The case of TalkTalk v ICO UK: Service Providers must comply with the 24-hour notification rule when a customer provides a detailed complaint of a personal data breach
On August 30, 2016, the Information Rights Tribunal (the “Tribunal”) dismissed an appeal from TalkTalk Telecom Group Plc (“TalkTalk”) challenging a £1,000 monetary penalty which had been imposed on the company by the ICO for a delay in issuing a personal data breach notification back in March 2016. Whilst the sum was small, an important principle was at stake: the point at which the time limits for notification of a security breach commence.
The Tribunal held that the ICO did have a legal basis for imposing the monetary penalty notice. TalkTalk should have notified the data breach within 24 hours after the detection of the breach, and it was feasible for the company to have done so.
Whilst this is specific to the telecoms sector, the judgment provides a warning to all in terms of the ICO’s strict approach to breach notification. It is something to bear in mind as the clock ticks on the implementation of the GDPR’s tighter security breach notification requirements.
In October 2015, TalkTalk experienced a “significant and sustained cyber-attack”, during which personal and banking details of up to four million customers are thought to have been accessed. TalkTalk’s official response was that they had received a ransom demand from a group claiming to be responsible. The case specifically relates to November 16, 2015, when one TalkTalk customer accidentally obtained unauthorised access to another customer’s personal data and was able to see online that customer’s name, address, telephone numbers, email addresses and date of birth. This occurred due to a problem with one of TalkTalk’s mechanisms for keeping its customers’ personal data secure. The customer made calls to TalkTalk notifying them of the breach and sent a detailed letter on November 18, 2015.
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 and Commission Regulation Number 611/2013, service providers (such as telco providers) are bound to notify the competent National Authority, without undue delay and within 24 hours, that a breach has occurred. If the service provider is unable to provide all the details of the breach, it is permitted to make an initial notification followed by a second notification within at least 3 days. Note that this is a sector-based requirement that does not currently extend to all organisations.
TalkTalk’s central argument was that they only “detected” or acquired “sufficient awareness” of the personal data breach after they had concluded their own investigation. TalkTalk also argued that it is standard industry practice for a customer’s complaint of a possible data breach to be investigated and confirmed before the ICO is notified. Therefore, according to TalkTalk, the rule is that the 24-hour notification period runs from the end of the investigation and not from the receipt of the complaint. Finally, TalkTalk argued that it would be impractical if every complaint from a customer of a suspected data breach had to be treated as an established breach triggering the 24-hour notification rule.
The ICO in turn argued that “detection” is very different from “conclusive confirmation”. Its view was that detection materialises when a service provider has “sufficient awareness” that a personal data breach has occurred. Taking into consideration the level of detail and supporting evidence provided by the customer, it maintained that this threshold was met well before TalkTalk concluded its own internal investigation. The ICO further submitted that the Privacy and Electronic Communications (EC Directive) Regulations 2003 provide for a multi-stage reporting approach, which suggests that information should be gathered and provided to the ICO as the service provider acquires it, rather than an investigation having to be fully completed before the obligation to notify arises.
The Tribunal’s judgment
The Tribunal found that, depending on its level of detail, a customer’s complaint could give a service provider enough evidence to consider that a personal data breach has occurred. The Tribunal concluded that, in the circumstances of this incident, TalkTalk did have “sufficient awareness” that a breach of personal data had occurred when this complaint was received and therefore should have given a notification of potential breach to the Commissioner within 24 hours of this point. The Tribunal noted that the regulations make no specific provision for time for the service provider to conduct an investigation, beyond permitting a time-limited, staged notification process.
However, worthy of note, and one bit of comfort for service providers, is that the Tribunal distinguished the facts of the case (where the customer had provided a considerable level of detail of circumstances that could only be explained by a personal data breach) from a situation where a customer has made a generalised complaint of a suspected data breach.