Thursday, June 25, 2009

Bord Gais Laptop Loss

I wrote an opinion piece for the Sunday Business Post on the recent Bord Gais laptop loss - using it as a jumping off point to argue for a data breach notification law in Ireland. Here's an excerpt:
It hasn’t been a good week for personal information. Last Tuesday, the HSE admitted that it had lost an unencrypted laptop containing sensitive information, including particular social work case notes on nine families.

Remarkably, the HSE had not reported this loss to the Data Protection Commissioner, who learned of the incident from media reports. The HSE incident was eclipsed the following day when Bord Gáis revealed that it had lost an unencrypted laptop with account details - including bank and credit card information - on 75,000 customers, exposing them to the risk of identity theft.

Unfortunately, these are not isolated incidents. In the last year alone, multiple cases have come to light: notably Bank of Ireland, which lost personal data on more than 30,000 life assurance customers; the Office of the Comptroller and Auditor General, which lost information on 380,000 social welfare recipients; and Airtricity which posted the financial details of 1,200 customers on its website for six weeks.

Why have Irish organisations been so slipshod with the information we have entrusted to them? One problem is that the bodies that hold the data suffer little direct damage if the data is lost - it is the individual, not the company, who suffers the harm. Consequently, there is little financial incentive for them to take adequate measures to protect our data.

This is compounded by a lack of transparency. Under Irish law, there is no express obligation for a company that has lost customer data to notify anyone - neither the customer nor the Data Protection Commissioner.

The result is that organisations try to cover up data breaches to save face. Consequently, if your details are leaked, it is entirely possible that the first you will know of it is when you discover that your fraudulent alter ego has enjoyed a spending spree on your credit card or run up huge debts in your name. By then, it’s too late.
More from the Digital Rights Ireland perspective here. What Irish bloggers have been saying about the Bord Gais scandal here.

1 comment:

  1. without mandatory brach disclosure laws in place all that will happen should a breach become public is that the affected company changes from managing a security breach to a PR exercise. It is not right that Irish victims of data loss have to take on the burden themselves of managing the breach and ensuring their data is not misused. Data they entrusted to the affected company to secure. And that is simply companies that have the ethical and moral backbone to let people know they suffered a data breach.

    Mandatory data security breach notification needs to be implemented asap to ensure companies take the appropriate steps to secure personal data and not merely pay lip service to the Data Protection Act. I argued for the introduction of such legislation on page 20 of the October issue of the Law gazette.