The alleged data breach at Independent News & Media could have a range of complicated and potentially very expensive repercussions, according to data law solictors and others.

Among other implications, it could require the plc to notify those affected by the alleged breach, which would include staff and people outside the organisation who were in communication with staff members, including journalists.

People can also request copies of personal data held by a company, which in the case of the Independent could include data about possibly improper use of their data.

It has been known for some time that data from the group was given by its then chairman, Leslie Buckley, to a company in Wales, Trusted Data Solutions.

Mr Buckley has said this was part of a cost-reduction exercise but it appears that it was not sanctioned by the Independent board or senior management. Bills arising from the exercise were paid by a company owned by the Independent group’s largest shareholder, Denis O’Brien.

Duty of care

The alleged data breach and its purpose is one of the issues covered in an affidavit to the High Court by Ian Drennan, the Director of Corporate Enforcement, supporting an application for the appointment of inspectors to the plc.

Companies have a duty of care to staff who have privacy rights that are protected under the Constitution. Ironically, the constitutional right to privacy was established in an important case involving an Irish Independent journalist, Bruce Arnold, who sued the State for bugging his phone.

Former ‘Irish Independent’ journalist, Bruce Arnold, and the former editor of ‘The Irish Times’, Geraldine Kennedy, sued the State for bugging their phones. Photograph: Paddy Whelan

The former editor of The Irish Times, Geraldine Kennedy, also successfully sued the State in the 1987 case that established those rights. There is no obligation to show a financial loss in order to be entitled to damages.

The disclosure of data to a third party for other than legtimate business reasons is also a breach of data protection laws, according to lawyers, though the law as it stands is regarded as weak.

However, at the end of next month a new regime comes into effect by way of the European Union General Data Protection Regulation (GDPR) which, according to information law solicitor Fred Logue, of FP Logues solicitors, contains a provision that allows damages to be paid without an injured party having to show they suffered any financial loss.

This provision would apply to anyone whose data was breached, whether they are employees or persons in communication with those employees by way of email, Mr Logue said.

Test case

According to a report in the Irish Independent on Wednesday, Mr Drennan’s affidavit suggests that the emails of one affected executive which were examined by the party that was given the data, went back to 1999. The alleged data breach occured in 2014.

According to Daragh O’Brien, managing director of Castlebridge data consultancy, a test case will probably be needed in the Irish courts to establish whether the introduction of the GDPR at the end of May, will mean that persons whose data was breached in advance of that date are entitled to damages even where they do not show a financial loss arising from the breach.

He said it was his view that a data breach involving a significant number of people required the data holder to notify those parties whose data had been compromised.

The alleged data breach also raises questions for the plc in relation to company law and common law issues as they affect officers of the firm.

Mr Buckley was chairman at the time and any finding that the data was given to third parties for reasons that were other than in the normal business interests of the Independent group, would raise questions as to compliance with general fiduciary duty obligations to the group.

The Independent group’s board is examining the affidavit from Mr Drennan to decide if it contains sufficient grounds for the appointment of inspectors. It is receiving legal advice from McCann Fitzgerald solicitors, and from barristers Paul Gallagher SC and Shane Murphy SC.

Mr Gallagher is a former attorney general and known for his involvement in complex corporate and civil litigation. Mr Murphy is best known for his role in criminal law. He is currently acting for An Garda Síochána at the Charleton Tribunal.

The group has also been notified that the Data Protection Commissioner, Helen Dixon, is investigating a potential data breach at the Independent, and is currently conducting a scoping exercise.

If the inquiry does not officially begin until after the introduction of GDPR, she will be conducting the exercise with much more substantial powers than currently apply. The new regime also includes vastly greater potential penalties.

Mr Logue said that in his view there is a role to be played by Irish Human Rights and Equality Commission in the alleged Independent data breach, given the role played by journalism in society and the importance of confidential sources to journalism.

The issues facing the INM board also include its duty to establish facts and disclose them to its shareholders, to whom they are primarily responsible.