Lessons from Laptop Loss – the Bank of Ireland case and Mandatory Reporting of Data Loss

You might have noticed that 10,000 Bank of Ireland customers have had their personal information put at risk after four bank laptops were stolen between June and October 2007. According to the Independent, the laptops “were being used by staff working for Bank of Ireland’s life assurance division. They contained the information about medical history, life assurance details, bank account details, names and addresses.” Despite this, the laptop drives were not encrypted.

Amazingly, Bank of Ireland failed to notify the Data Protection Commissioner until Friday of last week, ten months after the first theft, and at the time of writing had still not written to individual customers whose information was lost.

What justification did Bank of Ireland give for this failure? One of the key planks of their defence was that they had “monitored all of these customer accounts and can confirm that there has been no evidence of fraudulent or suspicious activity”. This, however, completely fails to address the point. Identity theft doesn’t necessarily involve emptying the existing accounts of customers – instead it’s common to take out new credit cards or loans in those names, ruining the credit ratings of those customers in the process. How would Bank of Ireland monitoring their own accounts protect customers from fraud elsewhere? Quite apart from that, this would not justify customers being kept in the dark and denied the opportunity to take their own steps to protect themselves – which might involve voting with their feet and taking their business to a bank which takes their privacy more seriously.

It’s not yet clear what sanctions (if any) Bank of Ireland might face for this breach. (Though it’s worth noting that in a similar case in England the Financial Services Authority fined the Nationwide Building Society £980,000 for failing to have adequate information security procedures and controls in place.) But the most important point to take from this case is the need for a change in the law.

At the moment, there is no general legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied. We’ve said before that it’s time that this was changed. In the US, for example, many states have laws requiring that you be warned if your information is compromised. This has been successful in helping individuals to protect themselves and also in providing an incentive for companies to invest in security, knowing that they will no longer be able to sweep their failings under the carpet. In fact, the European Data Protection Supervisor has now recommended that it is time for such a law at a European level, and has suggested amendments to the forthcoming e-Privacy Directive.

If you agree that you should have a right to be warned when your data is compromised, you should start by writing to the Minister for Justice (minister@justice.ie) and to your MEPs. (Contact details for MEPs.) Ask them to support the proposals of the European Data Protection Supervisor on security breach notification.

You can also write to your local TD. Most now use email, with the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TDs here. Let them know that privacy is an important issue for you. And let them know that unless data retention is stopped, it is only a matter of time until telephone, internet and email records are similarly leaked.