The editorial in today’s Irish Times has joined the calls (by ourselves and others) for laws which will ensure that Irish citizens are warned when their personal information has been compromised.
If any doubts remained about the urgent need for a national data disclosure law, they will have been banished by the revelation that the Comptroller and Auditor General’s office failed to disclose – for 16 months – the theft of a laptop which included personal details of 380,000 social welfare recipients.
The comptroller’s office also revealed that 106,000 of the records included highly sensitive bank account data. None of the data were encrypted, an appalling disregard for this most basic of digital security provisions. And while it was said there was no indication the information had been used in a compromising way, such assurances will provide little comfort to the 380,000 individuals whose information is exactly the kind of material that quickly makes its way on to criminal websites, where it is sold in cheap bundles to hackers and identity thieves.
Such incidents are becoming more, rather than less, common. In April, Bank of Ireland finally told Data Protection Commissioner Billy Hawkes that three laptops with details of 31,500 customers had gone missing up to 10 months earlier. Those data weren’t encrypted either. A month later the bank said it was investigating another allegation that a laptop had been stolen in 2001.
The Government must recognise that the public is well past the point of believing such occurrences are rare events. Nor will people accept that long-delayed disclosures of such losses by the organisations involved are just a trivial oversight. It is time to force organisations to immediately reveal such losses. The Government should introduce the type of legislation pioneered in California five years ago (and now copied in 40 more states).
California’s laws require organisations to immediately inform affected individuals when personal financial or medical information is lost. Initially seen as an oddity, it forced the disclosure of some of the biggest national data breaches and hacking incidents in the US, because Californian customers had to be told about them if their names were associated with any of the records. Once this happened, organisations quickly found they had to reveal the full extent of data breaches.
Thanks to the law’s name-and-shame effect, it has helped compel organisations to adopt better data protection standards. And such a law allows people to close accounts immediately and otherwise protect themselves from the sloppy stewardship of their private details, rather than wait months, even years, to find their account details might have been sold on. Irish citizens deserve such protection of their personal information.
August 13th, 2008
From the Irish Independent:
Staff at the State spending watchdog who failed to inform authorities that laptops stolen from them contained sensitive information about up to 400,000 people are to escape disciplinary action.
The Office of the Comptroller and Auditor General (OCAG) last night confirmed the staff will not face any sanction despite not displaying the “common sense” to report the nature of the material contained on three laptops stolen over the past three years.
OCAG admitted the unencrypted laptops — among 16 stolen from their officials since 1999 — contained highly sensitive information, including PPS numbers, bank account details and social welfare payment details.
While the staff involved reported the theft of the laptops to their superiors and the gardai, the extent of the information contained in them was not reported and only became apparent in recent weeks when OCAG conducted a review.
An OCAG spokesman described the massive oversight as “a procedural flaw” and said no disciplinary action would be taken as there had been no procedures in place at the time for the reporting of the theft of sensitive information.
The OCAG appears to be suggesting that the only mistakes made were those of the individual staff who failed to report the nature of the information which had been stolen. But those mistakes – serious as they were – are just the tip of the iceberg. Who was responsible for the failure to encrypt these laptops? Who was responsible for the decision to transfer entire databases to vulnerable devices? And who was responsible for deciding to copy entire databases without first anonymising the identities and bank details of the social welfare recipients? Those individuals should also be held to account.
August 12th, 2008
We’ve written before about laptops going missing containing confidential personal information. Then it was 31,000 Bank of Ireland customers who had to worry whether they could be the victims of fraud. This time it’s 380,000 social welfare recipients whose details might be compromised – with 106,000 of those also having had their bank account details lost. As before, and in breach of the most elementary principles of data security, it seems that this data was not encrypted.
The most worrying thing about this episode? Despite the laptop being lost in April 2007, it is only now that the victims are being told that their information has been compromised. In the 16 months between then and now they have been deprived of the right to protect themselves – for example, by taking steps to monitor their bank accounts or credit ratings. As we’ve said a few times now, it’s about time that Irish law recognised a right to be notified when your personal data is lost. Here’s how the law currently stands and what you can do about it:
At the moment, there is no general legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied. We’ve said before that it’s time that this was changed. In the US, for example, many states have laws requiring that you be warned if your information is compromised. This has been successful in helping individuals to protect themselves and also in providing an incentive for companies to invest in security, knowing that they will no longer be able to sweep their failings under the carpet. In fact, the European Data Protection Supervisor has now recommended that it is time for such a law at a European level, and has suggested amendments to the forthcoming e-Privacy Directive.
If you agree that you should have a right to be warned when your data is compromised, you should start by writing to the Minister for Justice (email@example.com) and to your MEPs. (Contact details for MEPs.) Ask them to support the proposals of the European Data Protection Supervisor on security breach notification.
You can also write to your local TD. Most now use email, with the address: firstname.lastname@example.org. You can find full contact details for your local TDs here. Let them know that privacy is an important issue for you. And let them know that unless data retention is stopped, it is only a matter of time until telephone, internet and email records are similarly leaked.
If you think you may have been affected, you can contact the Department of Social and Family Affairs on a helpline at 1800 690 590 (9am – 6pm) or via e-mail at email@example.com.
August 11th, 2008