Why Ireland needs a data breach warning law

This piece appeared in the Sunday Business Post recently, summarising why we think it’s time you had a right to be told if your personal information is lost or stolen. Here’s an excerpt:

In the last year alone, multiple cases have come to light: notably Bank of Ireland, which lost personal data on more than 30,000 life assurance customers; the Office of the Comptroller and Auditor General, which lost information on 380,000 social welfare recipients; and Airtricity, which posted the financial details of 1,200 customers on its website for six weeks.

Why have Irish organisations been so slipshod with the information we have entrusted to them? One problem is that the bodies that hold the data suffer little direct damage if the data is lost – it is the individual, not the company, who suffers the harm. Consequently, there is little financial incentive for them to take adequate measures to protect our data.

This is compounded by a lack of transparency. Under Irish law, there is no express obligation for a company that has lost customer data to notify anyone – neither the customer nor the Data Protection Commissioner.

The result is that organisations try to cover up data breaches to save face. Consequently, if your details are leaked, it is entirely possible that the first you will know of it is when you discover that your fraudulent alter ego has enjoyed a spending spree on your credit card or run up huge debts in your name. By then, it’s too late.