Wednesday, 5 February 2014

Three companies fined over calls and emails to customers


Irish Times Tue, Feb 4, 2014

Three companies have been given court convictions for making unsolicited marketing phone calls and sending spam emails. Energy company Airtricity Ltd, clothing chain Next and Pure Telecom are the latest firms to be successfully prosecuted at Dublin District Court by the office of the Data Protection Commissioner. The case was taken after the watchdog received complaints from members of the public about being contacted for marketing purposes.

Judge William Hamill noted yesterday the companies had pleaded guilty at an early stage to charges under the Data Protection Act, and had contributed to the costs of bringing the case. But he refused to spare them recorded convictions. Pure Telecom was fined €500, Airtricity has to pay a €75 fine and Next was fined €100. Assistant Data Protection Commissioner Tony Delaney told Judge Hamill that one woman had used Next’s unsubscribe facility to stop getting spam from the clothing chain. However, that did not work and on February 25th and February 28th last year she received more marketing emails from the company. “One of them was a gift idea for mother’s day,” Mr Delaney said, adding that they were “typical marketing emails but clearly when she had opted out she should not have been getting them”.

Complaint

Judge Hamill noted the company had no prior convictions and that Next had used a third-party company to handle the unsubscribe process but has since stopped dealing with them.

In relation to Pure Telecom, Mr Delaney said his office received a complaint from a man with an ex-directory phone number who had received two promotional cold calls last March.

Judge Hamill was told Pure Telecom had been fined €1,250 in 2010 for a breach of data protection regulations. The company’s director Paul Connell said the calls came from a third-party agent which has since been dismissed, and he apologised to the complainant.

The court also heard a man with an ex-directory phone number had received a call on May 10th last offering a promotion on behalf of Airtricity, which at the time had been using a third-party sales company to handle the promotion.

Judge Hamill heard this company had been using an old computer with an out-of-date call list from 2009.

The court heard Airtricity had no prior convictions but had been given a formal warning in 2010 in relation to other complaints.

Wednesday, 22 January 2014

77 per cent of company data breaches are caused by employees

The Journal.ie
21st January 2014

The survey found that almost a quarter of Irish companies have experienced multiple data breaches over the past twelve months.

MORE THAN HALF of Irish companies have experienced a data breach in the last twelve months, the majority of which are caused by staff members.

A new report from the Irish Computer Society (ICS), which surveyed IT administrators working in 256 Irish-based companies, found that 51 per cent of companies experienced a data breach in the past twelve months, while 22 per cent experienced multiple breaches.

The majority said that staff members were the main cause of data breaches with 77 per cent of incidents caused by “negligent employees.”

Other threats that concerned IT managers were insecure end-user devices, such as unencrypted laptops containing sensitive data, and external attackers trying to obtain data.

When asked about the correct adoption of data protection procedures, more than one in three said that policies are not implemented or are only partially implemented. Only 39 per cent said that their data protection policies were fully implemented.

The report also found that most employees were satisfied with the level of training they received in data protection with 57 per cent saying they received the right amount. 24 per cent of those surveyed said they received no training in this area, while 16 per cent said they received insufficient training.

The Chairman of the Association of Data Protection Officers, Fintan Swanton, believed it highlighted the need for organisations to take steps in managing their company’s data.

Employees might appreciate the importance of data security, but organisations need to instil a culture of compliant data management… It is as much a case of protecting the organisation’s commercial reputation, as it is of protecting the individual’s privacy.

The survey comes after new data protection legislation came into effect. The new legislation will require most organisations to have a Data Protection Officer.

Tuesday, 14 January 2014

Retailers seek tougher online security on data breaches


Irish Independent

Monday 13 January 2014

A top retail trade group executive on Sunday called for tougher security standards that could mean more spending for the industry, its banks and business partners after a series of data breaches at major merchants.

Stores and card processing companies have reported a steady stream of security breaches for years, such as those disclosed by TJX Cos in 2007 and by Heartland Payment Systems Inc in 2009, without a major backlash from consumers.

But the latest thefts - including attacks on Target Corp and Neiman Marcus - have involved a broad set of merchants and could mark a watershed moment for security standards as calls grow for changes in the protection of consumer information.

One sign of the change is a new enthusiasm for payment cards that store customer information on computer chips and require users to type in personal identification numbers.

Mallory Duncan, general counsel of the National Retail Federation that represents Target, Wal-Mart and other big stores, said in an interview on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes.

The breaches are "unfortunate but we're not entirely surprised," Duncan said at his organization's annual convention now being held in New York.

"The technology that exists in cards out there is 20th-century technology and we've got 21st-century hackers," he said.

Duncan said the trade group had only made its backing for the higher-security cards public since the Target breach. Banks have quietly begun to offer the cards but mainly for customers to use while traveling. Big U.S. card networks led by Visa Inc will not require the higher security until next year at the earliest.

It is not clear the new "Chip-and-PIN" cards would have prevented the breaches at Target and elsewhere. At the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.

They have met with much less enthusiasm in the United States, in part because losses to fraud - just 5 cents for every $100 spent via plastic - have been manageable for merchants and their banks. But rising fraud rates, and the risk of identity theft, could change the calculation.

Tuesday, 7 January 2014

Public concern about access to personal data on rise in Ireland


Irish Times 7th January 2014
 
Data Protection Commissioner Billy Hawkes: “One thing we certainly don’t have is a light touch. We have a very rigorous approach to oversight of organisations.”

While the revelations of whistleblower Edward Snowden about the surveillance activities of the United States National Security Agency (NSA) extended tentacles into the related area of data protection in 2013, regulators in the European Union spent most of the year wrestling with proposals to harmonise the law across 28 member states.

A new EU regulation, first tabled in a proposal by the European Commission in 2012, would place new responsibilities on the regulators and also on businesses throughout the union.

Negotiations have stalled and the regulation is now unlikely to scrape through before the European Parliament elections in May. But the proposals still on the table would, in theory, place an extra burden on Ireland’s Data Protection Commissioner, Billy Hawkes.

The so-called one-stop shop mechanism would likely see him become the lead regulator in Europe for major multinationals with head offices in Ireland, including such companies as Facebook, Google and Apple.

In comments at a privacy conference in Brussels last month, Mr Hawkes indicated he did not relish the prospect of taking on the responsibility for regulating such multinationals for all citizens of the EU.


One-stop shop
Saying he would not view the one-stop shop “with any great enthusiasm”, he suggested it would draw resources from dealing with complaints about the likes of telecommunications firms and others, which are a greater source of complaints to his office by Irish citizens.

“However, as a good European, which I try to be, I do accept the logic of the one-stop shop and I will accept the consequences and the burdens that go with it,” he said.

Speaking at his office in Portarlington before that conference, Mr Hawkes said he was already prioritising for attention those companies operating across the EU for which processing of personal data was core to their activities.

“Depending on, obviously, the number of the companies involved – and certainly if many more companies were to declare to be established in Ireland for data protection purposes – we would require more resources to be able to discharge our oversight responsibilities.”

He welcomed what he said was a clear commitment by Minister for Justice Alan Shatter to ensure he was adequately resourced for any new responsibilities – though again it remains to be seen what will emerge.

Privacy campaigners such as the Austrian-based Europe v Facebook group believe his office has not been sufficiently robust in its enforcement actions.

The group, led by Max Schrems, is seeking judicial review of Mr Hawkes’s decision not to pursue complaints made to his office about the gathering of personal data under the NSA’s Prism programme from US firms based here. Mr Hawkes is also in the process of making formal decisions on 22 earlier complaints by the group relating to the privacy policies of Facebook, which underwent a major audit by his office two years ago.


Light-touch regulation
Mr Hawkes cautiously describes the approach taken by the complainants as “forceful” and, not for the first time, rejects the suggestion of “light touch” regulation by his office.

“One thing we certainly don’t have is a light touch,” he said. “We have a very rigorous approach to oversight of organisations but we do try to use the resources that are given to us in an intelligent way. It does not necessarily involve always hiring more people on our staff. It can also involve using outside expertise to help us in particular areas.”

Thursday, 2 January 2014

European Court ruling condemns mass surveillance


From Digital Rights Ireland
12th December 2013

The Advocate General of the European Court of Justice today gave an important opinion in our favour in a case brought by Digital Rights Ireland to challenge European mass surveillance law.

The challenge – which we started in 2006 – is to the Data Retention Directive. This is a law which requires ISPs and telecoms companies to record details of all your internet and telephone use – logging details of who you ring or text, where you travel and who you email – and to record that information for up to two years. We argue that this constitutes an unjustified invasion of the right to privacy and in an interim ruling the Advocate General has agreed, holding that the law is a “particularly serious” interference with individual privacy which creates a:

faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.

The Advocate General accepted our argument that storing this information on all citizens created an “increased risk” that it could be used for unlawful, fraudulent and malicious purposes against them – something we have already seen in Ireland where a Garda sergeant has abused the system to spy on a former lover and where it has been used to spy on journalists.

The Advocate General also held that this type of surveillance would have a “chilling effect” on freedom of expression, and went on to say that the Directive failed to provide even “minimum guarantees” regarding access to or use of the information collected on all citizens. According to the Advocate General the Directive therefore “is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union”.

According to the Advocate General:
the collection and, above all, the retention, in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period…

the effects of that interference are multiplied by the importance acquired in modern societies by electronic means of communication, whether digital mobile networks or the Internet, and their massive and intensive use by a very significant proportion of European citizens in all areas of their private or professional activities. [emphasis added]

A final judgment on our case will be delivered next year. In approximately 80% of cases the European Court of Justice follows the opinion of the Advocate General. Even pending the full judgment, however, this is already a significant step forward in the very first case of this nature to be brought to the ECJ and confirms the importance of our case.

Users of public wi-fi may have had personal details stolen


The Journal
11th December 2013

PEOPLE WHO USED wi-fi in public areas such as hotels may have had their details stolen due to security flaws, an Irish firm has warned.

Cork-based IT firm Smarttech.ie said that they had discovered “serious flaws” in cyber security measures after visiting 10 hotels in October and November.

They say that finding the flaws took “minimal” effort.

Smarttech say that they “wanted to demonstrate just how dangerous using unencrypted logins and passwords across a public network can be”.

Over the course of these security tests however, Smarttech.ie soon realised that the level of security being provided was a serious problem. In addition, they say that users seemed “completely oblivious to the dangers of using public wi-fi”.

The company carried out tests on public wi-fi systems and spotted flaws within 20 minutes.

They were then able to access users’ information, including email logins, credit card details, social media passwords and banking information.

In some cases, networks were accessed from outside the hotels.

Smarttech says that they informed all of the hotels and made recommendations on how to close the gaps.

They added that anyone who operates a network should be aware of the security on their network. Under EU law, it is the duty of the premises supplying the network to ensure that the network is secure.

According to Ronan Murphy, CEO of Smarttech.ie, “Consumers need to be aware that if you are accessing public wi-fi there are serious security challenges. The tests we carried out prove that these risks affect anyone using public Wi-Fi. However there are steps that hotels and restaurants can take to secure their Wi-Fi service and therefore protect their customers”.

Tuesday, 3 December 2013

Data Breach at Loyaltybuild: Update 22 November 2013

Following the data breach which occurred at Loyaltybuild in October resulting in the breach of personal data of some 1.5 million individuals (including 376,000 individuals whose full credit card data was compromised), the investigation of the ODPC has been continuing.

The ODPC received a full client company list from Loyaltybuild in respect of those client companies whose customer data was exposed during the data breach. The ODPC immediately instructed Loyaltybuild to notify these client companies of the breach of their customers’ data and received confirmation from Loyaltybuild that this has taken place.

The ODPC also made contact with the client companies of Loyaltybuild based in this jurisdiction and instructed them to inform their customers of the breach of their data in accordance with our data security breach code of practice. The focus of our investigation to date has been uncovering the extent and nature of the personal data involved in the breach and ensuring that affected individuals have been duly notified. It is our understanding that this notification process is nearing completion.

Given the transborder nature of this data breach, the ODPC has taken the important measure of notifying relevant European colleague data protection authorities, providing them with relevant information for any follow-up action they may need to take.

The ODPC investigation is continuing with the focus now on security practices and procedures employed by the company. Part of this phase of the investigation will also involve the carrying out of a follow-up inspection. The company has ceased its processing of personal data until such time as it can satisfy this Office that adequate security measures are in place.