Time is of the essence: reporting data security breaches

TalkTalk Telecom Group Plc v Information Commissioner [2016]

TalkTalk unsuccessfully appealed against a fixed monetary penalty notice of £1,000 for failing to notify the Information Commissioner’s Office (ICO) of a personal data breach within 24 hours of detection of the breach, as required by the Privacy and Electronic Communications Regulations 2003 (PECR) and the Notification Regulation (611/2013).

Although a small fine, the ruling lays down an important principle that businesses must comply with the notification rules in relation to data security breaches, or be penalised.

Background facts

On 16 November 2015, a TalkTalk customer accidentally gained unauthorised access to the personal data of another customer. TalkTalk were notified of the data breach on the same day. The customer also sent TalkTalk a detailed letter of complaint on 18 November 2015 and provided a copy to the ICO. TalkTalk notified the ICO on 1 December 2015 that the personal data breach had occurred.

Issue

Whether TalkTalk could be said to have ‘detected’ or acquired ‘sufficient awareness’ of the breach, so as to trigger an obligation to notify the ICO, prior to 1 December 2015.

Decision

TalkTalk had sufficient information to ‘detect’ a data breach at the time of the customer’s detailed letter and probably at the time of the phone calls. They did not require more time to investigate the incident before reporting it to the ICO. To allow time for internal investigations would undermine the strict timescales of the PECR and notification regulations.

An important distinction was made by the Tribunal between this case, where detailed particulars of the breach were provided, and a situation where a customer makes a generalised complaint of a suspected personal data breach. The latter may merit a period of investigation before a personal data breach is detected and reportable.

Analysis

The ruling indicates that the ICO expects to be notified of data breaches as soon as they are detected, and not necessarily after an internal investigation has taken place. The results of the Lloyd's “Facing the cyber risk challenge” survey, published on 20 September 2016, show that 92% of European businesses suffered a cyber security breach in the last five years. Consequently, businesses should be aware of their obligations and have appropriate data breach response policies and procedures in place to ensure compliance with notification deadlines.

The decision is pertinent in light of the incoming General Data Protection Regulation (GDPR), applicable from 25 May 2018. The GDPR will require organisations handling EU citizens’ data to report any data breaches within 72 hours, failing which they must provide reasoned justification for the delay. A failure to secure data may also result in penalties of up to €20 million. Despite this, the “Facing the cyber risk challenge” survey found that 57% of European business leaders admitted to not fully understanding the potential implications of the GDPR on their company – including the financial consequences, regulatory investigation, impact on share price, reputational damage and a loss of customers.