Honouring the Breach

August 31, 2016

TalkTalk Telecom Group PLC v Information Commissioner (Appeal No. EA/2016/0110), the full judgment of which is available for download, is an appeal against a monetary penalty notice imposed under the Privacy and Electronic Communications Regulations 2003. It raises a simple point: when does time start to run on the duty to notify a personal data breach within 24 hours of detection of that breach? The TalkTalk view was that the duty arose only after it had completed its investigation of the alleged breach. The ICO view was that, on the facts, the duty arose within hours, and certainly no more than a few days, after the TalkTalk customer gave TalkTalk details of the breach.

Facts

On 16 November 2015, one TalkTalk customer (A) accidentally obtained unauthorised access to the personal data of another customer (B) and was able to see online B’s name, address, telephone numbers, email addresses and date of birth. This occurred due to a problem with one of TalkTalk’s password mechanisms. This was a personal data breach under the PECR. A told B about this and B notified TalkTalk of the personal data breach by telephone immediately and then, on 18 November, wrote a detailed letter to TalkTalk and raised the matter with the Information Commissioner.

On 20 November, the Commissioner wrote to TalkTalk about the personal data breach, enclosing B’s letter of 18 November. TalkTalk acknowledged that letter by email on 20 November, via its Information Security Officer, Mike Rabbitt. On 27 November, Mr Rabbitt emailed the Commissioner to say that the incident was being investigated and that the Commissioner would be notified if TalkTalk concluded that a personal data breach had occurred. TalkTalk provided the requisite notification to the Commissioner on 1 December 2015.

The Commissioner then asked TalkTalk to explain why the personal data breach had not been reported within the 24-hour period stipulated by the Notification Regulation. The Commissioner took the view that the personal data breach should have been notified within 24 hours of the receipt of the customer’s letter of 18 November or, at the latest, within 24 hours of the Commissioner’s letter of 20 November. In an email on 3 December, Mr Rabbitt explained on behalf of TalkTalk that this was because ‘the incident had not been reported to either the Information Security or Fraud team’.

Law

The key issue in dispute turns on the interpretation of Commission Regulation 611/2013 (the Notification Regulation), Article 2(2), which addresses the timing of the obligation to notify the Commissioner:

The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible. The provider shall include in its notification to the competent national authority the information set out in Annex I. Detection of a personal data breach shall be deemed to have taken place when the provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification as required under this Regulation.

Recital 8 to the Notification Regulation deals with the meaning of ‘detection’:

Neither a simple suspicion that a personal data breach has occurred, nor a simple detection of an incident without sufficient information being available, despite a provider’s best efforts to this end, suffices to consider that a personal data breach has been detected for the purposes of this Regulation. Particular regard should be had in this connection to the availability of the information [required to be given in a detailed notification].

As the judgment puts it: ‘The sole issue in dispute in this case is when TalkTalk could rightly be said to have ‘detected’ the personal data breach or to have acquired ‘sufficient awareness’ of the breach.’

Submissions

TalkTalk’s principal contention in the case was that they only ‘detected’ or acquired sufficient awareness of the personal data breach after they had concluded their own investigation into the issues raised by the customer. That investigation was designed to confirm that a personal data breach had in fact occurred and also to establish how it had occurred with a view to taking remedial action. Their investigation concluded on 30 November, so notification on 1 December would, on their view, be within the 24-hour time limit. TalkTalk also submitted that it was standard industry practice for a customer’s complaint of a possible personal data breach to be investigated and confirmed before the Commissioner was notified, and suggested that the Commissioner was aware of this practice and implicitly condoned it. It would be impractical, said TalkTalk, for a company with 4 million customers to notify following every complaint.

The ICO countered by pointing out that the customer’s original notification was detailed and gave rise to sufficient awareness: ‘detection’ was not ‘conclusive confirmation’. The Notification Regulation specifically provided for multi-stage reporting in Article 2(3), and the basic information required for a notification could have been provided following the customer’s letter.

Conclusions

The Tribunal dismissed the appeal for the following reasons:

· The level of detail in the customer’s letter of 18 November led to the inevitable conclusion that there was no explanation for what had occurred other than that there had been a personal data breach.

· TalkTalk’s representatives were not able to suggest any credible alternative scenario, apart from a personal data breach, that would explain the contents of the customer’s letter of 18 November.

· TalkTalk therefore had sufficient awareness of the breach, and a personal data breach had been detected, upon receipt of the customer’s letter of 18 November. The Tribunal strongly suspected that TalkTalk in fact had sufficient awareness of the breach when the customer telephoned on 16 November, but were hampered in reaching any conclusion on this point by the failure of TalkTalk to provide any details of that initial complaint.

· The Regulations made no specific provision for time to conduct an investigation by a service provider, beyond permitting a strictly time-limited staged notification process in certain circumstances. The Tribunal considered that to ‘read in’ a requirement that there should always be a period of investigation before notification risked undermining the strict time limits in the Regulations, as there was no specific provision for investigations and consequently no express time limit on the conduct of such an investigation.

· The Tribunal agreed with the Commissioner’s submissions that all the initial information that had to be provided was available to the company from the customer’s letter of 18 November, and that none of the information eventually provided appeared to derive from any subsequent investigation.

· The Tribunal distinguished the facts of this case, where the customer had provided considerable detail of circumstances that could only be explained by a personal data breach, from the situation where a customer made a generalised complaint of a suspected personal data breach: for example, a complaint about junk mail which alluded to the recipient being a TalkTalk customer. In the latter case an investigation may well be required before a personal data breach is detected. Given this distinction, and given TalkTalk’s own submission that the complaints received about potential personal data breaches amounted to about 50 per month, the Tribunal were unimpressed by the contention that holding that ‘sufficient awareness’ in this case arose from the customer’s letter would place an unreasonable burden on service providers.

· The Tribunal did not accept that the Commissioner had allowed a practice to arise whereby service providers only notified after an investigation, and noted that no evidence to this effect had been provided.

Comment

The key lesson must surely be that procedures cannot be applied blindly. A supplier needs to apply some thought to the timing of notification. Each case will require a slightly different approach.

A tough lesson for robots to learn but one that should be well within the compass of an information security manager.