Irish Times calls for data breach disclosure law
IF ANY doubts remained about the urgent need for a national data disclosure law, they will have been banished by the revelation that the Comptroller and Auditor General’s office failed to disclose – for 16 months – the theft of a laptop which included personal details of 380,000 social welfare recipients.
The comptroller’s office also revealed that 106,000 of the records included highly sensitive bank account data. None of the data were encrypted, an appalling disregard for this most basic of digital security provisions. And while it was said there was no indication the information had been used in a compromising way, such assurances will provide little comfort to the 380,000 individuals whose information is exactly the kind of material that quickly makes its way on to criminal websites, where it is sold in cheap bundles to hackers and identity thieves.
Such incidents are becoming more, rather than less, common. In April, Bank of Ireland finally told Data Protection Commissioner Billy Hawkes that three laptops with details of 31,500 customers had gone missing up to 10 months earlier. Those data weren’t encrypted either. A month later the bank said it was investigating another allegation that a laptop had been stolen in 2001.
The Government must recognise that the public is well past the point of believing such occurrences are rare events. Nor will people accept that long-delayed disclosures of such losses by the organisations involved are just a trivial oversight. It is time to force organisations to reveal such losses immediately. The Government should introduce the type of legislation pioneered in California five years ago (and now copied in 40 more states).
California’s laws require organisations to immediately inform affected individuals when personal financial or medical information is lost. Initially seen as an oddity, it forced the disclosure of some of the biggest national data breaches and hacking incidents in the US, because Californian customers had to be told about them if their names were associated with any of the records. Once this happened, organisations quickly found they had to reveal the full extent of data breaches.
Thanks to the law’s name-and-shame effect, it has helped compel organisations to adopt better data protection standards. And such a law allows people to close accounts immediately and otherwise protect themselves from the sloppy stewardship of their private details, rather than wait months, even years, to find their account details might have been sold on. Irish citizens deserve such protection of their personal information.