Commissioner investigating loss of bank customers' details


THE DATA Protection Commissioner is investigating the loss of a USB computer memory device containing personal details of almost 900 Bank of Ireland customers.

The full name, account numbers, first line of address and contact numbers for 894 customers from different parts of the country are held on the memory key. The information was not encrypted despite this being required by the bank's policies and procedures.

A spokeswoman for the bank said the device had been reported missing last Wednesday. The Data Protection Commissioner was notified yesterday as the bank began contacting customers.

The bank said "no financial information in relation to customers' accounts was on the device". It had no reason to believe the device had "fallen into the wrong hands".

The customers whose details were held on the device were a representative sample of those contacted by the bank as part of its relationship management programme and a follow-up survey.

Deputy Data Protection Commissioner Gary Davis said that, while there was no mandatory reporting requirement for financial institutions to report lost data, "the bank seems to have reacted reasonably in this instance".

He said the likelihood of a fraud was "relatively remote".

In April it emerged that the commissioner was investigating the theft of four Bank of Ireland Life laptops which contained personal details of 31,500 customers. These computers have not been recovered. Mr Davis said no instances of fraud relating to the stolen laptops have been reported.

A series of recommendations were made to Bank of Ireland following the thefts, including that all USB ports on the bank's computers be sealed. This is due to be completed in March next year.

Last Friday, Minister for Justice Dermot Ahern established a review to examine whether data protection legislation needs to be changed. Former secretary general at the Department of Finance Eddie Sullivan will chair the review, which will also consider whether mandatory reporting and penalties should be introduced.