Syntagma Digital
Moneyizor
The Money Log

Government IT can endanger your funds

British people were told yesterday that the personal data of nearly half the nation has “gone missing”. In the newly merged department of Inland Revenue and Customs, a “junior official” downloaded the personal details, including bank account data and National Insurance numbers, of 25 million people and placed all of it on two unencrypted CDs.

The official then put the CDs in an envelope and posted it. The package wasn’t even registered so couldn’t be tracked or traced. It’s now officially “lost in the post”.

Alternatively, it may have been stolen to order by organized crime. We have been told the official is now under guard in a “safe house” to protect him or her against the media, and presumably against criminals seeking “to make him an offer he can’t refuse”.

This morning there’s huge panic all over the UK as people wake to find their bank accounts and personal identities compromised in the most dangerous way possible.

Once again we see the perils of allowing a central administration to accumulate vast quantities of information through a system of universal benefits more in tune with the Soviet era than the distributed nature of data in the age of the internet.

What can you do to protect yourself against the kind of scam everyone in the UK is now worried about?

1. Check your bank and credit card statements for the next 5 to 10 years. Criminals can lie low and strike when banks get sloppy again.

2. Change your online banking password, especially if you use family data as a memorable word.

3. Look at your credit report. The information in the Child Benefit Agency records is enough for a criminal to apply for loans, credit cards and even mortgages in your name, as well as other forms of credit such as mobile telephone and catalogue accounts. Your credit report lists all your credit commitments and recent applications for credit, so you can instantly see if someone has been trying to use your ID.

Apart from that, you are at the mercy of Government officials and your bank’s security measures. Ultimately, they must take responsibility for protecting their customers’ data.

Unfortunately, British Government agencies routinely break the Government’s own Data Protection Act. The shambles goes on.


The Taxman Spiders Websites

If you thought you could make money online without declaring it to the taxman, think again.

Austria, Denmark, Britain, Canada, The Netherlands and Sweden have teamed up for the “Xenon” program, which was started in The Netherlands in 2004 by the Dutch equivalent of the IRS, Belastingdienst.

Wired Digital reports, “Xenon is primarily a spider: a program that downloads a web page, then traverses its links and downloads those as well, ad infinitum. In this manner spiders can create huge datasets of web material, while preserving the relationships between pages at the moment they were spidered — something that can reveal a lot about the people that made the pages.”

The program aims to crack down on suspected internet tax cheats, using a sophisticated web crawling program to monitor transactions on auction sites, and track operators of online shops, poker and porn sites.

Once the web pages are screen-scraped, Xenon’s Identity Information Extraction Module interfaces with national databases containing information like street and city names. It uses that data to automatically identify mailing addresses and other identity information present on the websites it has crawled, which it puts into a database that can be matched in bulk with national tax records.

Canada’s tax authorities declined to state what their Xenon data retention policies are, as did Simon Bird, head of the “Web Robot Team” at the British HM Revenue and Customs office.

In the United States, the IRS is not a part of the Xenon project, but would neither confirm nor deny that it uses spidering software in its investigations.


How To Start a Business: 5. Due Diligence

If you are buying an existing business as a way to avoid the uncertainties of the startup phase, you’ll need to do “due diligence” on it before committing yourself and your investors to the deal. So, what is due diligence?

Essentially it’s the process of going through the books, examining current trading information, details of investment plans, commitments and liabilities. It should give an indication of any flaws in the setup, any skeletons in the cupboard.

For a listed company, it can ensure that shareholders receive the highest price and set off an auction process. It is disruptive to the target company, which has no certainty that anything at all will come of the process.

Most companies like to keep closed books so that sensitive information doesn’t fall into the hands of rival firms who may just be fishing for confidential data.

The system isn’t foolproof either, in that investigating lawyers and accountants can run up huge bills without guarantee of accuracy.

Additionally, in the new world order, after Enron, we know that some companies have kept a second, secret set of accounts.

But for buying small-to-medium businesses, it would be unthinkable to go ahead without some form of due diligence, if only by the prospective buyers themselves.


Email Newsletters and Michigan and Utah

The problem with sending email newsletters to your customers has always been that different states have different requirements.

In the US, Federal laws defining allowed practices for email marketers, which include email newsletters, are detailed and precise. The Federal Trade Commission (FTC) regulates what is known as the CAN-SPAM law. At present, though, state laws are causing more concern, particularly in Michigan and Utah. I’ll begin with these:

New laws in Michigan and Utah for child protection carry custodial sentences for even inadvertent non-compliance.

In essence, the problem is this: the states of Michigan and Utah have passed child protection laws with “Do Not Email” registries for individuals to enter minors’ email addresses. Marketers potentially face stiff fines as well as time in prison if they send email to a registered minor’s address and the email contains material, or links to material, which children may not legally see or respond to. If you send commercial email of any type and you don’t check the address against the registry before you send it, you are potentially liable.

The laws are not clear on what products or services a minor is prohibited from purchasing, viewing, possessing, participating in, or otherwise receiving. However, the State of Utah’s Department of Commerce is attempting to add further definition to what types of advertisements are covered. There’s a pdf here.

The only way to avoid liability is to check every address in your email list against the Michigan and Utah registries before you send them an email.

The fees to start are expected to be 0.007 cents for Michigan and 0.005 cents for Utah per address on your list. The cost for a 100,000-name list will be $1200 per pass. You’ll need to check each new subscriber as they come, plus the whole list every 30 days. For a 10,000 list which acquires, say, 100 new subscribers a month, the cost will be $121.20 monthly. A 50,000 list with 500 new subscribers would be $606 monthly. Not cheap.

Any business anywhere in the world with a presence in the US needs to follow these laws. This law does not just apply to businesses in Michigan and Utah; it affects all businesses with a presence in any of the 50 US states.

These are the main provisions of the Federal law:

It bans false or misleading header information. Your email’s “From,” “To,” and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.

It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.

It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a “menu” of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial email. When you receive an opt-out request, the law gives you 10 business days to stop sending email to the requestor’s email address. You cannot help another entity send email to that address, or have another entity send email on your behalf to that address. Finally, it’s illegal for you to sell or transfer the email addresses of people who choose not to receive your email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.

It requires that commercial email be identified as an advertisement and include the sender’s valid physical postal address. Your message must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email from you. It also must include your valid physical postal address.

Fines can be up to $11,000 for each violation, and a violation may also fall under other laws, so penalties can be progressively higher, or even custodial.
