Irish Data Protection Commission Fines Eircom Over Breach

The Irish data protection office ("ODPC") brought legal action last month against telecommunications firm Eircom and two of the company’s cell phone subsidiaries for failing to encrypt two stolen laptops, as required by Irish Regulation 4(I) of SI 336, and then waiting more than one month to notify the ODPC and subscribers of the breach. The Irish law requires notification of a breach to both impacted individuals and the Irish data protection office “without undue delay.” The laptop theft reportedly affected 3,944 Meteor customers and 6,295 eMobile customers, while the compromised data included names, contact information, passports, drivers’ licenses, national identification numbers, and bank account or credit card information. The ODPC has been reported as stating that it believes “without undue delay” should be two working days, for notification not only to its office, but to impacted individuals as well. In dismissing the action, the Dublin District Court has required the two subsidiaries, eMobile and Meteor, to donate €15,000 ($19,280) to a charity.

Tip: Companies should keep in mind that if they suffer a breach that impacts individuals in Europe, and notification is required, many European data protection authorities believe that notification should happen more rapidly than is expected in the U.S.

These tips have been created for information and planning purposes. They are not intended to be, nor should they be substituted for, legal advice, which turns on specific facts.