:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/S5G5HHFTT7IK62O4GQUJHWTHDU.jpg)
The news that the State's corporate watchdog, the Office of the Director of Corporate Enforcement (ODCE), has widened its investigation of Independent News & Media (INM) to include a "potential data breach" at the publisher raises a multitude of troubling questions for its investors, staff and the wider public.
INM has acknowledged that it approached the Data Protection Commissioner (DPC) in August over a "potential personal data breach", and that it engaged Deloitte to examine the matter.
It also set up a committee of its board to investigate the matter, which is surely an indication of how the potential seriousness of the matter was viewed by some people within the organisation at the time.
INM patently had real and plausible grounds to believe that personal data had been breached, or it would never have brought the issue to the DPC at all.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/A262L7LWG6AKTV7L24JTS3SFZY.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/UWIGJLSURFMIFKRN3GDUDQ46XM.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/7I24GC2LYTH5P675DWGAAGO6NY.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/Y6EMMHU3OSHCYF2Z2VVQCFLM6M.jpg)
What, exactly, was the nature of the personal data that INM suspected may have been breached? Was it the personal data of the newspaper publisher’s staff? Did it include, for example, its journalists’ communications? Did INM have a view on how, and to whom, the material, whatever it contained, was potentially breached?
Board level
When did the suspected or “potential breach” occur? Was there a delay in bringing the matter to the attention of the DPC, and if so, how long and why?
Who brought the matter to the attention of INM’s board, and in what circumstances? Why was it elevated to board level at all? Public company boards normally only deal with strategic and corporate governance matters, not operational issues surrounding the management of data.
The DPC found the “potential breach” notified to it was not a “breach of personal data” under its codes, and recorded it as a technical matter. If the DPC was unperturbed, then why has another State regulator, the ODCE, widened its investigation of corporate governance at INM to include the matter? Has the ODCE uncovered material to which DPC did not have access?
Who, exactly, knew what, how and when?
We can only hope that the ODCE, bloodied and bruised from the fallout of its involvement in the investigations of Anglo Irish Bank, retains the capability and resources to find answers to these questions.