Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber-attacks. It aims to reduce the risk of cyber-attacks and the unauthorised exploitation of systems, networks, and technologies.
Applicable laws regarding cyber security in Ireland include:
Despite the apparent dedicated effort of Irish legislation, a new study shows that Ireland is the sixth-least cybersecure nation in Europe. This study analysed and ranked countries on factors including cybercrime exposure, commitment to cybersecurity, social media and email hacks, malicious software, identity theft, cybersecurity legislation and online banking fraud.
This result comes as Ireland suffered the most debilitating cyber-attack in the history of the State when the HSE infrastructure was severely compromised by ransomware in May 2021. This vicious attack critically damaged the HSE’s ability to deliver acute healthcare for a significant period. This was especially problematic and challenging given the intensity of the Covid-19 pandemic at the time of the attack. This, without doubt, put the HSE under immense pressure, and it is estimated that it will cost up to €500m to entirely restore all systems and functions of the HSE’s IT infrastructure.
On 15 May 2021, the Data Protection Officer (DPO) for the HSE made a data breach notification to the Data Protection Commission. In his notification, he announced that on 14 May 2021 the HSE had suffered a data security breach of its IT systems. In the notification, the DPO bluntly set out the facts. 4.9 million people were affected by this breach and the data disclosed included:
Furthermore, special category data including trade union data, health data, biometric data and genetic data was also disclosed.
The DPO clarified that possible consequences for certain individuals included:
The DPO described the threat of the above risks to individuals as ‘severe.’ It was thought that these risks were not communicated correctly and urgently enough to the individuals concerned. The cyber-attack seemed to have had a lot of coverage in the media, but little information was disclosed to individuals personally.
Article 33 of the General Data Protection Regulation requires that in “the case of a personal data breach, the controller shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” It seems that Article 33 was complied with given the correspondence between the HSE and the DPC following the incident.
Article 34 GDPR states that “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay”. Originally, the Data Protection Commission was informed by the HSE that data subjects would be notified both in the media and personally from 20 May 2021. This does not appear to have happened, however, and may result in a breach by the HSE of Article 34 GDPR. In addition, when people tried to contact the HSE to discuss their concerns over the recent cyber-attack, they received what appeared to be an automatic email in response. The apparent lack of compliance with Article 34 may give rise to claims from individuals seeking damages.
Government officials have agreed to increase their spending on State cyber security following the attack. They propose to kick-start this by appointing a head of the National Cyber Security Centre. This position was vacant at the time of the HSE attack, and it has been criticised that the risk of this attack could have been reduced if this position had been filled. Hopefully, these efforts by the Government, along with extra diligence from citizens, will result in fewer cases of cybercrime in Ireland in the future.
For further information in relation to this matter, please contact Claire McCormack (Partner) or your usual AMOSS contact.