Cork Independent


Society needs to take data protection seriously

Thursday, 21st November, 2013 12:00am

Following the biggest hacking attack ever in Ireland, it's important for everyone to take stock of the principles of data protection law. It has been reported that personal data concerning 1.1 million consumers across Europe was stolen from Ennis-based LoyaltyBuild, which operated holiday breaks schemes for brands such as SuperValu, Axa, Electric Ireland and Pigsback.  

Data protection is recognised as a human right in the EU Charter of Fundamental Rights. The legislation requires, for example, that data be processed fairly, only collected for specified purposes, and kept secure. Culturally speaking, the principles are rooted in lessons from European history of extensive surveillance and information-gathering by totalitarian regimes.

The responsibility for compliance with data protection lies with the data controller, for example a business which determines the purposes and means of processing the data. If the business outsources the processing to another company, that company is referred to as a data processor. It appears that in this case credit card details may have been stored with 3-digit CVV numbers in unencrypted form. If this happened, the credit card information was not processed fairly (as it should only have been kept long enough to process the payment) and was not kept securely. It also breaches the non-statutory Payment Card Industry standards.

The responsibility for adherence to the principles lies with the data controllers - the companies such as Axa, Electric Ireland and Musgrave Group (which presumably operates the loyalty scheme for SuperValu stores). This is a timely reminder to all businesses that they need to regularly review their compliance with data protection and payment standards, and to ensure that any subcontractors also comply with these standards.

The data breach was notified to the Data Protection Commissioner, Mr Billy Hawkes. He sent two investigators to LoyaltyBuild and issued press releases on the status of the incident. His role is a vital part of data protection law, and businesses need to be aware of the Commissioner's extensive powers, and the possibility of unannounced 'dawn raids' at any time.

The Gardaí are investigating the hacking attack and, if the perpetrators are found, criminal prosecution may follow. However, they may well have disguised their location and identities using technical tools. While Irish law on cybercrime is relatively robust, we have not yet ratified the Cybercrime Convention of 2001 and we have not implemented the 2005 EU Framework Decision on Attacks against Information Systems, which could make the prosecution of such crimes more straightforward.  

This incident will increase awareness amongst consumers of the risks of telephone and e-commerce payments. It is important for all of us to constantly check our financial statements, as even a small transaction may indicate a compromised account. We also need to hesitate before dealing with an unknown website - we can take steps such as checking online reviews for the site, ensuring that it uses “https://” in the web address and using a PayPal account for payment when available.

But the primary message from this incident is that society needs to take data protection more seriously. We need a heightened awareness of the need for tight, well-funded regulation of data protection. This is not a luxury, but an essential part of the balance between business and consumer interests in commercial transactions. A new EU Data Protection Regulation is currently being drafted, and we all have a responsibility to ensure that it is fit for purpose, robust and workable. There is no room for complacency or apathy in this area.  

Dr Darius Whelan is Director of the LLM in Intellectual Property and E Law, Faculty of Law, UCC






