Two telecoms companies have pleaded guilty to multiple breaches of data protection legislation at the Dublin District Court.
They have been ordered to pay a total of €30,000 to two charities.
The charges follow the theft of two unencrypted laptops from the office of Eircom Ltd, trading as eMobile, and Meteor Mobile Communications Ltd, trading as Meteor, in Parkwest in Dublin late in 2011 or early in 2012.
The laptops contained personal and financial information of customers. Both companies are part of the Eircom group.
They were charged with failing to protect the personal data held on the laptops, failing to notify the Data Protection Commission of this personal data breach without undue delay and failure to notify the affected individuals without delay.
It is the first prosecution taken with regard to the loss of personal data on an unencrypted laptop.
Both companies pleaded guilty to the charges before Dublin District Court this morning and received the benefit of the Probation Act, provided they make the donation to charity.
The court heard that the theft of the two password-protected but unencrypted computers took place sometime between 28 December 2011 and 2 January 2012 from Eircom's business premises at Parkwest in Dublin.
The laptops were discovered missing on 3 January and the matter reported to gardaí the following day.
The Office of the Data Protection Commissioner says all such breaches should be reported to its office within two working days.
However, the court was told that in this instance it was only notified of the breach 30 days after the laptops were found to be missing.
In total, the laptops contained details of 3,944 Meteor customers and 6,295 eMobile customers.
In the case of eMobile, the data included customer application forms, including passport details, utility bills, driving licence details, financial statements and credit and debit card information for 142 of the customers.
eMobile only began informing customers 38 days after the laptops were reported stolen, but it took up to 77 days to inform some customers.
The details of the remaining eMobile customers included names, addresses, telephone numbers and account details.
The Meteor data also contained application form information such as passport and driving licence details, and financial statements of 1,244 customers out of a total of 3,944 customers who were listed on the laptops.
Meteor began informing customers 38 days after the laptops were stolen, but in some cases it took up 73 days before everyone was informed.
Apologising for what had happened, Eircom's solicitor told the court that the personal data should not have been on the laptops, and the computers should have been encrypted.
The court was told that Eircom Group had in excess of 3,100 encrypted laptops prior to this data breach. Following this breach, the group identified approximately 160 laptops that were not encrypted.
However, the court heard that all unencrypted laptops have since been encrypted.
Eircom said it had difficulty identifying what exactly had been on the laptops, and it was this that had led to the delay in notifying the ODPC and the customers.
Judge John O'Neill said the procedures were there to be followed, but in this case they had not.
He said there had so far been no loss to customers in this instance, but it was not guaranteed that those affected would not suffer loss in the future.
Judge O'Neill said both companies should have notified the Data Protection Commission without delay, but he he also noted both had come in with their hands up and had not attempted to minimise their part in these offences.
He said under the circumstances, a payment to charity reflecting the maximum fines available under the legislation, was the most appropriate solution.
The judge gave the companies the benefit of the Probation Act, provided they pay a total of €30,000 to the Laura Lynn Foundation and Pieta House by the end of the month.
