Mobile phone operators, eMobile and Meteor, have been ordered to pay €15,000 each to charity after the personal data of a number of their customers was compromised following the theft of two password protected but unencrypted laptops from Eircom’s Dublin offices.

The theft of the laptops took place sometime between 28 December 2011 and 2 January 2012. The laptops held customer details, including names and addresses, copies of passports and driving licences, and financial information.

The Data Protection Commissioner initiated criminal proceedings against each company before the District Court. The DPC told the court that its Code of Practice requires that all such data breaches be reported to his office within two working days. In this instance however, the DPC was not notified of the data breach until a month after the theft, and a number of the affected customers were not notified until more than two months had passed. Both companies were charged with, and pleaded guilty to, failing to protect the personal data held on the laptops, failing to notify the DPC of the personal data breach without undue delay (as per the DPC’s Code of Practice) and failing to notify the affected individuals without delay. The companies were ordered to donate a total of €30,000 to the Laura Lynn Foundation and Pieta House charities.

This decision highlights the importance of implementing adequate data protection measures and the repercussions of failing to promptly notify the DPC of data breaches. Companies should ensure that robust procedures are in place to identify any actual or potential compromise of personal data immediately as the time limits for notification under the Code of Practice are very short. 

Contributed by Leo Moore and John Farrell.

Back to Legal News