Learning from the Data Protection Commission’s recent fine on Bank of Ireland Group plc

What happened

• Following 22 personal data breach notifications that Bank of Ireland Group plc (BOI) made to the Irish data protection regulator (the DPC) between 2018 and 2019, an inquiry commenced to understand how the organisation had infringed the provisions of the GDPR.
• It was found that BOI had failed to inform the DPC of some of the personal data breaches ‘without undue delay’ and that sufficient information was not provided in relation to them when they were eventually reported.
• Similarly, BOI was also found not to have had informed data subjects of the personal data breaches ‘without undue delay’.
• Lastly, BOI was found not to have implemented appropriate security measures in protecting the personal data involved in these data breaches.

Why it matters

• BOI was fined €463,000 for infringing the GDPR and was ordered by the DPC to bring its processing into compliance with the law.
• This inquiry serves as an important reminder of the need to implement proper breach escalation procedures so that when a security incident is identified, it is appropriately risk-graded and reported to the regulator and/or data subjects.
• Breach escalation procedures should be easy to understand and contain templates that staff can readily complete when faced with a potential personal data breach.
• Staff should also be made aware of the procedures through formal training and other forms of communication such as posters and the company intranet.

What happened

• The National Institute of Standards and Technology (NIST), is a US organisation that promotes innovation and advances standards.
• One such standard is the Cybersecurity Framework which is a voluntary framework consisting of guidelines and best practices to manage cybersecurity risk.
• Recently, NIST published a Request for Information (RFI) on “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management”.
• This RFI seeks to gain views and feedback on the importance of international perspectives when updating NIST’s resources and on ways to better align the Cybersecurity Framework with privacy risk management resources.

Why it matters

• The appropriate use of personal data is a global issue and not just a regional or local one.
• This is increasingly evidenced by the European Commission’s attempts to forge new adequacy agreements between the EU and ‘third countries’ in order to enable seamless transfers of information across borders.
• The release of this new RFI confirms NIST’s commitment to ensure a global perspective informs future versions of the Cybersecurity Framework.
• The intention is to also align the Framework with other international approaches such as the ISO 27000 series, particularly ISO 27110 which relates to privacy risk management.

What happened

• Spanish energy giant Iberdrola, parent company of Scottish Power, has been hit by a cybersecurity incident that led to a personal data breach affecting over 1 million customers.
• The attack is said to have occurred in March this year (2022) and involved the theft of customer information such as email addresses and phone numbers. Bank details were not affected.

Why it matters

• Iberdrola confirmed that the issue was resolved within the day and further attempts failed.
• Implementing appropriate security measures (both technical and organisational) are crucial to ensure cyber attacks are avoided and risks resulting from them are remediated in a timely manner.
• This includes a comprehensive training and awareness programme for all staff handling personal data within the business.