A data breach that exposed a database containing over 337,000 records listing personal details of Maltese voters could result in sanctions against the parties involved, commented Paul Micallef Grimaud, Partner at leading local law firm Ganado Advocates.
The Information and Data Protection Commissioner will be investigating how the database, containing names, addresses, ID card details and telephone numbers of Maltese voters, was breached.
Online monitoring service Under The Breach reported that the data had been left exposed by a Maltese IT company.
Times of Malta said it was informed by the online security monitoring firm that the company in question was C-Planet IT Solutions Ltd, which, in turn, said it would not reply to any questions on what it described as a mishap, adding that the data was "old" and that it was expected to release a statement on the matter.
Dr Micallef Grimaud said the sanctions could include fines levied by the Information and Data Protection Commissioner, and noted that such measures had been taken when a leak occurred at the Lands Authority.
The public land watchdog had been fined €5,000 in February last year after the Commissioner found that the online application platform available on the Lands Authority’s portal “lacked the necessary technical and organisational measures to ensure the security of processing”.
Dr Micallef Grimaud heads the firm’s Intellectual Property, TMT and data protection practice group. His focus is dedicated to counselling and assisting clients in the media, technology and entertainment space, on the legal aspects of their operations, and to representing them in court and arbitration.
Dr Micallef Grimaud said the law empowered the Commissioner to impose an administrative fine on a public authority or body after giving due regard to the circumstances of the case in line with the law.
The fine cannot exceed €25,000 for each violation. However, the Commissioner can also impose a daily fine payment of €25 for each day during which the violation persists.
“The Information and Data Protection Commissioner will look to investigate the occurrence and the responsibilities of the parties involved, including the steps which were taken by the parties upon detecting or being made aware of the breach.
“Password protection and encryption is key. There are various measures that could be taken, and anyone handling personal data has a general obligation at law to adopt and use appropriate technical and organisational measures to ensure the protection of that data.
“It is also the responsibility of the local councils/authorities that made use of the services of the service provider who (accidentally) leaked the information to ensure that the necessary safeguards are in place,” Dr Micallef Grimaud pointed out.