Data protection has been headline news since the beginning of 2012. In January the EU Commission announced proposals for the comprehensive reform of EU data protection legislation (see our previous article on the proposed reform here); Eircom, Ireland’s largest telecommunications operator, suffered a major data breach that may compromise the personal details of thousands of its customers; and three insurance companies also pleaded guilty to the storing of data otherwise than in accordance with their registration entry.
Recently Eircom announced that two unencrypted laptops were stolen from its offices at Parkwest Dublin between the end of December 2011 and beginning of the New Year. A further laptop was taken from an employee’s home.
Eircom confirmed that the laptops contained personal data such as names, telephone numbers and in some cases financial information. The company said the theft resulted in a potential data breach for more than 6,845 eMobile and Meteor customers, as well as 686 employees.
Both thefts were reported to the gardaí immediately and investigations are currently underway. However, Eircom has been heavily criticised for the delay in informing the Office of the Data Protection Commissioner (ODPC) of the thefts. The ODPC is of the view that the nature of the information breach put Eircom employees and customers at risk of identity theft.
According to the ODPC the average delay in reporting such thefts is 24 to 48 hours. The Personal Data Security Breach Code of Practice suggests notification should be made within two working days. However, Eircom appears to have had knowledge of the thefts for over a month before informing the ODPC. Under the newly proposed EU Data Protection Regulation, such delays could be punishable by fines of up to €1 million for individuals or 2% of global annual turnover for companies.
Insurance Sector Convictions
Eircom’s announcement of the data breach occurred within a week of three insurance companies pleading guilty in Dublin’s District Court to processing social welfare data otherwise than in accordance with their data protection registration.
The judge described compromising personal data in this way as a very serious matter. However, the court was satisfied that the companies had taken appropriate measures to ensure that they are now fully compliant with the ODPC’s Code of Practice on Data Protection for the Insurance Sector.
Taking into account each company’s early guilty plea and the absence of any previous convictions in relation to data protection matters, the Probation of Offenders Act was applied to each company. All three parties made a charitable contribution of €20,000 to the Capuchin Day Centre, a shelter for the homeless in Dublin’s city centre.
The large volume of reporting on data protection matters together with increasing public interest in how personal data is being processed and stored should see increased compliance in data sensitive sectors such as telecommunications and insurance. With major reform of data protection legislation on the horizon, data controllers and processors should prioritise full compliance with the ODPC’s Codes of Practice.