Bank of Ireland customer data on missing device

 

The Data Protection Commissioner is investigating the loss of a USB computer memory device containing personal details of almost 900 Bank of Ireland customers.

The full name, account numbers, first line of address and contact numbers for 894 customers from different parts of the country are held on the memory key.

The information was not encrypted despite this being required by the bank’s policies and procedures.

A spokeswoman for the bank said the device had been reported missing last Wednesday and the Data Protection Commissioner notified yesterday. The bank began contacting these customers yesterday.

In a statement the bank said “no financial information in relation to customers’ accounts was on the device”. It went on to say it had no reason to believe the device had “fallen into the wrong hands”.

The customers who details were held on the device were a representative sample of those contacted by the bank as part of its relationship management programme and a follow-up survey.

Gary Davis, deputy Data Protection Commissioner, said while there was no mandatory reporting requirement for financial institutions to report lost data “the bank seems to have reacted reasonably in this instance”.

While the loss of the data was a concern he said the likelihood of a fraud was “relatively remote”. In April it emerged that the Commissioner was investigating the theft of four Bank of Ireland Life laptops which contained personal details of 31,500 customers.

These computers have not been recovered. Mr Davis said no instances of fraud relating to the stolen laptops have been reported to the Commissioner.

A series of recommendations were made to Bank of Ireland by the Commissioner following the laptop thefts including that all USB ports on the bank’s computers be sealed. This process is due to be completed by the end of March next year.

Last Friday the Minister for Justice Dermot Ahern established a review process to examine whether the data protection legislation needs to be changed following recent breaches.

Former secretary general at the Department of Finance, Eddie Sullivan will chair the process which will also consider whether mandatory reporting of breaches and penalties should be introduced.