What was INM’s ‘potential data breach’ and who knew about it?

Why did the matter reach board level?

INM has acknowledged that it approached the Data Protection Commissioner over a “potential personal data breach”, and that it engaged Deloitte to examine the matter. Photograph: Dara Mac Dónaill

INM has acknowledged that it approached the Data Protection Commissioner over a “potential personal data breach”, and that it engaged Deloitte to examine the matter. Photograph: Dara Mac Dónaill

 

The news that the State’s corporate watchdog, the Office of the Director of Corporate Enforcement (ODCE), has widened its investigation of Independent News & Media (INM) to include a “potential data breach” at the publisher raises a multitude of troubling questions for its investors, staff and the wider public.

INM has acknowledged that it approached the Data Protection Commissioner (DPC) in August over a “potential personal data breach”, and that it engaged Deloitte to examine the matter.

It also set up a committee of its board to investigate the matter, which is surely an indication of how the potential seriousness of the matter was viewed by some people within the organisation at the time.

INM patently had real and plausible grounds to believe that personal data had been breached, or it would never have brought the issue to the DPC at all.

What, exactly, was the nature of the personal data that INM suspected may have been breached? Was it the personal data of the newspaper publisher’s staff? Did it include, for example, its journalists’ communications? Did INM have a view on how, and to whom, the material, whatever it contained, was potentially breached?

Board level

When did the suspected or “potential breach” occur? Was there a delay in bringing the matter to the attention of the DPC, and if so, how long and why?

Who brought the matter to the attention of INM’s board, and in what circumstances? Why was it elevated to board level at all? Public company boards normally only deal with strategic and corporate governance matters, not operational issues surrounding the management of data.

The DPC found the “potential breach” notified to it was not a “breach of personal data” under its codes, and recorded it as a technical matter. If the DPC was unperturbed, then why has another State regulator, the ODCE, widened its investigation of corporate governance at INM to include the matter? Has the ODCE uncovered material to which DPC did not have access?

Who, exactly, knew what, how and when?

We can only hope that the ODCE, bloodied and bruised from the fallout of its involvement in the investigations of Anglo Irish Bank, retains the capability and resources to find answers to these questions.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.