(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The personal data of about 10 000 customers of the Bank of Ireland (BOI) are now in the possession of thieves as four laptops with the unencrypted data were stolen from the bank between June and October 2007.

The four stolen laptops had been used by staff working for the bank's life assurance division. Not only the customers' data including medical history, life assurance details, bank account details, names and addresses were not encrypted, but the bank notified the thefts to the Data Protection Commissioner in Ireland only on 18 April 2008. Furthermore, until now the bank has not written to individual customers whose information was lost.

The case is now investigated by the Financial Regulator as well as by Billy Hawkes, the Irish Data Protection Commissioner. "The investigation will focus on the justification for the personal data, including sensitive medical data in some cases, being placed on the laptops in the first place, the security arrangements in place and the exact circumstances which led to the delay in the reporting of this matter internally within the Bank of Ireland to the appropriate personnel for the taking of further action," said a statement from the Commissioner.

The only justification the bank gave in its defence was that it "monitored all of these customer accounts and can confirm that there has been no evidence of fraudulent or suspicious activity" which, of course, cannot possibly cover fraud that may occur somewhere else. And this definitely does not justify the fact that the bank did not notify its customers so that they may protect themselves.

It's not yet clear what sanctions will the bank receive or whether it will receive any sanctions at all. In a similar case in England, the Nationwide Building Society was fined around 1 300 000 euro by the Financial Services Authority for having failed to provide proper information security procedures and controls.

"Consideration will then be given as to what further action will be sought from Bank of Ireland to ensure that the obligations contained in the Data Protection Acts in this area are met. The Data Protection Commissioner and the Financial Regulator are cooperating on this matter and we will refer any relevant issues to the Financial Regulator" says the Commissioner's statement.

More and more, financial organisations create a risk to the security of their customers' data. According to the UK Information Commissioner's Office half of the data security breaches in the private sector reported since last November involved financial services companies.

The problem is that, presently, there is no general legal obligation for a body to notify the people in case of losing their data. As reported by EDRi-gram, the European Data Protection Supervisor has suggested amendments in this respect to the forthcoming e-Privacy Directive.

Bank alert as details of 10,000 files stolen (22.04.2008)
http://www.independent.ie/national-news/bank-alert--as-details-of-1000...

Lessons from Laptop Loss - the Bank of Ireland case and Mandatory Reporting of Data Loss (23.04.2008)
http://www.digitalrights.ie/2008/04/23/lessons-from-laptop-loss-the-ba...

Bank of Ireland loses thousands of customer records (23.04.2008)
http://www.out-law.com/page-9069

EDRI gram - EDPS endorses data breach notification provision in ePrivacy Directive (23.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification