Irish Watchdog Charges Private Eyes
Improper Selling of Information to Credit Unions Alleged
Ireland's data protection watchdog has accused some private investigators of tricking government employees into revealing personal information about Irish citizens and then selling this information to their clients, including credit unions.
None of the private investigators have been named, but the Office of the Data Protection Commissioner says that "an investigation has been under way by the office for some time into the activities of a number of private investigators or tracing agents who are suspected of unlawfully accessing personal data and passing it on to third parties, such as credit unions." Financial institutions sometimes hire tracing agents - known as skip tracers in the United States - to help locate people who owe them money.
The private investigators' alleged social engineering attacks could have violated not only Irish privacy laws, but also the country's criminal code. "It is a criminal offense under data protection legislation for a person to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose it to another person," the data protection office says.
The Department of Social Protection was among the government agencies allegedly tricked by some private investigators into releasing individuals' private information, according to the DPC. The agency, which is responsible for overseeing Ireland's social insurance and social assistance programs, as well as universal benefits, holds personal information on every Irish citizen. The agency has been working with the DPC to investigate the alleged data breach.
The Data Protection Commissioner declined to pinpoint how many individuals' personal details may have been obtained by the private investigators. But according to the Irish Independent, which first broke the news of the investigation, a "lengthy internal probe" cross-checked the names of 468 credit union customers and found that private investigators, using false identities to trick - or in local parlance, "blag" - government agency staff, obtained details on 78 of those customers and sold them to credit unions for €50 ($67) per record.
The Irish League of Credit Unions denies that credit unions had any knowledge of the alleged activities. It notes that no charges have been filed against credit unions.
"Credit unions were unaware that illegal means of data collection were being used," the organization says in a statement. "If this was being done, it was without the credit unions' permission or knowledge. Credit unions would not knowingly employ any company who used illegal tactics and we certainly do not in any way condone the use of securing information by illicit means."
Charges have been filed by the Data Protection Commissioner in district court against the unnamed private investigators. The matter will be presided over by a judge because Ireland's data protection agency - unlike many other EU member states - lacks the power to directly fine any person or business for alleged data privacy offenses.
"In Ireland, every prosecution that the data commissioner takes has to go to court, which can be a time-consuming and expensive process, so they do it sparingly, when it's a slam dunk," says Daragh O'Brien, managing director of Castlebridge Associates, a Dublin-based data protection and data governance training company and consultancy. "It's a potential weakness in the way we've implemented the [EU] legislation in Ireland, because it means that everything either has to go to court or be resolved amicably, because it's a criminal standard of proof that they have to meet - it's not an administrative fine in the manner of a parking fine."
Furthermore, under Irish law - specifically section 31 of the Data Protection Act of 2011 - the maximum fine if someone is convicted in court of a privacy violation is €3,000 ($4,000) per offense, and each allegedly stolen record could be counted as a separate offense. As an alternative, the matter might be handed to the country's attorney general to be prosecuted on a criminal indictment, in which case each defendant would face a fine of up to €100,000 ($134,000) per offense.
But O'Brien says prosecuting data privacy violations at this higher level "has never happened and is unlikely to happen," because of the time and cost involved. In fact, the case may result in no jail time, should the judge choose to apply the country's Probation Act. "[This] allows them to decide that the facts of the case are proven but to dismiss or conditionally discharge the criminal charge in exchange for an undertaking from the defendant not to re-offend and, usually, a fine by way of a donation to a court-nominated charity," O'Brien says.
He cites as an example a 2011 trial involving three people who were charged with violating the Data Protection Act. The case centered on a retired police officer who asked his daughter-in-law, a government employee, to look up information on people who had filed claims with his client, an insurance agency. All three defendants said they hadn't profited from the information and pleaded guilty to related charges. The judge ordered each of them to pay a €1,000 ($1,335) fine that was donated to a children's hospital and imposed no jail time.
O'Brien says the data commissioner's powers provide scant deterrence for anyone who socially engineers others into revealing individuals' private details and violating their privacy rights. "The penalty should match the severity of the crime," he says. "The level of penalty on prosecution under the current legislation is such that there is little or no disincentive for people who seek to get access to data without authorization [and] for profit, particularly given the cost to the DPC of taking criminal prosecutions in each case."
But the fines facing those who are convicted of breaking Ireland's privacy laws will likely increase when the EU updates its data protection directive, at least based on what's now in the draft version of the updated legislation. "With the EU data regulations, the penalties for the private investigators could be in the region of 1 million euros per offense," O'Brien says.