BOI Data Breach

[DeeKie]

This is the problem. There is no case law to provide guidance as to the amount of compensation that should be paid. GDPR suggests that the Data Protection Commissioner could look for fines of "€10M or 2% of global turnover, which ever is greater" for "less serious breaches". And this is a serious breach. OP's solicitor is best placed to advise. Having said that, compensation in the low six figures may be appropriate given:

1) seriousness of the breach.
2) the new GDPR environment in which banks, and the rest of us, operate.
3) the possibility of systemic failings within BOI in relation to "data protection by design".

Ultimately, it will be up to the courts to decide on compensation. I suspect that if the OP were to instruct his/her solicitor to issue proceedings then BOI will fold before this gets publicly aired in court. BOI will not want to be a party to the establishment of case law on this one.

You are discussing administrative fines (which go to the DPC) and damages (which go to the data subject) in the same post. This might confuse people unfamiliar with this fairly dense topic. I also think your damages figures are high if you look to the U.K. where they’ve had non-material damages for years.

 

[24601]

Having said that, compensation in the low six figures may be appropriate

Six figures? Where are you possibly pulling such a figure from?

 

[NoRegretsCoyote]

Thanks TLO for your comments, The bank increased their compensation to a lot more than what was originally offered of 500e. However, It is still not enough to cover the loan that they provided and they disclosed. They disclosed the details of my loan to my neighbor, something I am not happy about and I have lost all trust in my bank. I think I will have to take this further and leave the sand Bank.

I'm confused.

Is this the same or a different data breach?

 

[RedOnion]

they allowed another random individual with the same name

They disclosed the details of my loan to my neighbor

To be clear, the 'random individual' was your neighbour, with the same name as you?

 

[Warrior2]

The same person yes. The bank denied that they had disclosed anything, however it was very clear that I had access to his accounts and when I got in touch with him, he was able to tell me how much I had in my accounts.

 

[Leo]

However, It is still not enough to cover the loan that they provided and they disclosed.

There is nothing in law to suggest it should cover this. Where did you get that from?

Just to emphasise DeeKie's point, GDRP fines should not be confused with any compensation that may or may not be awarded in such breeches. The majority of breeches result in little or no compensation to the victims. You can review details of past GDPR fines on tracker sites such as . Here you'll see a broad range of fines, but many might be surprise you in how small some of them are. For example the German Knuddells chat site only being fined €20k for exposing the details of 330k users. That's 6c per user.

 

[24601]

There is nothing in law to suggest it should cover this. Where did you get that from?

Just to emphasise DeeKie's point, GDRP fines should not be confused with any compensation that may or may not be awarded in such breeches. The majority of breeches result in little or no compensation to the victims. You can review details of past GDPR fines on tracker sites such as . Here you'll see a broad range of fines, but many might be surprise you in how small some of them are. For example the German Knuddells chat site only being fined €20k for exposing the details of 330k users. That's 6c per user.

I'm confused about this? Is the OP expected his loan to be covered by compensation? If so, why exactly? It's obviously very annoying that this happened and there should be some recourse but the idea that there should be material compensation for what appears to be a case of mistaken identity and a systems failure affecting two individuals with the same name and similar addresses is just silly.

OP, if I were you I'd press for as much compensation as reasonably possible, conscious of the fact that it is likely to be modest, and that it has no relationship with your loan. The suggestion of six figures compensation by another poster is off the wall stuff and should not be anchoring your expectations.

 

[Leo]

Is the OP expected his loan to be covered by compensation? If so, why exactly?

It sounds that way, and I don't understand how they've made that connection either.

 

[DeeKie]

. You can review details of past GDPR fines on tracker sites such as . Here you'll see a broad range of fines, but many might be surprise you in how small some of them are. For example the German Knuddells chat site only being fined €20k for exposing the details of 330k users. That's 6c per user.

Really useful site. Thanks.