Following the biggest hacking attack ever in Ireland, it's important for everyone to take stock of the principles of data protection law. It has been reported that personal data concerning 1.1 million consumers across Europe was stolen from Ennis-based LoyaltyBuild, which operated holiday breaks schemes for brands such as SuperValu, Axa, Electric Ireland and Pigsback.
Data protection is recognised as a human right in the EU Charter of Fundamental Rights. The legislation requires, for example, that data be processed fairly, only collected for specified purposes, and kept secure. Culturally speaking, the principles are rooted in lessons from European history of extensive surveillance and information-gathering by totalitarian regimes.
The responsibility for compliance with data protection lies with the data controller, for example a business which determines the purposes and means of processing the data. If the business outsources the processing to another company, that company is referred to as a data processor. It appears that in this case credit card details may have been stored with 3-digit CVV numbers in unencrypted form. If this happened, the credit card information was not processed fairly (as it should only have been kept long enough to process the payment) and was not kept securely. It also breaches the non-statutory Payment Card Industry standards.
The responsibility for adherence to the principles lies with the data controllers - the companies such as Axa, Electric Ireland and Musgrave Group (which presumably operates the loyalty scheme for SuperValu stores). This is a timely reminder to all businesses that they need to regularly review their compliance with data protection and payment standards, and to ensure that any subcontractors also comply with these standards.
The data breach was notified to the Data Protection Commissioner, Mr Billy Hawkes. He sent two investigators to LoyaltyBuild and issued press releases on the status of the incident. His role is a vital part of data protection law, and businesses need to be aware of the Commissioner's extensive powers, and the possibility of unannounced 'dawn raids' at any time.
The Gardaí are investigating the hacking attack and, if the perpetrators are found, criminal prosecution may follow. However, they may well have disguised their location and identities using technical tools. While Irish law on cybercrime is relatively robust, we have not yet ratified the Cybercrime Convention of 2001 and we have not implemented the 2005 EU Framework Decision on Attacks against Information Systems, which could make the prosecution of such crimes more straightforward.
This incident will increase awareness amongst consumers of the risks of telephone and e-commerce payments. It is important for all of us to constantly check our financial statements, as even a small transaction may indicate a compromised account. We also need to hesitate before dealing with an unknown website - we can take steps such as checking online reviews for the site, ensuring that it uses "https://" in the web address and using a PayPal account for payment when available.
But the primary message from this incident is that society needs to take data protection more seriously. We need a heightened awareness of the need for tight, well-funded regulation of data protection. This is not a luxury, but an essential part of the balance between business and consumer interests in commercial transactions. A new EU Data Protection Regulation is currently being drafted, and we all have a responsibility to ensure that it is fit for purpose, robust and workable. There is no room for complacency or apathy in this area.
Dr Darius Whelan is Director of the LLM in Intellectual Property and E Law, Faculty of Law, UCC
Copyright © 2011-2017 Cork Independent