Most Irish companies fall foul of IT cyberlaw and face new fines
A majority of Irish businesses are not adhering to legal requirements around IT security, according to a new Red C survey.
The research, commissioned by A&L Goodbody, says that the legal lapses are leaving Irish companies open to legal action and potential fines.
The survey of 200 Irish companies found that two-thirds do not have written IT security policies in place while three in five firms don't train staff on what to do. Such lapses contravene current Irish data protection law and could lead to harsher penalties under new laws to be introduced soon.
"We're entering a new era," said John Whelan, head of A&L Goodbody's international technology practice. "There are new fiduciary duties coming in under legislation here soon. Cyber security is becoming a boardroom issue. In the US, which is a couple of years ahead of us, litigation around this is rife. We're expecting to see some similar activity emerge in Ireland in coming years."
Ireland has traditionally taken a benign approach to data breaches in companies, with just one prosecution against company directors occurring last year. This is despite current research from the Irish Computer Society suggesting that half of Irish organisations have suffered at least one data breach over the last 12 months.
A new data protection law from Europe is set to require mandatory reporting of data breaches.
"We expect to see issues around this revisited in Irish courts soon," said Mr Whelan.
"The courts here have sometimes limited damages here to pecuniary ones as opposed to data-related ones, but there is a noticeable difference between UK and Irish courts in interpreting the same basic EU laws on the issue. I think you'll see the situation here evolve."
The new Red C research found that 63pc of Irish firms don't know what the legal situation is and half of Irish companies use off-site third parties to host data without knowing what their IT security policies are.
It also found that one in four company boards had not been briefed on their business' legal obligations, if any, to deal with a cyber attack.