the case for mandatory data breach disclosure laws


Upload: brian-honan

Post on 21-May-2015


Category:

Technology



DESCRIPTION

My presentation at the NITeS seminar last year on why Ireland should introduce mandatory data breach disclosure laws

TRANSCRIPT

Page 1: The Case for Mandatory Data Breach Disclosure Laws

Recent news headlines have brought to our attention how vulnerable our personal data is when it is in the hands of the organisations to whom we entrust it. This summer alone saw reports of the loss last year of a laptop by the Comptroller and Auditor General’s office containing the personal details of over 380,000 citizens; during August an online retailer’s security was breached and the hackers accessed the credit card details of the retailer’s customers; and in April Bank of Ireland announced they had lost a number of laptops in 2007 which contained the personal data of over 30,000 customers.

These incidents are worrying enough in their own right, but what is of grave concern is the lack of notice those impacted by these security incidents received. Each of these issues also only came to light a number of months after the original incidents occurred, leaving the sensitive personal and financial details of individuals at risk of being abused by criminals.

The data lost in most of these cases could provide criminals with enough information to attempt a number of crimes, ranging from credit card fraud to full-blown identity theft.

One of the fastest growing crimes

While our Data Protection laws require that companies ensure they provide “adequate security” to protect the personal details of staff and customers, there is no obligation on organisations to notify individuals if those “adequate security” measures fail. Without this type of notification, individuals may not be aware their personal details have been exposed to criminals until they themselves notice unusual transactions on their credit cards or bank accounts, or indeed find their credit rating has been ruined as a result of defaulted loans falsely taken out in their names.

Data Protection Act requires “adequate security”

Organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals. In this age of cyber crime and sophisticated online criminal gangs we can no longer simply hope that the data does not fall into the wrong hands. Individuals need to know when the trust they placed in an organisation to keep their data safe has been breached, in order for them to take measures to protect themselves.

In July 2003 the California Bill SB 1386 came into effect, requiring companies or organisations to notify any Californian resident if their data has been exposed. Companies are not obliged to notify people affected by the security breach should that data be encrypted, which was not the case in the examples at the beginning of this piece, or if such notification would jeopardise an ongoing criminal investigation. Since 2003 over 35 other US states have implemented their own versions of the law.

It is interesting to note that in January 2007 the TJX Corporation, the parent company of TK MAXX stores here in Ireland, announced they had discovered a security breach that exposed over 40 million credit card details belonging to its customers. TJX admitted that the breach could also have impacted Irish customers. However, because there is no obligation on TJX to notify the affected Irish individuals, TK MAXX customers in Ireland do not know if their details have been exposed.

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Not only have the data breach disclosure laws in the United States helped individuals better protect their personal and financial data, but they have also been of benefit to companies. When details are disclosed by the affected company as to how the breach occurred (in the case of TJX it was insecure wireless networks), other companies can learn from the incident and ensure their own systems and data are secure. This is no different to hearing that your neighbour’s house has been burgled: you will take steps to secure your own home.

The European Commission is proposing amendments to the Privacy and Electronic Communications Directive which would oblige telecommunications companies to notify individuals should their personal data be exposed as a result of a security breach. However, this proposal only applies to telecommunications companies and will most likely not come into being until 2011. In that time it is likely that the proposal will be further watered down by industry lobbyists.

Ireland should not wait until the proposed amendment to the Privacy and Electronic Communications Directive comes into place. We cannot wait until 2011; now is the time to introduce mandatory data breach disclosure laws here in Ireland so that individuals whose data is exposed as the result of a security breach are notified. This legislation could complement the existing Data Protection Act and ensure that businesses which do take proper precautions are not overly burdened by it. For example, as with the California SB 1386 law, companies that encrypt the personal data could be exempt from the notification requirements.

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Some will argue that data breach notification will place yet another burden on businesses already tied up with bureaucracy and red tape. I think those supporting that argument miss the point that companies taking the required steps to protect their clients’ data will not be overly impacted by this proposal.

Ireland has taken bold steps in the past to lead the way in introducing legislation to benefit its citizens, the smoking ban and plastic bin tax being two that come to mind. She should once more take the lead amongst our European neighbours and introduce legislation that better protects her citizens and provides an effective information security governance framework for businesses to follow.
