Tag Archives: Information Commissioner’s Office

Security breaches always get a lot of press attention, but to date there haven't been that many large fines imposed by the Information Commissioner's Office (the "ICO") in the UK. However, last week saw a big one (although some have questioned whether it is big enough), with TalkTalk being given a record GBP400,000 penalty due to a violation of the DPA's seventh principle on security. This comes on the back of the GBP1,000 fine a couple of weeks ago in respect of TalkTalk's failure to give notice to the regulator in due time, which we reported on: http://datonomy.eu/2016/09/13/ico-wins-tiny-penalty-but-significant-principle-in-talktalk-security-breach-saga/

This case relates to cyber-attacks perpetrated against TalkTalk between 15 and 21 October 2015 exploiting vulnerabilities in certain webpages. Personal data of 156,959 customers, including financial information, was impacted, with the attacker accessing the personal data of all of the customers along with the bank account numbers and sort codes of 15,656. When imposing …

The case of TalkTalk v ICO UK: Service Providers must comply with the 24 hour notification rule when a customer provides detailed complaint of a personal data breach

On August 30, 2016, the Information Rights Tribunal (the "Tribunal") dismissed an appeal from TalkTalk Telecom Group Plc ("TalkTalk") challenging a £1,000 monetary penalty which had been imposed on the company by the ICO for a delay in issuing a personal breach notification back in March 2016. Whilst a small amount of money, at stake was an important principle as to the point at which the time limits for notification of a security breach commence. The Tribunal held that the ICO did have a legal basis for imposing the monetary penalty notice. TalkTalk should have notified the data breach within 24 hours after the detection of the breach, and it was feasible for the company to have done so. Whilst this specific to the …

The latest responses by the UK government and the ICO to the EU reform proposals will (mostly) resonate with businesses concerned about some of the more far-reaching changes.

The latest developments and time line

Datonomy has been taking stock of two recent UK developments: the Government's response to the Justice Select Committee's opinion on the European Data Protection framework proposals published by the MOJ on 11 January, and the "latest views from the ICO" 2-pager on 22 January. Datonomy readers are no doubt au fait with the intricacies of the EU legislative process, but may nonetheless enjoy the blog post by Deputy Commissioner David Smith with its helpful insight into the current state of play and user-friendly time line. Despite the strength of the European Parliament's support for the Commission's proposals, it still has a way to go, procedurally speaking. And not everyone shares the EP's wholehearted support for every aspect …