BoI faces possible €100k fine and claims over stolen laptops

Bank of Ireland could face legal action and penalties following the theft of four laptops containing the data of 10,000 customers.

The data protection commissioner said yesterday that if the bank fails to comply with the recommendations of its investigation it could then face prosecution.

It did say that this would be unlikely, but could not be ruled out.

But information security expert Paul Dwyer, who has worked with the US Secret Service and the FBI, said he believes that if the bank is found in breach of the Data Protection Act, the thousands of customers affected could take civil actions against the bank.

He also said that the bank could face fines of up to €100,000.

Assistant commissioner at the office of the data protection commissioner Diarmuid Hallinan said it expects a report on the incidents from BoI by the end of the week.

The data commissioner’s investigation will focus on the justification for the personal data, including sensitive medical data in some cases, being placed on the laptops in the first place, the security arrangements in place and the exact circumstances that led to the delay in its being reported internally within BoI to the appropriate personnel for the taking of further action.

Mr Dwyer added that the encryption of laptops for an organisation like BoI would cost a few euro per laptop.

“It is not a complicated procedure and would only take a few minutes. It is inexcusable that a company like Bank of Ireland would not have its laptops encrypted,” he said.

“The major risk to having the laptops out in the public domain is identity theft. People would pay a lot of money to get the type of information that was on those laptops — that information would be gold to them.”

Chief security architect with Citrix Chris Mayers added that “in these days of secure remote access there is rarely any need for data to be saved onto laptops at all”.

Director of software company Glandore James Gavin said it is time for Ireland to adopt the Californian model where if a customer’s data is stolen or illegally accessed then they have to be informed as a priority.

Last year, the Nationwide Building Society in Britain was fined £980,000 (€1.2m) following the theft of a laptop from a Nationwide employee’s home, which contained confidential customer data. The Financial Services Authority found that Nationwide did not start an investigation until three weeks after the theft occurred.

“Recent disclosures by the Blood Transfusion Service, Jobs.ie, and now Bank of Ireland, show the increasing amount of personal data being released which has the possibility of ruining someone’s life. Currently, a company doesn’t even have to tell you if your information has been stolen.

“The data could be used to apply for mortgages, large loans, credit cards, driving licences, passports, and even birth certificates. A small amount of information and you can access the bank accounts of people. It is safe to assume that this type of theft occurs far more often than we know,” he said.

Also yesterday the Financial Regulator confirmed that it has been informed of this matter by Bank of Ireland, adding that it expects financial institutions to comply with all aspects of the law and regulatory requirements.

“Any failures which impact negatively on consumers are of particular concern,” it said.

Timeline

* June to October 2007: Four Bank of Ireland laptops are stolen from three cars and one bank branch.

* February 2007: The bank becomes aware that the laptops were stolen.

* Thursday, April 17: The matter is reported to the Financial Regulator.

* Friday, April 18: The matter is reported to the Data Protection Commissioner’s Office.

* Monday, April 21: News that the laptops have been stolen is reported.

© Examiner Echo Group Limited