[Infowarrior] - Worker Snooping on Customer Data Common

[Richard Forno]

Worker Snooping on Customer Data Common

By RYAN J. FOLEY ­ 2 days ago

http://ap.google.com/article/ALeqM5ghPenZUJTE7BfSfgQbj6RX597DEAD8V019TG0

MADISON, Wis. (AP) ‹ A landlord snooped on tenants to find out information
about their finances. A woman repeatedly accessed her ex-boyfriend's account
after a difficult breakup. Another obtained her child's father's address so
she could serve him court papers.

All worked for Wisconsin's largest utility, where employees routinely
accessed confidential information about acquaintances, local celebrities and
others from its massive customer database.

Documents obtained by The Associated Press in an employment case involving
Milwaukee-based WE Energies shine a light on a common practice in the
utilities, telecommunications and accounting industries, privacy experts
say.

Vast computer databases give curious employees the ability to look up
sensitive information on people with the click of a mouse. The WE Energies
database includes credit and banking information, payment histories, Social
Security numbers, addresses, phone numbers, and energy usage. In some cases,
it even includes income and medical information.

Experts say some companies do little to stop such abuses even though they
could lead to identity theft, stalking and other privacy invasions. And
companies that uncover violations can keep them quiet because in many cases
it is not illegal to snoop, only to use the data for crimes.

"The vast majority of companies are doing very little to stop this
widespread practice of snooping," said Larry Ponemon, a privacy expert who
founded The Ponemon Institute, a Traverse City, Mich.-based think tank.

Jim Owen, spokesman for the Edison Electric Institute, a lobbying
association that represents utilities, disputed suggestions the problem was
common in the industry.

"I am not aware of any other situation that has arisen in the utility
sector," he said.

Companies generally avoid talking about snooping or any measures they've
taken to prevent it.

Scott Reigstad, a spokesman for Madison, Wis.-based Alliant Energy, which
has one million electric and 420,000 natural gas customers in Iowa,
Wisconsin and Minnesota, said his company has safeguards in place to stop
misuse but does not discuss them publicly.

"We haven't had any issues that we're aware of," he said.

Jay Foley, executive director of the Identity Theft Resources Center, said
state regulators and lawmakers must step in if companies are not guarding
their customer information responsibly.

"Something needs to be done at the state level to make sure this is
illegal," he said.

He said more companies have to start using software that can track each
customer account that employees access.

WE Energies says it has taken numerous steps to stop the problem but even so
detecting misuse can be difficult. That's because it is hard to discern the
legitimate access of customer information from employees looking for
curiosity.

"People were looking at an incredible number of accounts," Joan Shafer, WE
Energies' vice president of customer service, said during a sworn deposition
last year. "Politicians, community leaders, board members, officers, family,
friends. All over the place."

Her testimony came in a legal case involving an employee who was fired in
2006 for repeatedly accessing information about her ex-boyfriend and another
friend. An arbitrator in November upheld the woman's firing. The AP reviewed
testimony and documents made public as part of the case.

The misuse came to light in 2004 when an employee helped leak information to
the media during a heated race for Milwaukee mayor that a candidate, acting
Mayor Marvin Pratt, was often behind in paying his heating bills. Pratt lost
to the current mayor, Tom Barrett.

Pratt said he's convinced the disclosure cost him votes and unfairly damaged
his reputation. Pratt said he recently met with top company executives and
was satisfied it has stopped the problem as much as possible. He said he has
dropped earlier plans to explore a lawsuit.

"They caught this and they are making corrections to it, which they should.
But it never should have happened in the first place. Not just to me, but to
anyone. They gave their employees too much latitude to access files."

After the incident involving Pratt, the company fired the employee who
leaked the information and vowed to crack down after finding others engaged
in similar practices. But problems continued.

In all, the utility fired or disciplined at least 17 employees for breaking
the policy between 2005 and 2007, according to testimony and company
records. Another employee gained access to Pratt's account for no business
purpose and was suspended in 2005 but kept her job.

Others looked up information on their bosses at WE Energies and local
conservative radio host Mark Belling, who said he had never been told of the
breach.

Ponemon said employees with access to vast amounts of customer information
often see nothing wrong with looking up an individual out of curiosity, or
in some cases, more sinister motives.

Governmental agencies have also struggled with the problem.

The IRS took 219 disciplinary actions, including firings and suspensions,
against employees who browsed through confidential taxpayer information last
year, according to the U.S. Treasury Inspector General for Tax Information.
That was more than double the number the previous year.

Last month, the Minnesota Department of Public Safety said it disciplined
two employees who accessed information on 400 residents from its driver's
license database. The agency did not say what the discipline was because it
continues to investigate. It said the employees were looking for their own
entertainment, not any criminal motives.

WE Energies serves 1.1 million electric customers in Wisconsin and
Michigan's Upper Peninsula and 1 million natural gas customers in Wisconsin.

Shafer said in an interview that the utility took steps to eliminate the
practice and only one employee has been disciplined for violations in the
last year.

After the 2004 incident, the company started checking who accessed
high-profile customer accounts and requiring annual training on its
policies.

Still, Shafer acknowledged in her deposition last year that it would be
"difficult, if not impossible" to discover many instances of misuse.

Utility regulators in Michigan and Wisconsin said they had not been notified
of the company's problems. They say they do not have any rules covering such
misuse.

The head of the Wisconsin Citizens' Utility Board, which lobbies on behalf
of utility customers, said he was "shocked and dismayed" to learn about the
practice.

"The testimony is incredibly candid. I'm very surprised that utility
employees were misusing this information," said executive director Charlie
Higley. "We hope WE Energies has taken steps to ensure that information is
treated privately."
Hosted by Google
Copyright © 2008 The Associated Press. All rights reserved.