Sunday, September 27, 2009

Enforcing Responsibility via Business Regulations

For those of us on this side of the globe, you may not have caught this earlier this week; in fact it's still making the Australian papers and news! As I was catching up on my Google news alerts for the last few days, I kept coming across headlines that read "Bolton Tangled in Web Scam" and "Bolton Faces Losing Internet Companies" ... sounded ominous, so I decided to give it a read.

Here's the story... apparently a chap named Nicholas Bolton, who owns multiple domain name companies in Australia, has had his ability to do business at one of his registrars (Bottle Domains) revoked. This means that not only can he not take new registrations, but he can no longer do business at all... thus he loses his company. What did he do to deserve such a harsh judgement? How did this all happen?

Apparently, back in January of this year the database of Australian Style (the parent company of Bottle Domains) and its subsidiary Bottle Domains was compromised. The authorities knew this to be the case because the details of some 40,000 of the customers were for sale out on the Internet. That's pretty bad. What happened next was worse. During the course of the ensuing investigation, the auDA caught wind of a previous data breach dating back to 2007 which Bolton had failed to properly notify his customers about.

According to the Sydney Morning Herald ...
"As a result, auDA terminated the accreditation of Bottle Domains in April this year 'due to a serious breach of its obligations under the registrar agreement'."
... that's absolutely unheard of! What's worse, further investigations led to the discovery of a total of 3 data breaches in Bolton's enterprises... and a whole string of negligence, cover-up, and neglect of customer obligations. So, just like that... Bolton's companies are out of business. Doors closed.

Bolton even tried to go to the Australian Supreme Court... which didn't do him much good, as the Justices didn't quite see things his way... and he further got his hand slapped. While this is a pretty incredible story, I think it's even more important to note the great lengths that the Aussies will go to in order to protect their privacy!

The auDA has some rigid requirements for accreditation, including corporate requirement 3.6: "The Registrar must have opted in under the Privacy Act of 1988"... that's quite interesting. Having given the Privacy Act of 1988 a cursory read, I can assure you of one thing - it's quite protective of personal privacy as it relates to corporations.

So this begs the question... WHY don't more regulatory bodies (say, within the US) do this? I may be going out on a limb here, but I suspect that we've had such egregious privacy breaches here in the States many times over... yet nothing of this nature has happened. Wouldn't it be great if there were some retail industry regulation, maybe run by a conglomeration of the major credit issuers, that stated that if a corporation breached user privacy it could have its ability to process credit payments revoked? Better yet - wouldn't it be even better if this self-regulating industry body actually acted on this?

Sure, I'm talking crazy here, but aren't regulations here to give people comfort that if someone breaks the rules, they will have to pay the penalty? Wow... I really wish we had some regulatory bodies with balls in this country. Too bad, such a shame.


Matthew Hackling said...

Great post.

Christian said...

I can't clearly see if auDA removed their license because Bottle did not disclose to their customers or to auDA themselves.

I'm unsure what the rules are which auDA govern their registrars by.

BUT - it's good to see that the Australian legal system is looking at this from a wider viewpoint than that of JUST the Privacy Act, which in Australia does NOT mandate compulsory disclosure.

Great post Rafal!