Ekin

> XXX will not be liable for any loss
> that you may incur as a result of someone else using your password or
> account, either with or without your knowledge. However, you could be held
> liable for losses incurred by XXX or another party due to someone else
> using your account or password......"

Exclusion is a bit one sided.

Here a data controller is attempting to argue they have no responsibility
for security of personal data if their site is hacked and users' accounts
abused.

Somewhat contrary to their data protection obligations assuming they are
subject to the Act.

How do I as a data subject know how someone gets my password? I am not the
only source. If the customer is to be blamed then surely there must be an
onus on the controller to provide some evidence of abuse to the customer
e.g. the log file of access dates and times.

If they fail to work with the customer then they may never find the security
failures in their own systems which may be perpetrated by hackers or indeed
their own employees. Security is not one sided regardless of contract
clauses.

Such a contract 'clause' may be arguable with the OIC as an unfair term in
consumer contracts.

The OIC has the power under I believe the Unfair Terms in Consumer Contracts
Act to rule any specific clause as unfair where it breaches DPA principles
but leave the rest of the contract in place.

I also believe that the general consensus in the 'security' world is that
most security failures are internal not external.

Anyone know of any cases where the above disclaimer clause or similar has
been tested under UK law?

David Wyatt

----- Original Message -----
From: "Ekin Caglar" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, December 12, 2002 1:14 PM
Subject: Re: [data-protection] Personal data about a subject?


> > > Legally, data controller of the email should be the owner of the
> > > domain name
> > Does this mean that ISP's are the data controllers of all e-mail accounts
> > they hold? That does seem to rather go against what ISP's have been
> > stating for many years.
>
> Yes, of course ISPs are the data controllers, provided that they are the
> owners of the domain name. That's why you have to agree to their *extremely*
> strict terms and conditions (or an agreement of some sort) to obtain an
> email address from them. And in those agreements they have waivers for
> virtually every action you may do with your new email. Hotmail, for
> instance, has a 20 page agreement (much longer than our reseller agreement),
> which at some point reads ".....Microsoft will not be liable for any loss
> that you may incur as a result of someone else using your password or
> account, either with or without your knowledge. However, you could be held
> liable for losses incurred by Microsoft or another party due to someone else
> using your account or password......" Stuff like that. I know because I've
> been dealing with a lawsuit for a few months now where somebody hijacked a
> free email account to then illegally take over domain names (paid for)
> registered by using that free email address.
>
> > Going back to the allocation/deletion of e-mail addresses, the views
> > expressed so far do not seem to deny the issue.
>
> I strongly agree that, because of what's been explained so far, once a user
> drops an email address, it shall not be allocated to somebody else.
>
> > Ian W
>
> Ekin
> Sibilo.co.uk
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>       If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
>   (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
