TalkTalk loses appeal at Information Tribunal: No leeway in data breach notification

The Information Tribunal (The First Tier Tribunal) has dismissed TalkTalk’s appeal against the ICO’s decision to fine it £1,000 for a late data breach notification.

The ICO had, on 17 February 2016, sent a Notice of Intent to issue a fixed monetary penalty for TalkTalk’s failure to notify the Commissioner of a personal data breach within 24 hours of detecting it, where it was feasible for the company to do so. TalkTalk, as a telecoms service provider, is obliged to notify under the Privacy and Electronic Communications Regulations (PECR).

TalkTalk had been alerted to a possible data breach by a customer. TalkTalk argued that its established practice was to notify within 24 hours of the conclusion of an investigation, not within 24 hours of receiving a complaint, and that the ICO had implicitly condoned this practice. TalkTalk also argued that, with a customer base of four million, it could not possibly treat every complaint of a suspected breach as an established breach; the company is estimated to receive approximately 50 such complaints a month.

However, the ICO said that in this particular case the customer had provided a detailed account of exactly what had happened, had supporting evidence, and had discussed the matter with a TalkTalk employee. In the ICO’s view, the handling of the customer’s complaint showed disorganisation rather than diligence. The ICO also said that TalkTalk had failed to produce any evidence of what investigatory steps it had actually undertaken.

The Tribunal ‘distinguished the facts of this current case (where the customer had provided considerable detail of circumstances that could only be explained by a personal data breach) from the situation where a customer made a generalised complaint of a suspected personal data breach - for example, a complaint about junk mail which alluded to the recipient being a TalkTalk customer’.

The Tribunal concluded that TalkTalk had sufficient awareness of the breach on receipt of the customer’s letter, and that the personal data breach was therefore detected at that point, which is when the 24-hour notification period began to run.

See the decision of the Information Tribunal (The First Tier Tribunal, General Regulatory Chamber, Information Rights) on 30 August.