Lessons from Laptop Loss – the Bank of Ireland case and Mandatory Reporting of Data Loss
April 23rd, 2008
You might have noticed that 10,000 Bank of Ireland customers have had their personal information put at risk after four bank laptops were stolen between June and October 2007. According to the Independent, the laptops “were being used by staff working for Bank of Ireland’s life assurance division. They contained the information about medical history, life assurance details, bank account details, names and addresses.” Despite this, the laptop drives were not encrypted.
Amazingly, Bank of Ireland failed to notify the Data Protection Commissioner until Friday of last week, ten months after the first theft, and at the time of writing had still not written to individual customers whose information was lost.
What justification did Bank of Ireland give for this failure? One of the key planks of their defence was that they had “monitored all of these customer accounts and can confirm that there has been no evidence of fraudulent or suspicious activity”. This, however, completely fails to address the point. Identity theft doesn’t necessarily involve emptying the existing accounts of customers – instead it’s common to take out new credit cards or loans in those names, ruining the credit ratings of those customers in the process. How would Bank of Ireland monitoring their own accounts protect customers from fraud elsewhere? Quite apart from that, this would not justify customers being kept in the dark and denied the opportunity to take their own steps to protect themselves – which might involve voting with their feet and taking their business to a bank which takes their privacy more seriously.
It’s not yet clear what sanctions (if any) Bank of Ireland might face for this breach. (Though it’s worth noting that in a similar case in England the Financial Services Authority fined the Nationwide Building Society £980,000 for failing to have adequate information security procedures and controls in place.) But the most important point to take from this case is the need for a change in the law.
At the moment, there is no general legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied. We’ve said before that it’s time that this was changed. In the US, for example, many states have laws requiring that you be warned if your information is compromised. This has been successful in helping individuals to protect themselves and also in providing an incentive for companies to invest in security, knowing that they will no longer be able to sweep their failings under the carpet. In fact, the European Data Protection Supervisor has now recommended that it is time for such a law at a European level, and has suggested amendments to the forthcoming e-Privacy Directive.
If you agree that you should have a right to be warned when your data is compromised, you should start by writing to the Minister for Justice (minister@justice.ie) and to your MEPs. (Contact details for MEPs.) Ask them to support the proposals of the European Data Protection Supervisor on security breach notification.
You can also write to your local TD. Most now use email, with the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TDs here. Let them know that privacy is an important issue for you. And let them know that unless data retention is stopped, it is only a matter of time until telephone, internet and email records are similarly leaked.
Entry Filed under: DRI
10 Comments
1. Justin Mason | April 24th, 2008 at 8:39 am
Great article, and agreed!
An additional point:
as I noted on my taint.org post, it appears that the bank didn’t issue this information to the public. Instead, the Data Protection Commissioner did, once they were informed of the breach — leaving the bank apparently entirely unprepared for the PR fall-out.
2. Administrator | April 24th, 2008 at 9:36 am
Good point Justin. The IBTS laptop theft was handled much better in comparison.
3. identity theft and financ… | May 2nd, 2008 at 6:53 pm
[...] June and October 2007. According to the Independent, the laptops “were being used by staff working… http://www.digitalrights.ie/2008/04/23/lessons-from-laptop-loss-the-bank-of-ireland-case-and-mandato… Identity thieves sharpen their act (The New Zealand Herald): The people tasked with keeping our online [...]
4. Neil | May 9th, 2008 at 7:21 pm
great post mate, something like this can only happen in Ireland
5. Jenette Mitchell | July 26th, 2008 at 8:12 pm
There are many ways that people can steal our identity. One, many people don’t own a shredder. Use it. And second, be careful about who and where you place your information.
6. Digital Rights Ireland » … | August 11th, 2008 at 3:25 pm
[...] written before about laptops going missing containing confidential personal information. Then it was 31,000 Bank of [...]
7. Digital Rights Ireland » … | August 13th, 2008 at 10:15 am
[...] editorial in today’s Irish Times has joined the calls (by ourselves and others) for laws which will ensure that Irish citizens are warned when their personal [...]
8. Tony | August 13th, 2008 at 2:15 pm
I find it’s best to stick printed personal info in the composter, if you have one, once it’s been shredded.
At least you’re getting some further use out of it and you know it’s been fully disposed of.
9. UK Insurance | February 18th, 2009 at 11:24 pm
You raise some interesting points in this data loss article. I agree with your premise that data controllers should be obligated to inform customers if personal, identifiable data has been compromised. I do think that larger institutions have now tightened up their processes in terms of laptops to include mandatory encryption and the disabling of external drives used to remove sensitive data from them. Your point, however, around a change in the law to compel companies to inform the customer, I note, continues to be languishing.
10. Digital Rights Ireland » … | June 17th, 2009 at 10:11 pm
[...] been banging on about this for a while, but it’s worth repeating that in light of these fiascos, a law to warn you that your data has been stolen is long [...]