Cordery

Legal.Compliance.

TalkTalk data breach notification appeal fails

TalkTalk’s appeal to the First-Tier Tribunal against the Monetary Penalty Notice issued by the UK Data Protection Authority (The Information Commissioner’s Office or ICO) was heard in August with a decision made on 30 August rejecting the appeal. The case is relevant not just to telecommunications operators but also to businesses at large given that similar data breach reporting obligations will be in force across the board from May 2018 as part of the General Data Protection Regulation (GDPR).

Background

TalkTalk are a telecoms provider who provide a range of telecoms services across the UK. They are a UK listed entity with a turnover of about £1,795m in 2015.

In October 2015 TalkTalk announced a data breach which they said was the result of a “significant and sustained cyber-attack” and they said that the personal and banking details of up to four million of their customers had potentially been exposed. A few weeks later however TalkTalk issued a new statement saying that a “materially lower” amount of customers had been affected and in early November they said that the number was “much more limited than initially suspected”.  They thought that the banking details of 15,656 customers was at risk.

Second data breach

The case before the ICO concerned a second breach. On 16 November 2015 a customer told TalkTalk that he was able to see another customer’s details online.  That customer told the second customer who called TalkTalk to tell them of the breach on the same day – 16 November 2015.  She was given a reference number and she wrote a detailed letter to TalkTalk on 18 November.  She also wrote to the ICO.

As a telecoms operator as well as being subject to the Data Protection Act 1998, TalkTalk are also subject to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). PECR includes an obligation to report security breaches.  They have to be reported to the ICO within 24 hours of the organization concerned becoming aware of the essential facts of the breach.  Failure to report a breach incurs a fixed penalty of £1,000.

What did the ICO do?

On 20 November 2015 the ICO wrote to TalkTalk about the breach enclosing the customer’s letter. TalkTalk’s Information Security Officer acknowledged the letter by email on 20 November and on 27 November he emailed the ICO to say that they would be notified if TalkTalk concluded that a personal data breach had occurred.  TalkTalk notified the ICO on 1 December 2015.

The ICO asked TalkTalk to explain why the breach had not been reported within the 24 hour period stipulated by PECR. TalkTalk said in an email that this was because “the incident had not been reported to either the Information Security or Fraud Team”.

In February 2016 the ICO told TalkTalk that it intended to issue a fixed monetary penalty. TalkTalk provided submissions as to why it should not be fined but the ICO decided that there was still good grounds for a penalty and issued a penalty notice on 24 March 2016.

The Appeal

TalkTalk launched an appeal as they said that they could not rightly be said to have “detected” the breach or to have had “sufficient awareness” of the breach. TalkTalk argued that they only had sufficient awareness when their investigation concluded on 30 November and as a result their notification on 1 December was within the 24 hour time limit.  TalkTalk also said that it was standard industry practice for an investigation to take place before the ICO was notified.  Additionally TalkTalk said that given the number of customers it had (around four million) an impractical burden would be placed on them if every complaint from a customer had to be dealt with and reported to the ICO within 24 hours.  TalkTalk said that they thought they got around 50 complaints like this a month.

What did the Tribunal decide?

The Tribunal decided that the level of data in the customer’s letter of 18 November was sufficient and noted that TalkTalk had no credible alternative scenario to explain what had happened other than a data breach. The Tribunal decided that TalkTalk had sufficient awareness of the breach on 18 November and in fact strongly suspected that TalkTalk had sufficient awareness when the customer telephoned on 16 November.

The Tribunal noted that PECR made no specific provision for time to conduct an investigation and that as a result the strict time limits in PECR had to be observed whether or not that left enough time to do an investigation.

How does this relate to GDPR?

GDPR will impose general data breach reporting obligations both to regulators and to those affected. You can find out more about this in our FAQs here –http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/. Under GDPR breaches will have to be reported usually within 72 hours.  It is important to remember that separate obligations will still exist for telecoms companies both  under PECR and also from 2018 under the NIS Directive.  You can find out more about the NIS Directive here – http://www.corderycompliance.com/eu-cyber-security-rules-adopted/. This case sends a clear message that companies will have to invest in proper processes to enable them to report breaches properly.

One small comfort however might be that the fines under PECR are not great. A fine of £1,000 compares with a possible penalty of around £72million for an organization of TalkTalk’s size for serious offences post-GDPR.  Again you can find more details of the GDPR fining regime in our FAQs here – http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and in our detailed guidance in GDPR Navigator here – http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.

Next steps

Clearly then as part of the GDPR process businesses will have to consider:

  1. Making more effort to stop breaches happening;
  2. Having a robust data breach plan in place;
  3. Training individuals to make sure they know how to respond;
  4. Making sure any communications with regulators are done through the right team. TalkTalk may have identified the issues more quickly had their legal team been involved;

Investing in proper processes to identify breaches quickly and assist in investigating the breach and outlining the details to a regulator’s satisfaction.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong

Office: +44 (0)207 075 1784

jonathan.armstrong@corderycompliance.com

André Bywater

Office: +44 (0)207 075 1785

andre.bywater@corderycompliance.com

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.