On October 22, Global Times reported:
YTO Express, one of China’s largest express delivery companies, has been unable to stop employees from selling customer information to online dealers, despite its ongoing efforts to stamp out the practice, a company spokesman said Tuesday.
The company’s admission illustrates the difficulty that the express delivery industry has had protecting customers’ personal information, including names, addresses and telephone numbers, as online dealers continue to proliferate.
It seems somewhat mind-boggling that a firm knows its employees are regularly engaging in wrongdoing and yet hasn’t been able to deal with it, despite working on the problem for a year or more and even though the police say they will investigate if YTO reports employees to them.
YTO Express does not seem to be the only courier with this problem, and sites selling personal information obtained illegally abound. But really, what should the consequences be for a business that knows its employees are engaging in wrongdoing but hasn’t come up with effective access controls or monitoring to stop the problem? At what point do governments say, “Hey, if you’re so bad on data security and privacy, you don’t get to collect personally identifiable information”?