TalkTalk: how quickly must you notify a personal data breach?
How quickly must you notify the ICO following notification of a personal data breach? And what lessons can be learned from the tight timescales currently imposed on communications providers as all businesses head towards 72 hour data breach notification under the GDPR?
Communication providers must notify a personal data breach within 24 hours of the breach, pursuant to the Privacy and Electronic Communications Regulations 2003 (PECR).
On 16 November 2015, one TalkTalk customer accidentally gained access to another customer’s personal information, including their name, address, telephone numbers, email address and date of birth. This occurred due to a fault with the password mechanism through which customers accessed their online TalkTalk accounts. The parties agreed that this constituted a personal data breach under the PECR. The customer whose data was accidentally accessed notified TalkTalk of the breach by phone on 16 November 2015 and in a detailed letter on 18 November 2015, which the customer also sent to the ICO. On 20 November 2015, the ICO wrote to TalkTalk about the breach. This was acknowledged by email on the same day by TalkTalk’s Information Security Officer, who wrote to the ICO a week later to say that the incident was being investigated and that the ICO would be notified if TalkTalk concluded that a personal data breach had occurred. TalkTalk provided formal notification on 1 December 2015.
TalkTalk argued that its investigation concluded on 30 November and the notification on 1 December was therefore within the 24 hour time limit. It also argued that it was an “impractical burden” to expect companies to treat every suspected personal data breach as established and to notify the ICO within 24 hours. The ICO had taken the view that the breach should have been notified within 24 hours of receipt of the customer’s letter on 18 November or, at the latest, the Information Commissioner’s letter of 20 November. TalkTalk was fined £1,000 by the ICO. TalkTalk appealed against this monetary penalty notice.
The FTT dismissed TalkTalk’s appeal because (a) it considered that the level of detail in the customer’s 18 November letter led to the inevitable conclusion that there had been a personal data breach; (b) TalkTalk was unable to suggest any credible alternative scenario that could explain the customer’s letter; and (c) all of the information contained in TalkTalk’s eventual notification on 1 December was also contained in the customer’s letter of 18 November. The FTT rejected TalkTalk’s contention that it could not be said to have “detected” or acquired “sufficient awareness” of the breach until it had concluded its own investigation. TalkTalk was made aware of the breach when a customer wrote to the company to say that another customer had accidentally obtained their personal information. This was enough to warrant a notification under the PECR.
Why is this important?
This decision highlights that when a company has “sufficient awareness” of a data breach (as TalkTalk did here), the ICO and FTT will not accept any excuses for late notification. While PECR notification requirements only apply to communications providers, the business world at large needs to start preparing for much swifter notifications when the GDPR comes into force in May 2018 – noting that this will need to be within a 72 hour time period.
Any practical tips?
In its guidance on breach notification under the GDPR, the ICO accepts that it will be impossible to investigate a breach fully within a 72 hour time period. However, it does expect information to be provided in phases. Adopting this type of phased approach now (whether or not you’re a communications provider) could be a sensible strategy if you suffer a data breach, even before the stricter time limits come into play under the GDPR. Either way, the decision is a useful reminder to ensure that you have the necessary resources in place to respond quickly to a personal data breach. Gearing up now for what will be expected under the GDPR, and training the business accordingly, must be a sensible approach.