Reporting of data security breaches

Ireland’s data protection legislation was introduced in 1988, but the law only came to public attention after several high-profile data breaches in recent years. As in other jurisdictions, there have been calls for the introduction of an obligation to notify the authorities when a data breach has occurred or is likely to occur.

The Data Protection Commissioner has previously indicated that Ireland is likely to introduce a mandatory reporting law which will obligate data controllers to notify data subjects when their personal data has been leaked. At present, the EU plans to introduce a mandatory reporting law, but it would only apply to telecoms providers.

Karlin Lillington, in today’s Irish Times, adds her voice to those calling for a mandatory reporting law for all personal data breaches. She makes the point that the extent of data breaches will probably not be known until a mandatory reporting law is introduced, as was the case in California. This contention is supported by the Commissioner’s 2009 annual report, which attributes the increase in voluntary reporting of data breaches “to a greater awareness among organisations of their data protection responsibilities.” However, Karlin does not believe voluntary reporting is sufficient.

Given the reluctance of organisations to use a basic security tool such as encryption to lock down personal data, we need a legal threat to force adoption of this elementary form of best security practice.

We cannot sit about and wait for years for the subject to come back on to Europe’s agenda. No Irish citizen should have to wonder for years whether financial institutions, health organisations, insurance companies, energy suppliers, telecommunications companies, Government departments or small neighbourhood companies are keeping data safe – or dealing with the potentially catastrophic consequences if they are not.

In the UK it has been argued that a security breach notification law is not necessary. Dr. Chris Pounder argues that the existing law may already require data controllers to contact data subjects who are at risk of identity theft following a data security breach.  Dr. Pounder bases this argument on the seventh principle in the UK Data Protection Act 1998, which requires data processors to establish “a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage … and the nature of the data to be protected.”

He says that compliance with the seventh principle requires a risk assessment which will enable the organisation to determine what level of security is appropriate and to implement that level of security. Allied to that is the recent amendment to the UK legislation to allow the Information Commissioner (the UK equivalent of the Data Protection Commissioner) to fine an organisation up to £500,000 for serious breaches of data protection law. Dr. Pounder argues that the loss of unencrypted personal data would qualify as such a serious breach and could result in a fine.  He contends that the type of data security breach laws widely adopted in US states are already present in the data protection principles set out in European data protection legislation.

This argument relies on an interpretation of the existing law, which can be challenged by a data controller or processor. The Irish Data Protection Acts 1988 and 2003 are similar to the UK legislation and require that appropriate security measures are taken to protect personal data. The legislation sets out the criteria to be considered when evaluating what security measures are appropriate and the Commissioner has published guidance on this point. However, the Irish legislation does not provide for the extensive penalties possible under the UK law and it may be a stretch to extend Dr. Pounder’s argument (if that argument is accepted at all) to Irish law. At any rate, a specific provision in the DPA would be preferable to an interpretation.

A report from the Data Protection Review Group established by the Minister for Justice is expected soon and may well recommend the introduction of a mandatory reporting law. The Group’s consultation paper makes the point that a change in the law will not necessarily ensure protection against data breaches, but would “reduce the prospects of damage being done by such losses.”

The Group’s evaluation of the regulatory options shows concern that a move toward mandatory reporting could erode the historical approach, in which the Commissioner and data controllers collaborate in resolving data protection issues, and could force the Commissioner into a more confrontational enforcement role.

Such a role would provide more certainty and ensure that penalties apply where appropriate, but could involve significant cost on the part of the Commissioner’s office and would likely require the recruitment of enforcement specialists. Last year, for example, the Commissioner’s office put its legal requirements out to tender and the range of likely services sought tends to suggest that the expertise required to implement any new enforcement powers does not currently exist in-house.


3 thoughts on “Reporting of data security breaches”

  1. Good post. As a practical matter I can’t help but feel that Irish developments are unlikely so long as there are signs of movement at EU level. The data breach notification provision in the Telecoms Package was a significant measure – perhaps we would have the greatest likelihood of success if we seek Irish government support for Viviane Reding’s wider data breach notification proposals.

  2. Indeed. I think the indication in the Working Group consultation paper that enforcement costs could be an issue is the ‘out’ that the Group, Government or Commissioner would need to argue against a solo run for now.

    And they would be right. If the Commissioner felt, on cost grounds, unable to appear in the High Court in proceedings specifically involving the interpretation of the Data Protection Acts (EMI v. eircom), it is hard to see how his office has sufficient funds for any significant enforcement proceedings.
