It’s an unfortunate incident. Not a scandal.
I’ve waited a few days to write about the Moniker whois privacy flap. My first reaction was that this whole thing was being blown way out of proportion, so I wanted to wait and see how I felt in a few days.
But I still feel the same way.
I really don’t know all the details behind what happened. What I can gather from reading this blog entry is that an Oversee.net employee found out who owned a domain name protected by the company’s Moniker Privacy Services and disclosed this information to the domain owner’s boss.
How Bad is This?
This is a pretty bad lack of judgment by the individual who did this. I’d be rather upset if the company disclosed that I owned a particular domain name. Even if the information was publicly available, I wouldn’t want my registrar to disclose certain information without my permission.
How could this happen?
There are certain people who know just about every domain name I own. That includes my Moniker and Go Daddy account reps. They also know the few domains I have protected by whois privacy (mainly because they are for new ideas I had at one point).
Beyond that, not many people at these companies should know what I have registered with them. I suspect their boss and their boss’s boss up the chain could get access, too. I’ve always taken this into consideration when registering domain names.
I don’t know how the employee accessed the information in this case. But Moniker has said that distributing the information was against company policy.
Have you ever made a snap decision that seemed like no big deal at the time you made it, then afterward asked yourself how you could have been so stupid? I know I have. Sounds like that’s what happened here.
Whose fault is it?
It depends on the details of what happened.
Perhaps there need to be more controls within the registrar (and I’m sure at other registrars, too). But there are limits.
As I mentioned, my Moniker and Go Daddy account reps know which domains I own. If one of them decided to break company policy and disclose this, there’s very little that can be done to stop that. It would be a bad decision for an employee to disclose this information, but good and bad people make bad decisions all the time.
Should the perpetrator be named, tarred, and feathered?
Not by Moniker.
Like it or not, these sorts of violations of company policy happen all the time in all industries. In most situations the company will not name who violated a company policy. It’s confidential information and they could get sued for doing it. It may not even be any of our business to know who it was.
One exception is if a law is broken, or if it’s a senior employee, officer, or an ironic person — such as the Chief Privacy Officer who was specifically entrusted with the information.
If the Moniker customer whose information was released wants to name names, that’s certainly up to them. But it’s certainly not Moniker who should disclose that information.
As for punishment, the employee could be fired. That’s serious. They also probably had a horrible holiday as they wondered about their fate. But it’s not like you go to jail for violating company policy.
What should Moniker have done after learning about what happened?
I’ll tell you this: they shouldn’t have immediately fired off an email to customers telling them what happened. Here’s why:
1. No customers are at immediate risk of damage due to this breach. If a lot of customers were victims, or a number of credit cards were disclosed somehow, that’s when an immediate message is warranted.
2. They need to investigate what exactly happened and determine if it’s the first time or a repeat occurrence. Do you think SnapNames immediately informed customers after the Halvarez scandal? No, they researched all the facts and then disclosed the information.
3. The company may need to make changes to internal procedures and would want to announce these in its communication.
4. The incident appears to only involve one customer and one employee. If that’s the case, and this is an isolated instance, it’s not the type of thing companies generally tell the world. If a customer service rep cusses me out, do they issue a press release? If a rogue customer service rep at Amazon tells someone else what I ordered, do they tell all their other customers that this happened or do they just discipline the employee?
Unless something else comes out, this is not a scandal we’re looking at. It’s an isolated incident perpetrated by one person who made a bad decision that affected only one customer.
It’s an unfortunate incident, and I don’t want to downplay that. All domain registrars should consider how this information is safeguarded. But let’s not make this something more than it is.