2. Recent news headlines have brought to our attention how vulnerable our personal data is when it is in the hands of the organisations to whom we entrust that data. This summer alone saw reports of the loss last year of a laptop by the Comptroller and Auditor General's office containing the personal details of over 380,000 citizens; during August an online retailer's security was breached and the hackers accessed the credit card details of the retailer's customers; and in April Bank of Ireland announced they had lost a number of laptops in 2007 which contained the personal data of over 30,000 customers.
3. These incidents are worrying enough in their own right, but what is of grave concern is the lack of notice those impacted by these security incidents received. Each of these issues also only came to light a number of months after the original incidents occurred, leaving the sensitive personal and financial details of individuals at risk of being abused by criminals.
4. The data lost in most of these cases could provide criminals with enough information to attempt a number of crimes ranging from credit card fraud to full-blown identity theft, one of the fastest growing crimes.
5. While our Data Protection laws require that companies ensure they provide "adequate security" to protect the personal details of staff and customers, there is no obligation on organisations to notify individuals if those "adequate security" measures fail. Without this type of notification individuals may not be aware their personal details have been exposed to criminals until they themselves notice unusual transactions on their credit cards or bank accounts, or indeed find their credit rating has been ruined as a result of defaulted loans falsely taken out in their names.
8. Organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals. In this age of cyber crime and sophisticated online criminal gangs we can no longer hope that the data does not fall into the wrong hands. Individuals need to know when the trust they placed in an organisation to keep their data safe has been breached, in order for them to take measures to protect themselves.
9. In July 2003 the California Bill SB 1386 came into effect, requiring companies or organisations to notify any Californian resident if their data has been exposed. Companies are not obliged to notify people affected by the security breach should that data be encrypted, which was not the case in the examples at the beginning of this piece, or if such notification would jeopardise an ongoing criminal investigation. Since 2003 over 35 other US States have implemented their own versions of the law.
10. It is interesting to note that in January 2007 the TJX Corporation, the parent company of TK MAXX stores here in Ireland, announced they had discovered a security breach that exposed over 40 million credit card details belonging to its customers. TJX admitted that the breach could also have impacted Irish customers. However, because there is no obligation on TJX to notify the affected Irish individuals, TK MAXX customers in Ireland do not know if their details have been exposed.
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
11. Not only have the data breach disclosure laws in the United States helped individuals better protect their personal and financial data, but they have also been of benefit to companies. When details are disclosed by the affected company as to how the breach occurred (in the case of TJX it was insecure wireless networks), other companies can learn from the incident and ensure their own systems and data are secure. This is no different to hearing that your neighbour's house has been burgled: you will take steps to secure your own home.
12. The European Commission is proposing amendments to the Privacy and Electronic Communications Directive which will oblige telecommunications companies to notify individuals should their personal data be exposed as a result of a security breach. However, this proposal only applies to telecommunications companies and will most likely not come into being until 2011. In that time it is likely that the proposal will be further watered down by industry lobbyists.
Ireland should not wait until the proposed amendment to the Privacy and Electronic Communications Directive comes into place. We cannot wait until 2011; now is the time to introduce mandatory data breach disclosure laws here in Ireland so that individuals whose data is exposed as the result of a security breach are notified. This legislation could complement the existing Data Protection Act and ensure that businesses which do take proper precautions are not overly burdened by it. For example, as with the California SB 1386 law, companies that encrypt the personal data could be exempt from the notification requirements.
13. Some will argue that data breach notification will place yet another burden on businesses already tied up with bureaucracy and red tape. I think those supporting the argument miss the point that companies taking the required steps to protect their clients' data will not be overly impacted by this proposal.
15. Ireland has taken bold steps in the past to lead the way in introducing legislation to benefit its citizens, the smoking ban and the plastic bin tax being two that come to mind. She should once more take the lead amongst our European neighbours and introduce legislation that better protects her citizens and provides an effective information security governance framework for businesses to follow.