Wednesday 29 March 2017

Eircom faces legal action over theft of unencrypted laptops

Mark Hilliard

EIRCOM is likely to become the first company ever to be prosecuted for not protecting sensitive customer information following the theft of three unencrypted company laptops.

If prosecuted and found guilty, the company could face fines of up to €500,000.

There have been other high-profile cases of companies losing laptops that held non-encrypted data, but none of these have faced legal action.

Information including names, addresses and phone numbers belonging to 6,845 Meteor and eMobile customers as well as 686 Meteor employees -- companies owned by Eircom -- was stored on the computers.

The thefts took place at Eircom's Parkwest offices in Dublin and, in a separate unconnected incident, from a private address of an employee over the Christmas period.

The bank account details of 550 customers were also held and it took the company over a month to report the thefts on February 2.

The Office of Data Protection (ODP) is currently investigating why the company delayed and yesterday the Data Protection Commissioner Billy Hawkes said it was "one of the most serious breaches" ever reported.

He would not comment on whether charges would be brought but only that an investigation was underway. Gardai and Eircom are also investigating the thefts.

A spokesman for Eircom said that the delay in reporting the matter was due to their efforts to find out exactly what data was held on the laptops and which customers were affected.

He said that customers would have been contacted by yesterday evening. Letters were also being sent out yesterday.

Now the company faces the very real prospect of being charged under new legislation that came into effect last July and relates specifically to communications companies.

Under the legislation -- known as Regulation 4 of SI 336, 2011 -- they can be charged with failing to have appropriate security to protect personal data as well as an undue delay in reporting a breach.

Each offence carries a separate potential fine of €250,000. In the past the ODP has investigated the HSE after one of its laptops with private client information was stolen from its Roscommon office in 2009.

In the same year a laptop was stolen from Bord Gais containing the bank account details of 75,000 customers.

However, while Eircom may face prosecution, the legislation only applies to telecommunications companies because they are deemed to store more sensitive personal information.

EU legislation is likely to further apply the law to other sectors, although this is not expected to come into force for a number of years.

Irish Independent

Promoted articles

Editor's Choice

Also in Irish News