Important personal data lost by the Bank of Ireland

By EDRi · May 7, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The personal data of about 10 000 customers of the Bank of Ireland (BOI) are
now in the possession of thieves as four laptops with the unencrypted data
were stolen from the bank between June and October 2007.

The four stolen laptops had been used by staff working for the bank’s life
assurance division. Not only the customers’ data including medical history,
life assurance details, bank account details, names and addresses were not
encrypted, but the bank notified the thefts to the Data Protection
Commissioner in Ireland only on 18 April 2008. Furthermore, until now the
bank has not written to individual customers whose information was lost.

The case is now investigated by the Financial Regulator as well as by Billy
Hawkes, the Irish Data Protection Commissioner. “The investigation will
focus on the justification for the personal data, including sensitive
medical data in some cases, being placed on the laptops in the first place,
the security arrangements in place and the exact circumstances which led to
the delay in the reporting of this matter internally within the Bank of
Ireland to the appropriate personnel for the taking of further action,” said
a statement from the Commissioner.

The only justification the bank gave in its defence was that it “monitored
all of these customer accounts and can confirm that there has been no
evidence of fraudulent or suspicious activity” which, of course, cannot
possibly cover fraud that may occur somewhere else. And this definitely does
not justify the fact that the bank did not notify its customers so that they
may protect themselves.

It’s not yet clear what sanctions will the bank receive or whether it will
receive any sanctions at all. In a similar case in England, the Nationwide
Building Society was fined around 1 300 000 euro by the Financial Services
Authority for having failed to provide proper information security
procedures and controls.

“Consideration will then be given as to what further action will be sought
from Bank of Ireland to ensure that the obligations contained in the Data
Protection Acts in this area are met. The Data Protection Commissioner and
the Financial Regulator are cooperating on this matter and we will refer any
relevant issues to the Financial Regulator” says the Commissioner’s

More and more, financial organisations create a risk to the security of
their customers’ data. According to the UK Information Commissioner’s Office
half of the data security breaches in the private sector reported since last
November involved financial services companies.

The problem is that, presently, there is no general legal obligation for a
body to notify the people in case of losing their data. As reported by
EDRi-gram, the European Data Protection Supervisor has suggested amendments
in this respect to the forthcoming e-Privacy Directive.

Bank alert as details of 10,000 files stolen (22.04.2008)–as-details-of-10000–files-stolen-1354910.html

Lessons from Laptop Loss – the Bank of Ireland case and Mandatory Reporting
of Data Loss (23.04.2008)

Bank of Ireland loses thousands of customer records (23.04.2008)

EDRI gram – EDPS endorses data breach notification provision in ePrivacy
Directive (23.04.2008)