Gone Smishing? Credit Card Scams & Cybercrime

Credit Card Scams & Cybercrime

Bank of Ireland recently notified its customers of a smishing scam in which some of its credit card customers received a text message claiming to be from the bank. The text message told customers that their credit card had been automatically blocked for security reasons and asked them to click on a link for further information and to order a replacement card. The link brought customers to a phishing website where they were asked to enter their security information, including their account number, four-digit PIN and online banking PIN. Some of the bank’s customers unfortunately lost money to the scam.

Cybercrime is becoming highly sophisticated, and as consumers now conduct most of their banking online, this is an area where fraudsters concentrate much of their effort. Banks regularly warn their customers to be vigilant against online financial fraud, particularly where a text or email contains a link that then requests the customer’s security information for their account. You should never give out this information, even if the email or text looks entirely genuine. Any suspected phishing emails or smishing texts should be reported to your bank immediately and deleted from your device. The onus is placed very much on the consumer to be alert to suspected fraud, which is understandably difficult for those who have no experience or knowledge of how to identify potential scams.

If you are unfortunate enough to be the victim of online financial fraud, it is vital that the terms and conditions governing your online banking are carefully considered and analysed. Legal advice should be sought to ascertain whether you have any claim against the bank to recoup your financial loss.

How to protect yourself against credit card scams and cybercrime:

  • Make sure the anti-virus software on your laptop/computer is up to date.
  • Most internet web browsers include anti-phishing toolbars; make sure these are also the most up-to-date version.
  • Do not respond to any emails/texts requesting your personal, financial or security details.
  • Never open a link in an email/text that you are not sure about, and do not enter your personal/security/financial information if requested on the linked website.
  • Avoid sending your personal/security/financial information in an email.
  • Before transferring money to an online account, ring the account holder to confirm their identity and the account number.
  • If you receive an unsolicited phone call from your bank, do not give your personal/security/financial information over the phone, even if the caller has some basic information on you such as your name and address. Say that you will need to validate their identity and will contact your bank directly; do not use a phone number given to you by the caller, as this could be fake.
  • The Gardaí advise that if you have transferred money to an unknown source as a result of a fraudulent email, you should also report it to your local Garda station.
  • The default approach should always be caution. If you suspect anything fraudulent, delete it and report it.

*Smishing – the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.

*Phishing – the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Whilst every effort has been made to ensure the accuracy of the information contained in this article, it has been provided for information purposes only and is not intended to constitute legal advice. Amorys Solicitors is a boutique commercial and private client law firm in Sandyford, Dublin 18, Ireland.
For further information and advice in relation to “Gone Smishing? Credit Card Scams & Cybercrime”, please contact Daragh Burke, Amorys Solicitors daragh@amoryssolicitors.com, telephone 01 213 5940 or your usual contact at Amorys.

COVID-19 and Data Protection Rights

Data Protection Rights and the Pandemic COVID-19

It was recently reported that the HSE had disclosed to an employer that one of their employees had tested positive for Covid-19 prior to informing the employee of their own test results. The HSE explained in a statement that in “exceptional circumstances”, “if it is considered essential for the public health good”, they would inform an employer of a Covid-19 positive test result prior to informing the employee. The HSE has since requested guidance from the Data Protection Commissioner (DPC) and has suspended the practice in the interim. Nonetheless, the issue has provoked serious concerns regarding the protection of employees’ sensitive medical data and whether there are any “exceptional circumstances” wherein the data protection rights of data subjects can be overridden in such a way.

Guidance from the Data Protection Commissioner (DPC)

Mass Covid-19 screening has been taking place across a number of sectors, including meat processing plants and nursing homes. It involves the processing of large amounts of personal data, including employee names, addresses and dates of birth and sensitive ‘special category’ medical data, over a relatively short period of time and with a high degree of urgency.

The Data Protection Commissioner has issued advice regarding data protection law and the measures being taken by governments, employers in the public and private sector and voluntary bodies in the wake of the pandemic. Firstly, any protection measures implemented as a result of the pandemic that involve the processing of personal data need to be proportionate and necessary. The pandemic does not give organisations the authority to circumvent data protection standards and the applicable law.

  • If an organisation is acting on the advice or direction of public health authorities or other authorities, the processing of personal data and data relating to health is permitted under the GDPR and the Data Protection Act 2018, provided the relevant safeguards are in place to include the deletion of the data under strict time limits, limitations on who can access the data and ensuring that staff are adequately trained regarding the protection of the data rights of individuals.
  • Under the Safety, Health and Welfare at Work Act 2005, employers are legally obliged to protect their employees. Personal health data can be processed if it is decided that doing so is necessary and proportionate under the 2005 Act and the GDPR. The data should be processed in a confidential manner, meaning that if an employee has tested positive for Covid-19, staff should be advised without identifying the particular employee.
  • Organisations must be transparent, in plain and clear language, regarding how they process personal data and sensitive ‘special category’ personal data, why they are collecting this data and how long the data will be retained.
  • Confidentiality must be maintained and the necessary safeguards put in place to ensure the security of the data. There must be a very strong justification for identifying any individual affected by Covid-19 to a third party or to colleagues.
  • Only the minimum amount of data required to achieve the objective of preventing or containing the spread of Covid-19 may be gathered, and a record of any decision-making process of an organisation regarding its response to the pandemic which involves the processing of personal data should be retained by the data processor.

While the pandemic has rapidly changed the way organisations are functioning, the fundamentals of data protection remain intact. Organisations must exercise caution when processing personal data, and in particular when the data is health-related.

For further information and advice in relation to “COVID-19 and Data Protection Rights”, please contact Daragh Burke, Amorys Solicitors daragh@amoryssolicitors.com, telephone 01 213 5940 or your usual contact at Amorys.

Transfer of Personal Data – The Max Schrems and Facebook case

Privacy rights campaigner Max Schrems claims that the transfer of his personal data by Facebook from Europe to its US parent company is unlawful and in breach of his right to privacy under Articles 7 and 8 of the EU Charter of Fundamental Rights. Individuals in the European Union have a specific right to privacy under European law; individuals in the US do not have the same protections. In the US, personal data is subject to mass State surveillance, which is a breach of European citizens’ rights. The Irish Data Protection Commissioner refused to investigate Mr. Schrems’s complaint; this refusal was overturned by Court Order and the Data Protection Commissioner was directed to investigate the complaint.

The complaint was then investigated by the Irish Data Protection Commissioner, who issued a draft decision on it and then issued High Court proceedings seeking to refer a number of questions to the European Court. The key question raised is whether the standard contractual clauses approved by the EC, for use by parties arranging the transfer of individuals’ personal data to countries outside the EU, provide sufficient protection for EU citizens.

Ten parties applied to be joined as amici curiae (parties who have an interest in the proceedings) to assist the High Court in this case. The High Court ordered that the USA Business Software Alliance (BSA), Digital Europe and the Electronic Privacy Information Centre (EPIC) be joined as amici curiae on the basis that the case will have significant economic and commercial consequences for companies and individuals. The BSA was joined because restrictions on the transfer of data would have considerable adverse effects on US commerce; it is a not-for-profit international trade association of global technology providers. EPIC is a public interest, not-for-profit organisation with expertise in privacy, freedom of information and government surveillance; it has appeared frequently as amicus curiae in the US and before the European Court of Human Rights, and is a member of Mr. Schrems’s advisory panel. Digital Europe is a not-for-profit association and the principal representative body in Europe for the digital technology industry. The US Government was also represented in the case.

The case was heard in the High Court in Dublin in March 2017 before Ms. Justice Costello for a number of weeks. Judgment has been reserved and will issue shortly.

For further information and advice in relation to “Transfer of Personal Data – The Max Schrems and Facebook case”, please contact Deirdre Farrell, partner, Amorys Solicitors deirdre@amoryssolicitors.com, telephone 01 213 5940 or your usual contact at Amorys.

Corporate Manslaughter Bill 2016

The Corporate Manslaughter Bill 2016, which is currently making its way through the Oireachtas, creates two new criminal offences which will have a significant impact on healthcare service providers. Firstly, an offence of “Corporate Manslaughter” is committed when a person’s death is caused by gross negligence on the part of an organisation. Corporate manslaughter can be committed by an “undertaking”, which is a company or corporate body, charity, government department or statutory body, and can result in a large fine for the organisation. Secondly, management employees may in addition be charged with the criminal offence of “grossly negligent management causing death” in an organisation which has been convicted of Corporate Manslaughter. This occurs when a member of staff (a “high managerial agent”) knew or ought to have known of a risk of death or serious personal harm and failed to make reasonable efforts to eliminate the risk, which contributed to a death. This means a Director, Manager or Senior Official in a company or state body could also be charged and given a jail sentence in the event of a death.

Corporate Manslaughter occurs when an organisation which has a duty of care to an individual fails to meet the standard of care required to prevent a substantial risk of death or serious personal harm, and fails to take all reasonable measures to anticipate and prevent risks. The size and circumstances of the organisation will be taken into account. The duty of care applies to all employers, subcontractors, owners/occupiers of property, producers of goods and service providers. A Court will take a number of factors into account in assessing whether there has been a breach of the standard of care required, specifically the organisation’s management, rules, policies, allocation of responsibilities, training and supervision of staff, its previous response to other incidents involving death or serious personal harm, its goals, communications, regulation and assurance systems, and whether it is a licensee or contractor.

All management and officeholders should be aware that they might come within the definition of a “high managerial agent”. A “high managerial agent” is a Director, manager or officer of an organisation, or someone acting in that capacity. In considering a charge of “grossly negligent management causing death”, a Court will consider the actual and stated responsibilities of the employee to establish whether the employee should have known of the risk and whether it was in the power of the employee to eliminate the risk. If it was not in the power of the employee to eliminate the risk, the Court will consider whether the employee passed information on the risk to others who could eliminate it. Prosecutions for the two offences are on indictment in the Circuit Court. An organisation which is convicted of Corporate Manslaughter will be liable for a substantial fine. A “high managerial agent” convicted of “grossly negligent management causing death” will be liable for a fine and/or a term of imprisonment of up to 12 years.

In addition to other sanctions, a Court may make a Remedial Order to address the problems identified and prevent any recurrence, and can consult with relevant trade unions and regulatory and enforcement authorities in considering its conditions. The organisation may be subject to a Community Service Order or an Adverse Publicity Order, under which it is required to publicise its conviction for Corporate Manslaughter, the fine and any Remedial Order online or by other means. A “high managerial agent” who is convicted of “grossly negligent management causing death” can also be disqualified from acting in a management capacity for up to 15 years on indictment, or be subject to a fine of a maximum of 5 million euro and/or up to 2 years in prison. The Court is entitled to enquire into the financial circumstances of an individual in setting the fine. If an organisation has been dissolved and re-formed and the Court is satisfied that the purpose of this was to avoid criminal liability, the Court can disregard the fact that the organisation has changed its name.

This is a summary of the bill as published, and specific legal advice should be obtained in any situation. If you have any comment on this article or would like any further information, please contact Deirdre Farrell, partner, Amorys Solicitors deirdre@amoryssolicitors.com, telephone 01 213 5940 or your usual contact at Amorys.


Recruitment and Vetting of Candidates by Employers

The National Vetting Bureau (Children and Vulnerable Persons) Act 2012-2016 requires that all persons engaged, whether as employees on a temporary or agency contract, as interns or on a voluntary basis, who provide services to children under 18 or to a “Vulnerable Person” must be vetted by the National Vetting Bureau (formerly the Garda Vetting Bureau). This came into force on 29 April 2016. A “Vulnerable Person” is an adult with a mental illness, dementia or intellectual disability, or a person suffering from a physical disability to such a degree that it restricts their capacity to guard themselves against another person and requires them to have assistance with daily living activities such as washing, walking and eating. This includes hospital patients and elderly patients.

All persons and organisations providing services to children or Vulnerable Persons must be registered with the National Vetting Bureau. Where a person or organisation was registered with the Garda Vetting Bureau prior to 29 April 2016, this registration transfers over. Existing employees of organisations or persons registered with the National Vetting Bureau prior to 29 April 2016 do not need to be vetted; however, all new employees of such organisations or persons from 29 April 2016 onwards must be vetted before providing any services to children or Vulnerable Persons. Failure to do so is an offence. The new e-vetting process is completed in a number of weeks.

The candidate who has applied to be vetted should be notified that information regarding criminal records, or a finding or allegation of harm to another person, received from the Garda Síochána or a regulatory organisation and which reasonably gives rise to a bona fide concern that the person may harm a child or Vulnerable Person, or cause them to be harmed or put at risk, may be disclosed to a prospective employer. Where an individual has only one conviction, which was more than 7 years ago and was minor, this will not be disclosed, so as to allow the individual to move on. The candidate can make a submission in response to the National Vetting Bureau’s notification.

In considering whether to disclose the information received about a candidate, the Chief Bureau Officer will not disclose it unless he has a bona fide concern that the individual may harm, or incite another person to harm, a child or Vulnerable Person; the disclosure must be necessary, proportionate and reasonable, must take into account the submission made by the candidate, and must follow fair procedures in making a disclosure to a potential employer. Where this information is disclosed to an employer, the employer must carefully consider the suitability of the candidate and their fitness for the role in light of the disclosed criminal record or finding or allegation of harm to another person. This will require detailed consideration of the type of role being offered and the nature and extent of the candidate’s access to children or Vulnerable Persons.

Under the regulatory regime in the UK, which vets candidates who work with children and Vulnerable Persons, an assessing officer decides what information should be disclosed to a potential employer. In a recent case, the assessing officer decided that the fact that a candidate had been acquitted of the rape of a 17-year-old should be released to a potential employer. The individual who had been accused of rape is a taxi driver and former teacher. He challenged the lawfulness of this disclosure as a breach of his human rights under Articles 6 and 8 of the European Convention on Human Rights; Article 6 gives individuals the presumption of innocence and Article 8 the right to privacy. The decision of the assessing officer to disclose the acquittal was upheld by the UK Court of Appeal as reasonable, proportionate and necessary in the circumstances. The incident was an isolated one, but a very serious one. The officer believed that disclosing the acquittal struck the correct balance between protecting children and Vulnerable Persons and respecting the rights of the individual who was acquitted. Even though this impacts on the candidate, as he may not get employment in his chosen profession, it does not prevent him from gaining employment in another profession to support his family.

For further information and advice in relation to “Recruitment and Vetting of Candidates by Employers”, please contact Deirdre Farrell, partner, Amorys Solicitors deirdre@amoryssolicitors.com, telephone 01 213 5940 or your usual contact at Amorys.

The Importance of “the Right to be Forgotten”

At the moment, the Data Protection Acts 1988-2003 provide that employees have the right to request that their employer (as “data controller”) rectify, erase or block personal data held about them if it is incomplete, inaccurate or not up to date.

Personal data includes an employee’s HR file, reference checks, medical information, details of accidents or other claims, information from investigation and disciplinary processes, and details of the redundancy or dismissal of the employee. There are restrictions preventing access by employees to certain data, for example information relating to the investigation or detection of offences, and legally privileged information.

The European Court of Justice ruling in Google Spain, Google Inc. v AEPD and Gonzalez (C-131/12) in 2014 held that Mr. Gonzalez could require the Google search engine to remove information linked to his name about the repossession of his home some 16 years earlier. The Court said that individuals have the right to ask search engines or “data controllers” to remove links to personal information which is inaccurate, inadequate, irrelevant or excessive. This right of removal is subject to the right of freedom of expression and of the media.

This ruling has stirred up debate about what should be removed and whether individuals should be able to whitewash their reputations through the “right to be forgotten” and their right to do so where time has passed. Similar concerns arise for organisations when requests are made by employees to rectify, delete or block their personal data, where it relates to their HR file.

Employees’ “right to be forgotten” is strengthened in the new General Data Regulation, which will be in force in 2 years’ time and which provides:

  • An employer is obliged to erase an employee’s personal data where requested without undue delay
  • Employees will be able to supplement incomplete information held by an employer with a statement
  • If the information to be removed under the “right to be forgotten” has been made public, an employer shall take reasonable steps (taking account of technology and cost) to require that links and copies are erased

Employees’ “right to be forgotten” is not unlimited and will be subject to:

  • the right to freedom of expression
  • the processing required by law, or in the public interest, or for public health
  • archiving in the public interest or for historical, statistical and scientific reasons
  • the establishment, exercise or defence of legal claims

An employee will have the right to restrict an employer from processing personal data where its accuracy is being verified, where it is no longer necessary but is required for legal reasons, or where it is pending verification as to whether the grounds of the employer override the rights of the employee to rectify, erase or block the data.

The General Data Regulation allows fines of up to 4% of the annual worldwide turnover of a company that does not comply with employees’ “right to be forgotten”.

WHAT STEPS SHOULD AN EMPLOYER TAKE NOW?

  • The organisation should review its Data Protection Policy to ensure compliance with “the right to be forgotten”.
  • When a request to rectify, erase or block data is received by an employer, the request should be assessed on a case-by-case basis, as an employee’s right to rectify, erase or block data is limited.
  • Relevant factors to be considered by an employer are the time that has passed, the reason for the retention of the information, its relevance, and whether it is required for legal proceedings or other processes which are ongoing.
  • The “right to be forgotten” request should be complied with within 40 days.

For further information and advice in relation to “The Importance of The Right to be Forgotten”, please contact Deirdre Farrell, partner, Amorys Solicitors deirdre@amoryssolicitors.com, telephone 01 213 5940 or your usual contact at Amorys.
