Ironically, it has coincided with Amazon Web Services (AWS) experiencing a recent major outage in northern Virginia, which impacted thousands of companies and millions of end‑users globally — ranging from from gaming platforms, streaming, banking, mobile devices and government.

While security is usually thought of in terms of confidentiality (data leaks) or integrity (unauthorised changes), availability is an increasingly significant concern, and when essential cloud services go offline, all users suffer.

The event was also a salutary reminder that security teams in Ireland — and elsewhere in Europe — can be affected by incidents as far away as the eastern US and must treat major cloud‑provider outages as part of their risk profile.

Mícheál O’Dowd of O’Dowd Solicitors LLP is an expert in privacy and data security matters. The founder and managing partner of his firm, he has a first-class honours master’s degree in data protection law.

He has also regularly lectured to undergraduate and postgraduate students in data protection and cybercrime at University College Cork and worked with several large public bodies in ensuring compliance during the implementation of the EU GDPR, an area he continues to advise on. 

Co Cork-based O’Dowd has offices in Glanmire, Fermoy and Carrigaline, with Mr O’Dowd also dealing in complex conveyancing matters and in advising residential and commercial property developers. He is a registered trade mark agent and has been described by an e-sourcing expert as having “an outstanding knowledge in the key area of online/IT law”.

In 2015, with University College Cork emeritus professor Maeve McDonagh, Mr O’Dowd co-authored Cyber Law in Ireland, an authoritative volume covering issues that include intellectual property rights in the ICT sector, relevant competition rules, electronic transactions, privacy issues and computer crime.

Among influences in his career, he cites Bruce Schneier, who is an internationally-renowned security technologist, the author of 14 books on cybersecurity and writer of influential newsletter Crypto-Gram and blog Schneier on Security.

Mr O’Dowd encountered Mr Schneier’s views during a spell at EPIC, the Electronic Privacy Information Center, an independent non-profit research facility in Washington DC. 

“It was during my undergraduate years at UCC and they had an arrangement with EPIC that allowed me to go over there for a summer and work for a privacy NGO,” he says. 

“We had great exposure to the area, whether it was attending Senate hearings regarding privacy and data security or how it affected the United States Postal Service or the United States National Parkway.

“It was certainly an eye-opening experience and one that definitely piqued my interest in developments in the field and of the importance of keeping abreast of them.”

Coming from several generations of farmers in Co Cork, when Mr O’Dowd qualified as a lawyer he was faced with the Robert Frost dilemma: as he puts it, two roads diverged.

“There was the possibility of going down the academic route, and I wrote to the University of Leuven in Belgium, which has a strong international reputation for legal studies, and almost accepted a job there,” he recalls.

“But I decided to practice as a solicitor and founded the firm here in 2009.”

“Whether I made the right decision or not will probably haunt me forever, but here we are,” he smiles — adding that, after qualifying, he knew he didn’t want to be someone else’s employee.

“In our early days we were doing what was necessary to keep the doors open, such as conveyancing and District Court work.

“After that we were able to move increasingly into the litigious and contentious side and in recent years were fortunate in being asked to advise a few state agencies in implementing the GDPR, a period I really enjoyed.”

That area declined for mid-sized firms such as O’Dowd when major consultancies became involved. “The EYs and Mazars of this world were able to produce thousands of graduates who claimed to be experts in this speciality and it became more difficult to offer services to some of the bigger entities,” he says.

Some of these, including public service organisations, have nevertheless seen major repercussions regarding cybersecurity.

Mr O’Dowd cites the 2021 ransomware cyberattack on the Heath Service Executive (HSE), which led to the shutdown of all its IT systems nationwide, seriously disrupting healthcare services and leading to more than 473 data protection lawsuits related to the breach.

The firm wrote an open letter to the then health minister, Stephen Donnelly, calling on him to inform individual data subjects about what, if any, data of theirs had been obtained by nefarious actors, which the HSE was obliged to do in accordance with Article 34 of the GDPR.

Such mass data breaches have now become commonplace, and many people may have a right to claim for non-material losses; however, the response from many organisations is to respond that that there is no evidence of wrongdoing or that individuals’ data has been misused.

“That’s really cold comfort for the people concerned,” Mr O’Dowd says.

The Supreme Court recently ruled on an appeal brought by Patrick Dillon in a case seeking damages against Irish Life Assurance plc in relation to a data breach.

The ruling impacts non-material damage under the GDPR, involving as it does the alleged wrongful disclosure of personal data, and highlights the procedural hurdles facing claimants in the future.

“There’s much in the area of legal redress regarding cybersecurity that doesn’t currently sit well with me,” says Mr O’Dowd. “I find that when I write to some large organisations, I’m met with a formulaic letter stating that they can find no evidence of wrongdoing, with the implication being ‘this is modern life, get on with it’.”

He says that there has been a shift in the firm’s clientele since around 2017. “The corporate investment and interest in compliance with GDPR has now tailed off and many clients falling under the heading of data protection are now individuals — mostly people who are concerned about the failure and delays involved in getting real answers when they know their data has been hacked.”

Earlier this year, O’Dowd Solicitors LLP expanded its operation through the acquisition of Flynn Solicitors, enabling it to open the firm’s third office in Carrigaline.

“While the days of a sole practitioner trying to service even simple private client cases have gone, people still expect to have access to legal services in their own locality,” he notes.

“So, we can offer expertise in several areas including family law, probate, conveyancing and litigation to a local clientele.”

Mr O’Dowd met his wife, Deirdre Costello, at Blackhall Place when the Law Society of Ireland was conducting training in Cork and she is now a partner in the firm.

True to his rural roots, he’s a member of the Irish Farmers Association and, when not exploring the arcana of cybersecurity, is happy to be driving a tractor on the family farm, which he continues to run as a going concern.

Farming is a good way for him to — literally — keep his feet on the ground and, he says, is not as surprising as it might seem.

“Look, some people think nothing of spending every Saturday on the golf course and I have a good guy working with me on the farm who makes it easy for me to focus on the day job. 

“I’m fortunate enough to be able to vanish out of the office for a few days into the countryside. It’s a definite sense of release and, in a strange way, each side of what I do complements the other.”