Data Protection Commissioner publishes report of investigation into theft of stolen laptops containi
In the early hours of 5 June 2009, four laptops were stolen from the premises of a large supplier in the utilities sector (“Utilities Supplier”) in Dublin. The Utilities Supplier reported the theft to the Office of the Data Protection Commissioner (“ODPC”) that day, and later that week confirmed that three of the laptops were unencrypted and that one of those contained personal data relating to new customers. The ODPC launched an investigation, and it recently published its report (the “Report”).
The Report details how the unencrypted laptop came to contain records relating to 93,857 customers, including names, addresses, email addresses, and financial data. A data analyst had for “pragmatic business reasons” downloaded the files from the sales management system (on which new customer data is held). The files were saved to the laptop in question rather than to the network drives.
The Report made the following findings:
- Appropriate security measures were not in place on the laptop
The Report found that the personal data in question should not have been saved onto the laptop, which should itself have been encrypted. The Utilities Supplier stated that only 40 laptops of the 409 it possesses were unencrypted, and that these were due to be encrypted in any event regardless of this incident. It also stated that it had provided sufficient guidance to its staff as regards the saving of data locally on laptops. The ODPC accepted that the Utilities Supplier had, or was in the process of rolling out, appropriate encryption policies, but also found that it “was not apparent” that a staff member who read the guidance regarding the saving of data locally “would clearly understand” it. The Report concluded that there was not an appropriate level of security on the laptop and therefore the Utilities Supplier had breached section 2(1)(d) of the Data Protection Acts, 1988 and 2003 (the “Acts”).
- Inadequate system of checks and balances
The Report noted that the data analyst at the centre of this matter had analysis, verification and administrator roles. It stated that it was unusual for one person to perform all of these roles and that such a situation was not capable of providing the usual checks and balances that are needed to ensure that all access to personal data is appropriate and restricted to those who require such access to perform their roles. It also pointed out that oversight of the tasks performed by the analyst in question was insufficient. The ODPC took the opportunity of the investigation to carry out a wider examination of the levels of access granted across the Utilities Supplier’s business. It found that the normal policies that it expects to see in place to ensure “need to know” access to personal data were absent. Accordingly, it found that the Utilities Supplier breached section 2(1)(d) of the Acts by failing to take appropriate measures to ensure “need to know” access only.
- Files were retained for longer than was necessary
The data held on the laptop was compiled between November 2008 and May 2009. The Report notes that the purpose of storing this data in the sales system (from where it was copied to the laptop) was for daily verification. Once a new customer application was either approved or rejected, this data was no longer required in the sales process. Accordingly, there was “no apparent basis” for the continued retention of the data. The Report concludes that the Utilities Supplier breached section 2(1)(c)(iv) of the Acts by retaining personal data for longer than was necessary for the purpose for which it was collected.
In reaching the above findings, the Report notes that the largest contributory factor was likely to be the “historical gaps” in the data protection policy at the Utilities Supplier and that the findings are not representative of the “generally serious and committed approach” to data protection that is now in place at the Utilities Supplier. The Report also noted that the Utilities Supplier contacted the ODPC immediately (though some important information was only communicated a week later) and co-operated fully with the ODPC, including by informing the data subjects in question and their financial institutions. The Utilities Supplier also undertook to respond to complaints received from customers and to address them to the best of its ability.
Nonetheless, the ODPC did make some recommendations for the Utilities Supplier, which the Utilities Supplier is implementing. It has already completed a full review to ascertain who has access to personal data, and is drafting policies to specify who may have such access in the future (i.e. only those who “need to know”) and to set out how long personal data will be held for. The Utilities Supplier has also given its IT department central responsibility for data protection matters, and has set up an Information Security Committee (with a dedicated Information Risk Officer) to coordinate data security policies across all business groups. Finally, the Utilities Supplier is putting in place a comprehensive Information and Security Training programme for all its staff.
It is worth noting that although 90 per cent of the Utilities Supplier’s laptops were encrypted and staff were told (though perhaps not clearly) not to store personal data locally on the laptops, personal data in relation to over 90,000 people were still lost and, even though the Utilities Supplier took a “generally serious and committed approach” to data protection, it still had to put in place new policies and structures. It may not have been prosecuted in relation to its breach of the Acts, but the Utilities Supplier suffered reputational damage at a time when people are caring more and more about the security of their personal data. In this context, the benefits of taking data protection seriously are clear to see.