By Phil Bradley-Schmieg and Gemma Nash
On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint.
Commission Regulation No 611/2013 (“the Notification Regulation”) and the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) require telecommunication service providers to report personal data breaches within 24 hours of their “detection.” TalkTalk’s appeal focused on the extent to which an internal investigation can take place before it is deemed to have “detected” a breach.
The Notification Regulation states that “[d]etection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.”
The Notification Regulation also sets out the requisite contents of data breach reports. If the necessary information is not immediately available following “detection,” an abridged initial report, at least, must be delivered within the initial 24-hour period, but this must be followed up with further information within three days, and then with more details as and when they become available.
A company can therefore be deemed to have “detected” a reportable breach even though it does not yet have all the information needed to make a full report.
TalkTalk was fined for reporting a breach two weeks after it received a customer complaint (by telephone and with a detailed follow-up letter). Another customer had alerted the complainant that it was able to access their data, thanks to defects in the online account login process.
TalkTalk appealed the £1,000 fine subsequently imposed by the Commissioner, on the grounds that it was not until TalkTalk carried out its own investigation that it had “detected” the breach. TalkTalk also submitted that this was standard industry practice (tacitly agreed to, previously, by the Commissioner) for dealing with customer data breach allegations – of which TalkTalk received around 50 a month. This argument was rejected during the appeal.
The appeals tribunal held that there is a distinction between “detection” and “conclusive confirmation.” It held that TalkTalk had received sufficient evidence from the customer’s initial complaints.
In fact, it held that the customer’s complaint contained sufficient information to permit TalkTalk to make a full disclosure within the 24-hour period, without needing to rely on the staged (3-day plus) allowance for further information-gathering after an initial placeholder notification.
The appeals tribunal also stated that the fact pattern raised in the complaint could not credibly be explained other than by a personal data breach. TalkTalk was therefore deemed to have “detected” the data breach upon receipt of the customer’s detailed complaint, and failed to notify the Commissioner within the required 24 hours.
The Tribunal rejected TalkTalk’s argument that it should “read in” the requirement that there should “always” be an investigation before notification is made. Accepting that argument would risk undermining the time limits set out in the law. It also found no evidence that the Information Commissioner had tacitly accepted that industry practice.
The Tribunal did, however, distinguish this case from a generalized complaint of a suspected data breach that provides insufficient evidence and/or for which there might be another explanation. It gave the example of “a complaint about junk mail which alluded to the recipient being a TalkTalk customer.” In this situation, an investigation may be necessary to “detect” the data breach; immediate reporting of the customer’s suspicion would not be required.
Whilst current EU rules generally only require personal data breach notification by telecoms companies (or in certain other heavily-regulated sectors), sweeping reforms taking effect in May 2018 (the General Data Protection Regulation, or “GDPR”) will generalize the obligation to all companies handling personal data. This change has been pre-empted by some EU Member States. The Netherlands, for instance, adopted a general breach reporting requirement in May 2015. These developments highlight the increasing importance of having very rapid and efficient procedures in place for triage and external reporting of data breach allegations.