Data law is long overdue
Sunday, June 21, 2009. By TJ McIntyre
It hasn’t been a good week for personal information. Last Tuesday, the HSE admitted that it had lost an unencrypted laptop containing sensitive information, including particular social work case notes on nine families.

Remarkably, the HSE had not reported this loss to the Data Protection Commissioner, who learned of the incident from media reports. The HSE incident was eclipsed the following day when Bord Gáis revealed that it had lost an unencrypted laptop with account details - including bank and credit card information - on 75,000 customers, exposing them to the risk of identity theft.

Unfortunately, these are not isolated incidents. In the last year alone, multiple cases have come to light: notably Bank of Ireland, which lost personal data on more than 30,000 life assurance customers; the Office of the Comptroller and Auditor General, which lost information on 380,000 social welfare recipients; and Airtricity, which posted the financial details of 1,200 customers on its website for six weeks.

Why have Irish organisations been so slipshod with the information we have entrusted to them? One problem is that the bodies that hold the data suffer little direct damage if the data is lost - it is the individual, not the company, who suffers the harm. Consequently, there is little financial incentive for them to take adequate measures to protect our data.

This is compounded by a lack of transparency. Under Irish law, there is no express obligation for a company that has lost customer data to notify anyone - neither the customer nor the Data Protection Commissioner.

The result is that organisations try to cover up data breaches to save face. Consequently, if your details are leaked, it is entirely possible that the first you will know of it is when you discover that your fraudulent alter ego has enjoyed a spending spree on your credit card or run up huge debts in your name. By then, it’s too late.

The Data Protection Commissioner has tried to remedy this, recommending that companies should voluntarily notify data breaches to his office. Voluntary notification has, however, proved to be inadequate. In some cases - as with the most recent HSE laptop loss - it has simply been ignored.

In other cases it has been too little, too late.

For example, consider the recent Bank of Ireland case. Laptops were stolen between June and October 2007 containing client medical histories, life assurance details and bank account details.

Bank of Ireland did not, however, notify the Data Protection Commissioner of this loss until April 2008 - ten months after the original theft - and at that date had still not warned individual customers whose information was lost.

Those customers were therefore kept in the dark and deprived of the chance to protect themselves.

There is an alternative. Since 2003, California has had a law which requires companies to warn customers whose data has been compromised. This has proven to be very successful and has been followed in the overwhelming majority of US states. The most obvious effect of the law is to enable customers to take steps to protect themselves once a data breach takes place.

In addition, by ensuring that data breaches become public, the law creates an incentive for firms to invest in adequate security and training to avoid negative publicity. It also enables consumers to determine whether a firm takes privacy seriously, and to take their business elsewhere if necessary.

This Californian model is being considered in Europe, where the European Commission and European Parliament have agreed that telecommunications companies and internet service providers should be required to notify users and the regulatory authorities when they lose data.

Last month, the commission also indicated that it would bring forward proposals to extend data breach notification to other sectors. The Californian model has also been advocated in Ireland and, in January, the Minister for Justice set up a Review Group which is currently examining whether Irish law should require mandatory reporting of data breaches.

Between these developments, it seems likely that we’ll see mandatory reporting of data breaches introduced into Irish law in some form in the near future. It will be important, though, to ensure that the laws are workable and useful for consumers.

For example, one concern with the Californian model is that too low a threshold for notification may lead to too many warnings being sent, resulting in a desensitising effect where warnings go unheeded. Similarly, the Californian model has been criticised for simply requiring notification of the breach itself - often leaving consumers unaware what they should do.

To have a practical effect, any Irish law must ensure that warnings include advice on the steps individuals should take in response.

Also, data breach notification is only one part of the solution; until Irish institutions develop a culture of respect for individual privacy, we can expect these problems to continue.

Those concerns aside, it’s clear that the time has come for the introduction of data breach notification into Irish law, and when this happens it will be a welcome first step towards protecting Irish consumers.

TJ McIntyre is a solicitor, UCD law lecturer and chairman of Digital Rights Ireland.
