Bank of Ireland has been fined €463,000 by the Data Protection Commissioner for falsifying customer account details which could have affected their creditworthiness. The fine was also based on the bank’s failure to notify customers of the problem in a timely manner, and Commissioner Helen Dixon also ordered the bank to repair its underperforming data processing systems.
The data breaches, which occurred between 2018 and 2019, relate to instances where the bank submitted incorrect information to the Central Credit Register (CCR), which is maintained by the Central Bank of Ireland.
The CCR helps a lender decide whether or not to approve a loan application and gives the central bank better insight into lending patterns across the economy.
The total penalty of €463,000 was broken down into parts, each attributed to a separate Bank of Ireland data error.
The largest part – €250,000 – was imposed on the bank for its deficient data processing systems.
“I have taken into account the fact that the lack of technical and organizational measures in place appears to have contributed to the personal data breaches that have occurred,” said Commissioner Helen Dixon.
The second largest chunk – €125,000 – was partly accounted for by the time it took the bank to notify 47,000 customers of one of its major mistakes, in which the details of some loans and mortgages were not correctly reported to the CCR. These included “the misperception by some borrowers that they were in financial distress.”
“I was impacted by the length of delay it took BOI to issue a notice to data subjects after learning of the personal data breach,” said Ms. Dixon. “I also considered the large number of data subjects affected by this breach (approximately 47,000) and the number of complaints BOI received from customers.”
It is not the first time that the Irish DPC has issued a fine over credit-reporting problems. In recent years, the Irish Credit Bureau was fined €90,000 for errors in the credit scores of 15,000 people, possibly damaging their financial reputation.
Bank of Ireland’s data processing systems have also drawn harsh criticism from the data regulator, and have been identified as the main reason the bank got its customers’ information wrong.
“I order Bank Of Ireland to bring its processing operations into line with Article 32 of the GDPR by implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risks, subject to the conditions set out in the table below,” she said.
“In my view, these orders are adequate, necessary and proportionate to ensure compliance with Article 32 of the GDPR. In this regard, I acknowledge BOI’s ongoing remedial actions and strategic transformation as outlined in submissions throughout the investigation. In my view, however, this order is necessary and proportionate given the importance of ensuring that BOI’s obligation to implement appropriate technical and organizational measures, particularly in view of the large amount of highly sensitive personal data subjects processed by BOI, is fully implemented.”
Source: Bank of Ireland fined for failing to report details of loans from 47,000 customers, https://www.independent.ie/business/technology/bank-of-ireland-fined-over-errors-reporting-details-of-47000-customers-loans-41522333.html