Lessons from laptop loss: Legal consequences where organisations lose personal dataTJ McIntyreSolicitor, Lecturer in UCD School of LawChairman of Digital Rights Ireland7 April 2011

The last few years have seen multiple cases - both internationally and in Ireland - of largescale data breaches where hundreds of thousands of individuals have seen their personal information compromised. In response, Ireland and the EU are increasingly beginning tofollow the lead of the United States by introducing legal rules requiring organisations tonotify the affected individuals and/or the relevant data protection authorities. Thispresentation briefly outlines the law as it currently stands along with proposals for change inthe near future

Please note that this document is merely a summary of some points which will be made and isn’t intended to serve as a full description of the law in this area.

Introduction

The technology which makes it easier to gather, store and process information also makes itsubstantially easier to lose that information. Whether the process is a disgruntled insider witha USB key, a lost laptop or a server which has been remotely compromised the outcome isoften the same: many individuals put at risk by virtue of their personal data being lost. Whatlegal issues do these situations present?

Obligations to keep data secure – and liability for failure to do so

Such breaches are often also a breach of legal obligations owed by the data controller (or dataprocessor) to the individuals affected. These obligations may arise under either theconstitutional right to privacy, data protection law, sector-specific laws (such astelecommunications

or banking) or the general law (under contract or the duty of confidence,for example).For our purposes, the most important of these security obligations are those established under the Data Protection Acts 1988 and 2003. Section 2(1)(d) establishes the general principlethat:

2.-(1) A data controller shall, as respects personal data kept by him or her, comply with the followingprovisions:(d) appropriate security measures shall be taken against unauthorised access to, or unauthorisedalteration, disclosure or destruction of, the data, in particular where the processing involves thetransmission of data over a network, and against all other unlawful forms of processing.

Section 2C then elaborates on “appropriate security measures”:

See the Electronic Privacy Regulations (S.I. No. 535 of 2003 as amended by S.I. No. 526 of 2008).

2C.- (1) In determining appropriate security measures for the purposes of section 2(1)(d) of this Act, inparticular (but without prejudice to the generality of that provision), where the processing involves thetransmission of data over a network, a data controller -(a) may have regard to the state of technological development and the cost of implementing themeasures, and(b) shall ensure that the measures provide a level of security appropriate to – (i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and(ii) the nature of the data concerned

Significantly, section 2C also imposes duties to train and monitor employees and others withaccess to data:

(2) A data controller or data processor shall take all reasonable steps to ensure that(a) persons employed by him or her, and(b) other persons at the place of work concerned, are aware of and comply with the relevantsecurity measures aforesaid.

And, crucially, section 2C also imposes obligations on data controllers to have contractualcontrols in place with data processors and to take reasonable steps to enforce those controls:

(3) Where processing of personal data is carried out by a data processor on behalf of a data controller,the data controller shall(a) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contractprovides that the data processor carries out the processing only on and subject to theinstructions of the data controller and that the data processor complies with obligationsequivalent to those imposed on the data controller by section 2(1)(d) of this Act,(b) ensure that the data processor provides sufficient guarantees in respect of the technicalsecurity measures, and organisational measures, governing the processing, and(c) take reasonable steps to ensure compliance with those measures

Section 7 then creates a general duty of care on the part of the data controller (or processor)towards the data subject:

7. - For the purposes of the law of torts and to the extent that that law does not so provide, a person,being a data controller or a data processor, shall, so far as regards the collection by him of personal dataor information intended for inclusion in such data or his dealing with such data, owe a duty of care tothe data subject concerned

Consequently, as a result of this statutory tort it is clear that failure to comply with this dutyof care which results in the loss of data may result in liability to the data subject. Althoughthere does not appear to be any reported Irish decision on this point in the context of the dataprotection duty, comparison can be made with

Gray v. Minister for Justice

in which totaldamages of €70,000 were awarded on foot of negligent disclosure of information by amember of An Garda Síochána, contrary to the constitutional right of privacy.

[2007] IEHC 52.

It is important to note that

Gray

used a negligence based standard of liability rather than asking whether therewas a deliberate and conscious violation of the constitutional right to privacy. A similar standard was apparentlyused in the unreported decision in

Sinnott v. The Nationalist and Leinster Times Limited

(High Court, Budd J.,30 July 2008), where the court awarded €11,000 damages against the Carlow Nationalist for the negligent (butnot deliberate) publication of a photograph of a GAA footballer which exposed his private parts.

Limitations of a liability-based regime

While this liability-based regime will offer redress in some cases, it has been argued that itdoes not go far enough in regulating the activities of data controllers, particularly whenapplied to large scale data breaches.The first problem is obvious: organisations which lose data do not generally have anincentive to advertise that fact. This has a number of knock-on consequences. Withoutknowledge of a breach an individual will not be able to take steps to protect himself (e.g. bycancelling a credit card). Consequently, any response becomes reactive (seekingcompensation for loss) rather than proactive (seeking to prevent the loss from materialising).In addition, where a person does suffer damage, he may not know where the damageoriginates. For example, if an individual shops with several different online services, it willbe difficult if not impossible for him to know which was responsible for the disclosure of credit card details. In this case, the cause of action established by section 7 may be of littlevalue.A second problem relates to the procedures which must be followed to seek redress. In theabsence of a class action mechanism in Irish law it is unlikely that any particular individualwill have the wherewithal (or have suffered sufficient damage individually) to justifybringing an action.A third problem arises due to uncertainty as to the type of harm which is covered within thesection 7 duty of care. Suppose, for example, A suffers from a sexually transmitted disease.He learns that an unencrypted laptop containing his details (and those of many others) isstolen from his doctor’s car. He is understandably distressed by this fact and fears that hismedical information will become public, though it is extremely unlikely that it will. Does Ahave a cause of action under section 7?The comparable provision in UK law – section 13 of the Data Protection Act 1998

– explicitly provides for this situation by separating the concepts of damage and distress, andestablishing a general rule that distress is not actionable on its own.

It remains unclear,however, whether the same result would be reached under Irish law.

Towards data breach notification

Section 13 provides as follows:(1) An individual who suffers damage by reason of any contravention by a data controller of any of therequirements of this Act is entitled to compensation from the data controller for that damage.(2) An individual who suffers distress by reason of any contravention by a data controller of any of therequirements of this Act is entitled to compensation from the data controller for that distress if— (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes.(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had takensuch care as in all the circumstances was reasonably required to comply with the requirement concerned.

Though compare para. 63 in

Murray v. Big Pictures (UK) Ltd.

[2008] EWCA Civ 446 where the Court of Appeal suggests that article 23 of the Data Protection Directive may require that “damage” be given a wider interpretation in section 13, undermining the assumption that “damage” applies only to pecuniary loss.

Where the primary concern is that information might become public at a later stage, an analogy might bedrawn with the so-called “worried-well” cases and in particular

Fletcher v. Commissioners for Public Works

[2002] IESC 8.