Mondays blog post generated quite a response. Although we were not named by Minister Donnelly, we must assume we (and no doubt other colleagues) were being referred to on the 20th May in his Newstalk interview (HSE cyber attack: ‘Distasteful’ legal firms ‘licking their lips’ at thoughts of suing State | Newstalk)
We were afforded the right of reply, which we did this morning (Solicitor ‘astounded’ at Donnelly claim lawyers licking lips over HSE cyber attack | Newstalk).
We have now taken it upon ourselves to send an open letter to Mr. Donnelly, calling on him to inform individual data subjects, what, if any, data of theirs has been obtained by nefarious actors, which the HSE is obliged to do in Accordance with Article 34 of the General Data Protection Regulation. A copy of this letter can be downloaded from the link provided below and is reproduced in HTML for those find that more accessible.
Dear Minister Donnelly,
I feel it is appropriate to write to you in respect of certain comments you made on the Newstalk Breakfast Radio Show on the 20th May 2021. Newstalk were generous enough to afford me a right to reply, and I took them up on the offer this morning.
It appears that your comments were as a result of information shared by me or colleagues in the early days of this debacle. The blog post was placed in response to the large number of queries this office received when news of the hacking broke.
I have worked extensively in the area of Data Protection for many years, and I am fortunate to consider a number of Government agencies as my clients in this regard. In this case however I feel it is important to speak out for the ordinary individuals who are worried about the fallout from the HSE Data Breach. In the context of this I think it is important to address some of the points made by you, so that there can be no confusion or ambiguity among politicians, the HSE or the General Public.
When the HSE speaks of “its data” being compromised they are misrepresenting the position. It is individual’s data. The HSE is a data controller with certain responsibilities to the data subjects. These data subjects are the ordinary people of Ireland who entrusted their most sensitive personal data with the HSE. Some of this information comprises TUSLA social work records, psychiatric records, oncology records, financial details, and in a nutshell, the most sensitive form of personal data imaginable.
It is now clear that the HSE cannot say for certain what information has been compromised, nor presumably can it be assured of the integrity of the information it still holds.
The hacking of the HSE computers, and subsequent ransom demand is undoubtedly a horrible act, by horrible people; there can be no question about this. The hacking has caused untold hardship and suffering to many and is an unforgivable criminal act. However, the HSE cannot abdicate responsibility, as they were the gatekeepers entrusted to keep the Data safe, and they failed in this respect.
While we don’t know how the data breach occurred, we do know it did occur, and we know the HSE were warned it may to occur. Article 32 of the General Data Protection Regulation states the following: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:”
While this does not impute a level of strict liability, it provides that the more sensitive the information, the better the safeguards should be. The information was extremely sensitive, and I would suggest if the safeguards had been adequate this breach would simply not have occurred; or would not have occurred at the level it has.
In your interview you referred to “Lawyers licking their lips”. I consider this to be an offensive characterisation, and a slur on the profession as a whole. Our job as lawyers is to make people aware of their rights, and assist them in getting access to justice. This duty arises whether we are acting for a large corporate client, or a concerned individual.
It so happens that the General Data Protection Regulation (as further implemented by the Data Protection Act 2018) provides for a number of ways for individuals to seek redress. One way is through making a complaint to the Data Protection Commission, the other is by bringing an action pursuant to Section 117 of the Data Protection Act 2018, more commonly known as a “Data Protection Action”. It is not “distasteful” to point out that people may have certain rights flowing from the events that occurred with the HSE. While it may at times be politically favourable to cast aspersions on lawyers, a country without a legal profession that operate freely and without fear or reprisals is not generally one many of us would like to live in.
Article 82 of the GDPR provides that “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”.
It therefore follows that if the HSE did not have adequate security (which seems possible), and if a breach occurred (which it did), the data subjects, or the owners of the data, will be entitled to turn to the State, and seek redress though the Courts. What level of damages may or may be awarded is not something we can say for sure with any degree or certainty, and the outcome of any action would be solely a matter for the Courts.
From our knowledge so far, individuals have suffered both material damage (cancelled appointments, tests, lack of treatment etc), and non-material damage (worry, anxiety and so forth).
Unlike many countries; in Ireland we do not have any particularly strong privacy focused non governmental organisation. As such it then falls on private individuals and professionals, to educate and inform. Having worked with a number of Civil Rights organisations before becoming a solicitor I will make no apology in this case for asking people about their experiences and letting them know of their potential rights.
While I appreciate that this is still an evolving situation I am now calling on you to make a full disclosure of the circumstances of the breach in accordance with Article 34, and particularly to inform individual data subjects, what, if any, data of theirs has been obtained by nefarious actors, so that they can mitigate any harm that may be caused to them.
I look forward to hearing from you by return, and would welcome any discussion or further debate on the matter.