Dial U For Unformation (Part Two)

Often it feels like we are living in the Unformation Age, not the Information Age. Unformation is what you get when you throw a lot of data into a lot of computers and keep stirring it around, but do not take time and trouble to ensure that you can trust the data or, worse still, that you understand what it means. In the last blog, I discussed the problems at Carphone Warehouse, and how their regime must have been especially slack to be noticed by the UK’s toothless data protection watchdog. Today the story is about Virgin Media. It exemplifies how corporates usually get away with processing unformation without anyone being able to do anything about it. It also shows the difference between a government agency stipulating what should be done and being able to enforce it.

Just before Christmas, the UK telecoms regulator, Ofcom opened an urgent investigation into Virgin Media. The topic of the investigation: whether Virgin had failed to meet its responsibility to provide the emergency services with the location of callers. Let us be clear about the importance of this. This obligation relates to cases where somebody uses a phone to get the emergency services – Police, Fire or Ambulance – but are unable to tell the operator where they are. They may be unable to complete the call, or the person who places the call may not know the location. Speed is of the essence, as lives may be in danger. A week after the investigation began, Ofcom decided that

“there are reasonable grounds to believe that Virgin Media has failed to make Caller Location Information for all 999 calls available to the Emergency Organisations handling those calls.”

This sounds like the kind of thing that needs to be sorted out quickly. Ofcom stipulated that Virgin needed to rectify any issues and must make representations by January 11. Unfortunately, over a week has passed since that deadline but no further update has been issued. There are a lot of people whose lives may be put at risk during the course of a week, so a delay of a few days is bad though understandable. It is much harder to accept how the news of Virgin’s lapses came into the public domain in the first place. An anonymous whistle blower sold the story of Virgin’s problems to a national newspaper. The story printed in The Mail On Sunday asserts that Virgin’s shortcomings were identified in an internal review completed at the beginning of 2007. Instead of informing the regulator about their failings, Virgin decided to keep quiet. Perhaps the difficulties were resolved soon after the review was completed, or perhaps they still have not been resolved. We will have to wait on Ofcom’s next update to their investigation.

Regulators depend heavily on telcos to be open and honest about their problems. If Virgin does not audit their own response time when handling emergency services queries, nobody else will. Nobody else is checking the completeness of their location data either. So telcos can get away with hiding skeletons in the closet… up to a point. That point occurs when the story does somehow find its way into the public domain one way or another. When it does, the damage to public confidence is amplified. Keeping bad news secret even from regulators only begs the question of how many other unformation disasters have been kept secret. That undermines confidence in general. It also makes the reputation damage much worse. If Virgin identified a problem in early 2007, told Ofcom about it and fixed it straight away, chances are you and I would never know. Perhaps they have fixed the problem, but we know about it because they decided to keep it secret, even from the body responsible for enforcement.

When telcos put insufficient control around information, they risk more than turning it into unformation. Unformation makes for bad business decisions, lost revenues, wasteful expenditure and unhappy customers. The consequences can hurt customers, and may even put their lives at risk. Unfortunately, as was seen with the phone voting scandal in 2007, many will prefer to cover up their failings instead of fixing them. When that happens, the damage is much worse than if the failing was identified and resolved straight away. Governments can often be assumed to be behind the times. They are better at legislating with hindsight then with foresight. There will be a few more disasters before governments fully appreciate how to tackle risks around data integrity and the vast amounts of information processed by modern businesses like telcos. Having the foresight to set expectations, like the data protection legislation or regulatory stipulations about calls to emergency services, does not imply foresight on how to enforce those obligations. Enforcement is the weak link in the Unformation Age.

Some will do the right thing just because it is the right thing to do. Others will help, and help themselves, by providing products to deliver compliance. US vendor TCS has just won an award for its real-time address validation engine. The product, called RAVE911, gives location validation, which helps ensure telcos give accurate location data to the emergency services. It is also useful for other purposes like billing integrity, so the financial benefits of good data may compensate for the costs of compliance. However, it is a sad truth that, in the absence of a mechanism to police compliance, some will fail to comply. Compliance has a cost and some will avoid the cost. Not only will they fail, but they will keep it secret too. A recent report by Deloitte on security in the TMT sector stated that only 54% of firms would tell customers if their data privacy had been breached. The problems of Virgin and Carphone Warehouse may have been identified much sooner if the Information Commissioner had powers to audit businesses without warning. At the very least, the possibility of spot checks will encourage businesses to fix their problems sooner, and to admit to them instead of keeping them secret. The UK’s Information Commissioner is pushing hard for the power to make unannounced audits of UK companies in the wake of the UK Government’s loss of benefits data relating to 25m people. This has already resulted in a new power to spot check government departments. You can be sure the Information Commissioner sees spot checks of business as the natural way to enforce a law that applies equally to business and government.

The worst thing businesses can do is hope their unformation problems go away. Do that, and there is a risk they come back multiplied. Government intervention is most likely to occur following public scandals. Companies that are secretive, but not proactive, about data integrity issues risk turning a manageable issue into a full-blown scandal. In the UK especially, now is not a good time for two telcos to have serious problems with their data. Governments do not much like it when voters think they are incompetent, and the UK Government is under pressure to show it is competent to manage data. The pressure on the UK Government is doubly acute because it shows no sign of abandoning its unpopular plans for a national ID card, and the national ID database which that entails. A good way to redirect pressure would be for the Government to get tough on failing businesses, especially if there are a few scandals to help with justification. Telcos had better beware. A few more unformation goofs like those at Carphone Warehouse and Virgin Media and telcos may get a lot more unwanted scrutiny than they currently endure. And if that happens, the public may find out about a lot more unformation disasters that have been kept secret so far…

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.