Data Breach at the Bank of Ireland

TheBishopOfSoho

Hi there, I received a letter from the Bank of Ireland informing me that my details were involved in a data breach going back up to 7 years. It seems that internal emails of BOI employees, containing my name, account number and balance, had been emailed internally, and printed out, and someone external to the bank had handed these printed emails into the bank.

Im pretty stressed that this has happened for obvious reasons, and opened a formal complaint, but its very clear that BOI have broken the law here. They have mentioned that they have informed the Data Protection Commissioners office, but what does that mean? What will the DPC do from there? What options do I have in terms of challenging the bank on this, when they say that the 3 people listed on the emails no longer work for the bank so they cannot investigate further?

Peregrinus

What remedy do you want?

TheBishopOfSoho

Peregrinus wrote: »

What remedy do you want?

What I'm asking I suppose is 2 things:

What does the DPC do when notified of a breach?

What options do I have legally if DPC doesn't do much, I'm not entirely sure the bank are being straight with me, and won't say where this information was handed in, or whether this is a local breach where someone here would know my information.

yosser hughes

The bank are required to notify the DPC. They will have to satisfy that they have investigated the issue and remedies to prevent reocurrence are put in place.
These things happen.
Have you suffered any loss as a result? If not, what exactly are you looking for apart from an apology?

TheBishopOfSoho

yosser hughes wrote: »

The bank are required to notify the DPC. They will have to satisfy that they have investigated the issue and remedies to prevent reocurrence are put in place.
These things happen.
Have you suffered any loss as a result? If not, what exactly are you looking for apart from an apology?

Someone at the bank printed off a load of files with confidential information off them, and.took them home, they say they cannot investigate this as the people involved no longer work with the bank. That seems like like a cop out, what has happened shouldn't have, they have failed in their duty of care with my data and the people involved should still be liable. I want to know exactly how someone from the public came.to have details of my bank accounts and balances. This may not be a big deal to some people but it's worrying that someone locally will have information about me.i don't want share. Will the DPC dig into this, or just brush it up with a generic "All procedures have been followed" line, or do I have legal right to chase this to find out more?

Reati

Peregrinus wrote: »

What remedy do you want?

A heavy fine. Banks seem to do this frequently and nothing hurts home more than a large fine or simular.

OldMrBrennan83

This post has been deleted.

Bubbaclaus

These things happen. You've suffered no loss because of it. Move on.

Peregrinus

TheBishopOfSoho wrote: »

What I'm asking I suppose is 2 things:

What does the DPC do when notified of a breach?

The DPC is mainly concerned to know how the breach happened, and what steps have been taken to prevent it from happening again.

TheBishopOfSoho wrote: »

What options do I have legally if DPC doesn't do much, I'm not entirely sure the bank are being straight with me, and won't say where this information was handed in, or whether this is a local breach where someone here would know my information.

Your concerns are different from the DPC's; you are concerned to assess what risk to you personally the breach presents, and what steps you can take to miminise that risk. At the moment, as I understand it, you have no reason tot think that any actual harm has yet occurred to you because of the breach, but you are concerned that it could.

I wouldn't be relying on the DPC to sort this for you; that's not the DPC's role.

If the bank gave you more information (such as, how long the data was out there, what branch it was handed in it, what data exactly was in the e-mails) you'd be somewhat better placed to assess the risk. But, to be honest, not hugely better placed; you're not likely to find out who saw or might have seen the data while it was out of the bank's control. Precisely because it was outside the bank's control, the bank can never be sure that it has found that out.

Is there anything you can do to minimise the risk to you? Yes, there certainly is, and it's entirely within your control. Close your accounts and take your business to another bank.

The main risk when somebody has your name, address, bank details and bank account number is fraud on your bank account. And you can obviate this risk by closing the account and changing banks.

Reati

Bubbaclaus wrote: »

These things happen. You've suffered no loss because of it. Move on.

No, that's a cop out. These things don't just happen. These things are allowed to happen.

Proper security and DRM / IRM would have prevented this.

yosser hughes

Reati wrote: »

No, that's a cop out. These things don't just happen. These things are allowed to happen.

Proper security and DRM / IRM would have prevented this.

What's a cop out,? The bank have informed the OP and the DPC. How is that copping out?
Well clearly these things do actually happen.
This is human error. It happens.

jimmycrackcorm

Reati wrote:

Proper security and DRM / IRM would have prevented this.

How does that block someone printing?

Reati

yosser hughes wrote: »

What's a cop out,? The bank have informed the OP and the DPC. How is that copping out?
Well clearly these things do actually happen.
This is human error. It happens.

Relax.

Saying these things happen is a cop out. These things don't just happen. The system allows them to happen.

jimmycrackcorm wrote: »

How does that block someone printing?

IRM allows you to set permissions to help prevent documents from being printed, forwarded, or copied.

tricky D

Bubbaclaus wrote: »

These things happen. You've suffered no loss because of it. Move on.

There is breach of confidentiality, loss of secrecy and loss of trust. While less tangible than financial loss they are nevertheless important factors in financial dealings and have been damaged.

Dismissing the incident as you have is not the best way forward in preventing such systemic breaches in the future.

Bubbaclaus

tricky D wrote: »

There is breach of confidentiality, loss of secrecy and loss of trust. While less tangible than financial loss they are nevertheless important factors in financial dealings and have been damaged.

Dismissing the incident as you have is not the best way forward in preventing such systemic breaches in the future.

It's been reported to the Data Protection Commissioner. OP seems to be after some additional personal gain from this.

Fred Swanson

This post has been deleted.

yosser hughes

Fred Swanson wrote: »

This post has been deleted.

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked?
What do you mean by 'remedy' here? You can't undo the data breach.

Bubbaclaus

yosser hughes wrote: »

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked?
What do you mean by 'remedy' here? You can't undo the data breach.

Compo culture infestation in Ireland.

Fred Swanson

This post has been deleted.

Bubbaclaus

Fred Swanson wrote: »

The bank can and should be punished. Sh1t happens is not an adequate response.

It has been reported to the DPC and confirmed with the affected party as required. What exactly are you looking for here? All the steps have been followed.

yosser hughes

Fred Swanson wrote: »

This post has been deleted.

New GDPR rules will mean banks can be fined. Sh1t does happen and will always happen. That's life.

tricky D

yosser hughes wrote: »

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked?
What do you mean by 'remedy' here? You can't undo the data breach.

Yes, Damages in a civil matter is quite normal compensation for a breach of duty of care even if some dismiss it as compo culture.

As for someone being sacked, reread the OP. Also reporting to the DPC is certainly no magic wand that will fix everything.

yosser hughes

tricky D wrote: »

Yes, Damages in a civil matter is quite normal compensation for a breach of duty of care even if some dismiss it as compo culture.

As for someone being sacked, reread the OP. Also reporting to the DPC is certainly no magic wand that will fix everything.

Yes, I read the OP, some staff have left, but sure why not get someone else sacked and a few quid anyway?
I'm glad you clarified, it's about the cash.

tricky D

Cash if you want to call it that. You can dismiss it as compo culture but is no where near the same as people claiming silly money for 'suspected' whiplash. The bank have broken the law and the result is loss of trust, confidentiality and secrecy - would you like to deal with a bank that has damaged those? Also an apology would be nice as well as the cash.

Furthermore, the OP is suspicious that the bank are not being straight with him and are not providing a good account of what has happened. Given that and the behaviour of banks over recent times and culture of immunity, I wouldn't hesitate suing them, they do not deserve to be let off the hook given the crap they have pulled. Puzzling that people defend banks like this.

yosser hughes

tricky D wrote: »

Cash if you want to call it that. You can dismiss it as compo culture but is no where near the same as people claiming silly money for 'suspected' whiplash. The bank have broken the law and the result is loss of trust, confidentiality and secrecy - would you like to deal with a bank that has damaged those? Also an apology would be nice as well as the cash.

Furthermore, the OP is suspicious that the bank are not being straight with him and are not providing a good account of what has happened. Given that and the behaviour of banks over recent times and culture of immunity, I wouldn't hesitate suing them, they do not deserve to be let off the hook given the crap they have pulled. Puzzling that people defend banks like this.

I'm not defending the banks. I'm merely trying to get to the nub of the issue and we finally have. It's about a claim, cash.
'what about de bankers' is the most overused term in Irish life now. Your point about what people claim for whiplash is funny.
So let's not pretend it's anything other than a compo claim okay?

Chimichangas

yosser hughes wrote:

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked? What do you mean by 'remedy' here? You can't undo the data breach.

Bubbaclaus wrote:

It has been reported to the DPC and confirmed with the affected party as required. What exactly are you looking for here? All the steps have been followed.

I'm glad we seem to agree to move on from the 'sh*t happens..'attitude. 🀨

But one could hope an investigation might point out what failures in procedures there were, and what improvements might be made to make sure it doesn't effin' happen again...
Just a thought.

yosser hughes

Chimichangas wrote: »

I'm glad we seem to agree to move on from the 'sh*t happens..'attitude. ��

But one could hope an investigation might point out what failures in procedures there were, and what improvements might be made to make sure it doesn't effin' happen again...
Just a thought.

Yeah, because that's what the OP is really interested in alright:rolleyes:

tricky D

yosser hughes wrote: »

So let's not pretend it's anything other than a compo claim okay?

And what is wrong with compensation in this case? Damage has been done, banks are sill not acting in good faith and the DPC is not a magic wand. Not all compensation claims should be dismissed as part of the culture.

The OP has every right to be furious.

tricky D

Chimichangas wrote: »

But one could hope an investigation might point out what failures in procedures there were, and what improvements might be made to make sure it doesn't effin' happen again...

That is what should happen, but the banks aren't quite like that as we well know.

Bubbaclaus

This thread is gas.

Can someone tell me what damage has been done to the OP to justify compensation? What loss has the OP suffered?

Compo culture gone mad.

hullaballoo

Under the GDPR, it is specifically set out that damages can be obtained for a data breach. Previously, there was a question over whether privacy breaches could attract damages, although most reasonable lawyers think that it would as is par for the course where personal rights are adversely affected.

Funnily enough, the damages recoverable in this jurisdiction for data/privacy breaches are likely to be very low when compared to other jurisdictions in the EU that take such things seriously.

That should keep the usual suspects posting about "compo culture" in here happy.

Bubbaclaus

hullaballoo wrote: »

Under the GDPR, it is specifically set out that damages can be obtained for a data breach. Previously, there was a question over whether privacy breaches could attract damages, although most reasonable lawyers think that it would as is par for the course where personal rights are adversely affected.

Funnily enough, the damages recoverable in this jurisdiction for data/privacy breaches are likely to be very low when compared to other jurisdictions in the EU that take such things seriously.

That should keep the usual suspects posting about "compo culture" in here happy.

GDPR doesn't come into effect until 25 May, so I don't know why people think it's relevant here.

Chimichangas

Bubbaclaus wrote:

Can someone tell me what damage has been done to the OP to justify compensation? What loss has the OP suffered?

That is gas alright if you're looking someone to tell you what damage had been done to the op... Maybe it's just me, but without some type of an investigation how would anyone know. And am I right in thinking that you think nothing needs to be done?
...even reporting it out informing the customer was a waste of time?

Without knowing the full facts compensation can't be ruled in or out..? But without an investigation how to you get the full facts. How do you prevent it happening again.

Fred Swanson

This post has been deleted.

Bubbaclaus

Chimichangas wrote: »

That is gas alright if you're looking someone to tell you what damage had been done to the op... Maybe it's just me, but without some type of an investigation how would anyone know. And am I right in thinking that you think nothing needs to be done?
...even reporting it out informing the customer was a waste of time?

Without knowing the full facts compensation can't be ruled in or out..? But without an investigation how to you get the full facts. How do you prevent it happening again.

Once again, it has been reported to the DPC by the bank per the OP. Why does this equate to nothing done?

gizmo555

hullaballoo wrote: »

Funnily enough, the damages recoverable in this jurisdiction for data/privacy breaches are likely to be very low when compared to other jurisdictions ...

I'm not so sure about that - this case was just settled for €50k by Irish Life, which infringed the privacy of a child:

https://www.independent.ie/irish-news/courts/girl-settles-case-for-50000-after-private-eye-took-her-photo-36892240.html

Also, the GDPR expressly states that one can sue for "non-material harm" caused by a failure to process data in accordance with data protection rules, e.g., anxiety, distress, embarrassment, and not just direct financial loss, which is the current Irish case law in Collins v FBD Insurance.

hullaballoo

Bubbaclaus wrote: »

GDPR doesn't come into effect until 25 May, so I don't know why people think it's relevant here.

What a strange thing to post.

We're 2 weeks away from the entry into force of the Regulation and you can't see how that's relevant to this discussion?

Bubbaclaus

hullaballoo wrote: »

What a strange thing to post.

We're 2 weeks away from the entry into force of the Regulation and you can't see how that's relevant to this discussion?

Well unless the OP is from the future, I don't see how anyone can claim this is a breach covered under GDPR.

Maybe the OP is a time traveller?

hullaballoo

gizmo555 wrote: »

I'm not so sure about that - this case was just settled for €50k by Irish Life, which infringed the privacy of a child:


https://www.independent.ie/irish-news/courts/girl-settles-case-for-50000-after-private-eye-took-her-photo-36892240.html


Also, the GDPR expressly states that one can sue for "non-material harm", e.g., anxiety, distress, embarrassment, and not just direct financial loss, which is the current Irish case law in Collins v FBD Insurance

You're misunderstanding what you're reading there.

In relation to the first part, I said that there has been doubt about the recoverability of damages under current law. The Indo article you've referred to backs this up. Iirc, Patrick Keane SC acknowledged in his application to have the case ruled that there is doubt about whether damages are payable for privacy breaches in this jurisdiction. Reading between the lines, there was an SC in a Circuit Court case because they wanted to test the law in that regard and I'd imagine the defendant could see a good argument in favour of damages being payable in such instances and decided to offer a reasonable amount of money to avoid a finding that would lead to the floodgates opening for claims by people who have been subjected to "private investigators" by insurance companies.

Of course, because the journos love reporting infant rulings, this has been picked up on and will probably, notwithstanding the objective of settling, open the floodgates to some extent anyway.


In relation to Collins v. FBD, it doesn't say what you say it does. It says damage must be proved, not merely a breach. Damage/loss includes the non-material elements.

A quirk of common law is that pure financial loss can rarely give rise to compensatory damages, which is a proposition that sits itself opposite what you say Collins says.

hullaballoo

Bubbaclaus wrote: »

Well unless the OP is from the future, I don't see how anyone can claim this is a breach covered under GDPR.

Maybe the OP is a time traveller?

Very drole all right.

I suppose you know for a fact, despite clearly having no underlying knowledge of the area other than the date it comes into force, that there is no retrospective impact?

gizmo555

hullaballoo wrote: »

Patrick Keane SC acknowledged in his application to have the case ruled that there is doubt about whether damages are payable for privacy breaches in this jurisdiction.

What did Bruce Arnold and Geraldine Kennedy get compensated for then, in their successful action against the state for tapping their phones?

hullaballoo wrote: »

In relation to Collins v. FBD, it doesn't say what you say it does. It says damage must be proved, not merely a breach. Damage/loss includes the non-material elements.

Thanks for this clarification. As you say, the court held there had to be evidence of actual loss or damage. Google unsuccessfully cited this case in the English courts in Google v Vidal-Hall. In this case compensation was awarded for anxiety and distress caused by Google's breach of data protection rights.

You can read McCann Fitzgerald's comparison of the cases here:

https://www.mccannfitzgerald.com/knowledge/data-privacy-and-cyber-risk/vidal-hall-v-google-damages-for-breach-of-data-protection-law

(And, FWIW, their take on this is that "the current law according to Collins v FBD does not require the payment of damages without proof of economic loss".)

hullaballoo

gizmo555 wrote: »

What did Bruce Arnold and Geraldine Kennedy get compensated for then, in their successful action against the state for tapping their phones?

Afair, that again was a case where rather than liability for such an infraction being decided, the cases were settled without the precise issue being determined.

I am fully open to being corrected on that but that's my recollection and a quick google hasn't shown me otherwise.

Also, there is some doubt as to who is obliged not to breach a person's constitutional rights. This is getting a little bit more convoluted but there was a time where damages for breaches of constitutional rights were really only recoverable as against the State. It's only relatively recently that effectively private individuals (including corporate entities) started being sued, successfully, for such breaches. Legally, I'm not sure it's been fully thrashed out as to the ability to recover damages as against non-State parties for breaches of constitutional rights. As cases are decided on the basis of the arguments presented (in the main, but again, there is a very recent divergence from that time-honoured practice), it's possible that damages have been awarded incorrectly as against non-State parties where such defendants failed to raise the issue. I don't know because I've not read every case ever but I do know that cases have been incorrectly decided and even the fact of an award is not always conclusive in relation to liability.

Thanks for this clarification. As you say, the court held there had to be evidence of actual loss or damage. Google unsuccessfully cited this case in the English courts in Google v Vidal-Hall. In this case compensation was awarded for anxiety and distress caused by Google's breach of data protection rights.

You can read McCann Fitzgerald's comparison of the cases here:

https://www.mccannfitzgerald.com/knowledge/data-privacy-and-cyber-risk/vidal-hall-v-google-damages-for-breach-of-data-protection-law

(And, FWIW, their take on this is that "the current law according to Collins v FBD does not require the payment of damages without proof of economic loss".)

It's definitely food for thought and I'll look at this further if I have the time because it is interesting. I'll start by reading the full text of Collins.

Safe to say the law is unclear on this stuff.

Bubbaclaus

hullaballoo wrote: »

Very drole all right.

I suppose you know for a fact, despite clearly having no underlying knowledge of the area other than the date it comes into force, that there is no retrospective impact?

The 2 year transitional period started in 2016 to allow entities to met the requirements in time for it's introduction later this month. It is not retrospective so only applies from later this month onwards.

Sorry to disappoint you.

Chimichangas

Bubbaclaus wrote:

Once again, it has been reported to the DPC by the bank per the OP. Why does this equate to nothing done?

I never said it was nothing done, I was asking you if you thought that (reporting) was a waste of time. That's what your opinion came across as, as per the quote below....

Bubbaclaus wrote:

These things happen. You've suffered no loss because of it. Move on.

Peregrinus

Leaving aside the GDPR which, as others note, hasn't entered into force yet, there's definitely a breach of contract here. There's a contractual relationship between bank and customer, and confidentiality/privacy is a well-understood term of the contract, and the bank is in breach here. If the OP sues the bank he must win; the only question will be the amount of damages.

But the amount may not be large. The OP can't point to any concrete, material harm that has yet resulted from the breach, and he is in a position to take (and the court will expect him to take) action to mitigate the possibility of harm by, as already suggested, closing his accounts. He will nevertheless get some award of damages; he hasn't suffered any financial loss, but his contractual rights have been infringed, he has suffered worry and the inconvenience and disruption of having to move his banking business. The award may be increased to reflect the bank's inability or refusal to tell him what data relating to him, exactly, was involved in the breach, and to tell him all of the circumstances of the breach. Still, he's not going to fund his retirement on this.

_Brian

Sorely on the interest of op security and safety they are entitled to know who exactly has been given their details.
It’s fine if no one but a bank employee had access to the data but there are those out there in society who would love exactly to know who had large sums on deposit and where they lived. It definitely places op at greater risk.

As regarding GDPR nothing has been tested and it’s “possible” op could use this legislation to move this forward as it’s a current issue.

Peregrinus

_Brian wrote: »

Sorely on the interest of op security and safety they are entitled to know who exactly has been given their details.

The bank doesn't know who exactly has been given the customer's details.

The printouts left the bank's custody and were later handed in by a member of the public. The bank does not know how many hands they passed through before they came into the hands of the member of the public. And, of course, even if the bank has the name and address of this member of the public, he might reasonably object to his personal information being circulated to the bank's customers, so I don't think the bank is in a position to identify even him.

So the bank can't give the customer a full account of who has had access to its data, and no court can or will order it to.

GM228

Bubbaclaus wrote: »

The 2 year transitional period started in 2016 to allow entities to met the requirements in time for it's introduction later this month. It is not retrospective so only applies from later this month onwards.

Sorry to disappoint you.

A transitional period for implementation and using the Regulation for retrospective redress is not the same.

You are entitled to seek conpensation under the provisions of the GDPR for a breach of "this regulation" (the GDPR regulation), however any references to the outgoing Data Protection Directive 95/46/EC are construed with "this regulation", so it's entirely feasible that a person could seek redress via the mechanisms of the GDPR for a breach of the older DPD. The very fact that they are construed could make it difficult to say you can't seek redress under the regulation for a breach of the directive.

There are countless national and EU laws which have allowed for retrospective application for redress etc for circumstances happening long before their enactment or commencement or even before them being no more than a wonderful idea of an EU institution.

You are trying to argue the point with someone who specialises in the subject by the way and he has many years experience in the field, it's a bit like a lay vs professional litigant argument, but just like the "compo culture" comment keep it up I have plenty of popcorn left.

4ensic15

FBD and Collins was opened to a UK court and heavily criticised. It is unlikely to be followed even without the GDPR.

Google Inc v Vidal-Hall [2015] EWCA Civ 311 (27 March 2015

GM228

gizmo555 wrote: »

Thanks for this clarification. As you say, the court held there had to be evidence of actual loss or damage. Google unsuccessfully cited this case in the English courts in Google v Vidal-Hall. In this case compensation was awarded for anxiety and distress caused by Google's breach of data protection rights.

I assume you mean something more than evidence, it's not just evidence that's required, but proof of actual damage. Evidence may not prove damage. Probably a bit pedantic but there's a difference between providing evidence and proving something as evidence may be rejected. Payment of damages without proof of actual damage would only apply in cases of strict liability which is not the case here.

From the Collins case:-

Section 7 provides an obligation of duty of care and allows for a remedy under the law of torts and the law of torts generally provides for compensation to be based upon certain criteria which includes the proof of damage.

The statutory position in Ireland is that no matter how blatant the breach that the person the subject of the breach can only receive damages on proof of loss or damage caused by the breach.

Vetch

GM228 wrote: »

A transitional period for implementation and using the Regulation for retrospective redress is not the same.

You are entitled to seek conpensation under the provisions of the GDPR for a breach of "this regulation" (the GDPR regulation), however any references to the outgoing Data Protection Directive 95/46/EC are construed with "this regulation", so it's entirely feasible that a person could seek redress via the mechanisms of the GDPR for a breach of the older DPD. The very fact that they are construed could make it difficult to say you can't seek redress under the regulation for a breach of the directive.

There are countless national and EU laws which have have allowed for retrospective application for redress etc for circumstances happening long before their enactment or commencement or even before them being no more than a wonderful idea of an EU institution.

You are trying to argue the point with someone who specialises in the subject by the way and has many years experience in the field, it's a bit like a lay vs professional litigant argument, but just like the "compo culture" comment keep it up I have plenty of popcorn left.

I’m reading what you say there about the DPD and GDPR being construed together. The DP Bill says the following currently. Would this in any way mitigate it?

Application of Data Protection Act 1988
8. (1) Subject to subsection (2), the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data other than the processing (within the meaning of that Act) of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State.
(2) The Act of 1988 shall apply to—
(a) a complaint by an individual under section 10 of that Act made before the commencement of this section,
(b) an investigation under the said section 10 that was begun but not completed before such commencement,
(c) a contravention of that Act that occurred before such commencement.