) the Information Assets you have? Or do they spend more on servicing photocopiers than maintaining data? Would they spend more than €2000 per photocopier?
- Do two wrongs make a right? In other circumstances, would you buy evidence from a criminal to support prosecutions for murder, drug dealing, terrorism etc?
- Is it appropriate for a government to potentially promote the theft of personal data by providing a valuation in the marketplace for records? €2000 per record is the price that the German Government may be about to set – how many copycats might seek to enter the purloined personal data market if they believe that they can achieve multi-million turnovers with government approval?
- If the German Government is going to spend taxpayers’ money, what “value for money” assurance process do they have in place over this data? How much duplication is there in the data? Is it in a format that can be readily put into use? Does the dataset contain a percentage of crappy and fictitious data to bulk it out and increase the apparent value? W. Edwards Deming decried the practice in butchers’ shops of mixing fat with minced meat to bulk it up. Drug dealers are renowned for ‘cutting’ their illicit wares with other products to make each unit sold appear bigger. Drug dealers are not renowned for their approach to customer returns and refunds.
- At what point does the fruit of the poisoned tree start to kick in with regards to how electronic evidence is acquired?
Information Management Professionals
- Does the fact that we can mean that we should when it comes to copying personal data around and putting it on our iPods or memory sticks for easy transport?
- While a “greater good” argument can always be made for blowing the whistle on criminal activity that is evidenced by your data, at what point does whistleblowing become fencing stolen goods? When you ask for €1 a record or €100? What about €2000?
- Qui custodiet custodiens? Who watches our watchers? Who watches the Information Professionals to ensure we are acting in an ethical and legal manner? A variety of professional bodies exist, but in general we are a self-policing lot. Trust is everything.
Perhaps the solution here is, as part of the much-mooted “Bretton Woods II” reboot of our financial services industries, to instil a reboot of ethics and to require disclosure of data which would evidence potential criminal activity (e.g. tax evasion) in 3rd countries. This would provide IM professionals with a route and a process to flag these activities rather than copying 1300 records onto a memory stick illegally and then touting them for sale.