
Legal Briefing


Tightening the net – new data security breach requirements

Overview

On 1 July 2011, new obligations in respect of the reporting of data security breaches were introduced. The regulations impose binding legal obligations on telecommunications companies (Telcos) and internet service providers (ISPs) on the reporting of data security breaches, and carry criminal penalties for failure to comply.

Before the regulations came into force, Telcos and ISPs, like other organisations, were obliged to comply with the general data security requirements of the Data Protection Acts, which oblige data controllers to ensure that they maintain appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, personal data. In addition, in July 2010 the Data Protection Commissioner approved a Personal Data Security Breach Code of Practice, which includes provisions on the notification of data security issues both to the Commissioner and to affected data subjects. Although the Code represents best practice in this area, it is not legally binding. A key feature of the new data security breach notification regime introduced by the regulations is that it imposes legally binding reporting and other obligations on Telcos and ISPs, most of which attract criminal liability for non-compliance.
