There have been a number of cases of firms exposing customer data in the US, only brought to light by new regulations obliging companies to disclose such problems. These included Bank of America losing an unknown number of backup tapes (February 2005), a software glitch forcing HSBC North America to tell customers of its General Motors MasterCard that their details may have been stolen (April the same year) and Ameritrade losing four backup tapes and only getting three back (also in April 2005).
One of the worst cases was in May 2005, however, when Retail Ventures reported that customer information from 108 stores in its DSW Shoe Warehouse subsidiary had been stolen. The information, involving 1.4 million credit cards used to make purchases, mostly between November and February, included account numbers, names and transaction amounts.
The issue of data and whose responsibility it is to guarantee its integrity came into focus recently when the personal searches of some 685,000 subscribers to AOL were exposed on the Web. AOL researchers had collated data – amounting to around 20 million enquiries – on an internal web site in July, but the document was soon spotted by bloggers.
Bad publicity followed, as it was proved possible to identify personal information such as the addresses and interests of individuals. In August AOL accepted the resignation of its chief technology officer Maureen Govern and also fired two other employees it held responsible for the error.
AOL’s chief executive, Jonathan Miller, attributed the breach of security to “poor judgement” by some staff, adding: “We are taking a number of additional steps, on top of our existing security systems, to help ensure this type of incident never happens again.” And a management task force was set up to decide how long AOL should retain search data, with much tighter restrictions on employee access to customer information.
Around the same time there were red faces at HSBC, when researchers at Cardiff University uncovered a vulnerability in the bank’s online system that could allow an attacker to gather all the information required to enter a targeted customer account.
The New York Times revealed in June that the US National Security Agency (NSA) has been covertly monitoring millions of international bank transfers made over the Society for Worldwide Interbank Financial Telecommunication (Swift) banking network since 2001 – without court approval. According to reports, the NSA has access to confidential details including names and account numbers connected with all international money transfers which it monitors for evidence of terrorist activity. The New York Times has been heavily criticised by the White House for leaking details of the programme, while civil libertarians have criticised what they see as excessive government snooping.
Last year, research by the US consumer organisation Privacy Rights Clearinghouse indicated that over 50 million Americans may have had their personal information compromised each year due to various problems, including hacking, dishonest employees, and computers falling into the wrong hands.
Another aspect of complying with data laws was highlighted in September 2004, when the Internet Watch Foundation questioned some 1,000 senior IT managers and found 87 percent were not aware of all the legal issues concerning data and offences under the Sexual Offences Act (2003). Few, for instance, fully understood how to deal with such material as evidence, which could present particular difficulties for those working at ISPs or in systems management roles.
Another concern for firms is the need to protect staff and customers from scams spread through web sites and emails. In February the Office of Fair Trading warned that nearly half of the UK population – some 20 million consumers over the age of 15 – had been targeted by such scams, including pyramid schemes, lotteries, phishing or 419 scams. Nearly one in 10 of those targeted had actually fallen victim to the ploy and parted with money.