Data security measures for Bord Gáis


Bord Gáis is to introduce new security procedures after it accepted it was in breach of Data Protection legislation in relation to the theft of details of some 93,000 customers on a laptop.

A report on the investigation by the Office of the Data Protection Commissioner (ODPC) into the theft of four laptops from Bord Gáis’s offices in Dublin’s north inner city in June was published yesterday.

The laptops were stolen from Bord Gáis offices on Foley Street in Dublin’s north inner city in the early hours of Friday, June 5th.

One of the computers was not encrypted. It was originally believed to contain the banking details of about 75,000 people, but during the investigation it emerged the details of 93,857 customers had been compromised.

The laptop contained details such as account numbers, home addresses and branch details of people who had switched their electricity supply from the ESB as part of Bord Gáis’s “big switch” campaign.

No individual suffered financial loss as a consequence of the loss of data, the ODPC said. Fourteen individuals made complaints to the data protection office in relation to the theft of their data on the laptop, however.

Amongst its findings, the ODPC noted that the staff member who downloaded the personal data to the laptop had an obligation, written into her job specification, to ensure the protection of data.

The ODPC also found there was insufficient oversight of the wide range of tasks carried out by this staff member.

The investigation by data protection officers found Bord Gáis had breached its responsibilities under the Data Protection Acts on a number of counts, including that it failed to put in place an appropriate level of security on the stolen computer.

Bord Gáis accepted there was not an appropriate level of security on the laptop to protect the level and the nature of the personal data that was on it.

The company further broke the law by not ensuring that access to personal data was on a “need to know” basis. It also breached the legislation by retaining personal data on the machine in question for longer than was justifiable.

During the investigation, Bord Gáis provided gardaí with the raw data on encrypted memory sticks. The affected financial institutions and customers were also informed.

The ODPC recommended an immediate review of staff access levels to personal data and systems at Bord Gáis, and that an effective system be put in place for granting, reviewing and removing such access when it was no longer needed.

It also recommended that an appropriate governance structure be put in place to ensure the implementation of the data protection issues to be addressed.

In addition, the ODPC recommended that it be made “abundantly clear to all staff that personal data should not be downloaded to local drives and should be maintained on networked systems for any use that is considered appropriate”.

The report noted that while the loss of a laptop with such a substantial amount of personal data breached a number of the provisions of the Data Protection Acts, it was “not representative of the generally serious and committed approach to data protection that ODPC is satisfied is now in place”.

Bord Gáis managing director David Bunworth, in a written response to the ODPC, said the company accepted the findings and recommendations contained in the report.

He said that since the security breach, Bord Gáis had taken a number of steps, including the encryption of all the company’s laptops.

The company had also made changes to its sales management system, including removing inactive users and making its IT department responsible for the control of user access.

“Please be assured that Bord Gáis Energy has taken the report and its recommendations very seriously and will ensure that there will be no recurrence of the issues that emerged following the theft of the laptops from Bord Gáis Energy premises,” Mr Bunworth said.

Deputy Data Protection Commissioner Gary Davis said he believed the report demonstrated there were “issues that needed to be addressed in Bord Gáis”.

“I am pleased to note that Bord Gáis, both before the audit and subsequently, has taken significant steps to improve its data protection compliance.

“The report itself should be read by all organisations and should serve as a reminder to them of what can happen where data protection standards are not at an appropriate level.”