A recent ruling by the Information rights tribunal provides a reminder that organisations need to act promptly to investigate apparent data breaches and document the steps taken as part of that investigation.
The Information rights tribunal has dismissed TalkTalk Telecom Group Plc's appeal against a monetary penalty of £1,000 imposed by the Information Commissioner's Office (ICO) for a data breach notification failure.
The Information Commissioner had served TalkTalk with a fixed monetary penalty notice of £1,000 for failing to notify the ICO of a personal data breach within 24 hours after detection of that breach, as required by the Privacy and Electronic Communications Regulations 2003 and the Notification Regulation.
TalkTalk had been alerted to the data breach by a customer who complained that he was able to access the personal data of another customer on the internet. The customer's letter was sent on 18 November 2015, but TalkTalk did not report the breach until 1 December 2015. The telecommunications company stated that it needed time to investigate the customer's complaint in order to determine whether a personal data breach had in fact occurred.
The ICO dismissed TalkTalk's claim and stated that, in this particular case, the customer provided a detailed account of what had happened along with supporting evidence to corroborate that account. In its view, the information that was disclosed by the customer was sufficient and did not require an internal investigation before a personal data breach was detected.
It is also noteworthy that the ICO identified faults in the data breach notification response procedure adopted by TalkTalk. In particular, TalkTalk had initially told the ICO that the reason for the delay in notifying the data breach was that the incident had not been reported to either its information security or fraud teams. The ICO took the view that this showed a level of disorganisation rather than diligence in relation to the handling of the customer’s complaint.
The tribunal found that the customer letter provided TalkTalk with sufficient information about the events that occurred which could only be explained by a data breach. It further highlighted that an internal investigation was not required as it would undermine the notification period stipulated in the Notification Regulation.
The tribunal pointed out that the decision in this case was based on the fact that a detailed account of the incident had been provided by the customer. This should be distinguished from the situation where a generalised complaint of a suspected personal data breach is made, in which case an investigation might well be required in order to detect a breach.
The tribunal's decision reinforces the strict approach taken by regulators regarding data breach notification and the need to have data breach notification mechanisms in place to ensure compliance.
In this case, the ICO was interested to know why TalkTalk failed to report in time and whether there were any faults with internal reporting. As well as considering carefully whether an internal investigation is in fact necessary in the light of the evidence provided, organisations should also ensure that an audit trail is created to document the steps taken and the reasons for any delay in meeting notification deadlines.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.