The TalkTalk data breach may have been branded a “car crash” by industry observers, but it has also been a wake-up call for thousands of companies that had never once considered they could be under threat.
The final bill for the breach could be as high as £60m but it is a fine of just £1,000 issued by the Information Commissioner’s Office which has really put the cat among the pigeons.
The ICO has yet to conclude its full investigation into the incident but in the early summer it slapped the company with the £1,000 fine for failing to notify the regulator of a personal data breach within 24 hours.
Although the news of the hack attack broke in October, the first sign of an actual breach came when a customer sent a letter to the company on November 18 informing them that he had been able to obtain unauthorised access to the personal data of another customer on the Internet. However, TalkTalk did not report the breach to the ICO until December 1 after it had concluded its own investigation.
Given the huge costs TalkTalk had already shouldered, it raised more than a few eyebrows by appealing against this minimal fine at the information rights tribunal.
It hired expensive barristers – who probably do not get out of bed for less than £5,000 an hour – to argue that the firm had met its data breach reporting obligations because it had notified the ICO within 24 hours of the conclusion of its own internal investigation. But the tribunal did not buy this argument and threw out the TalkTalk appeal.
So what does this mean for companies in a similar situation? According to data protection law specialist Kathryn Wynn of Pinsent Masons, it suggests that businesses in the UK should be prepared to make multiple notifications to the ICO in the event of a data breach. She claims the case provides clues as to how regulators will view compliance with data breach notification deadlines under the new General Data Protection Regulation (GDPR) or its UK equivalent.
Wynn said: “The ruling shows that the ICO’s expectation, which it received support from the tribunal for, is that data breaches should be reported to it as soon as they are detected and not necessarily after an internal investigation has been completed into the incident.
“In that case businesses should be prepared to follow up an initial notification with further reports to the watchdog providing more details once they are available,” she said.
Wynn said the ruling should remind businesses of the importance of documenting the steps they take to investigate suspected data breaches.
“It is noteworthy that the ICO looked into why TalkTalk had failed to report in time and discovered faults with internal reporting channels,” Wynn said. “Under the GDPR, organisations need to have an audit trail evidencing any reasons for delay in meeting the specified deadlines for notification, particularly since the potential level of penalties for non-compliance will be far greater than under the existing e-Privacy framework.”