TalkTalk loses appeal at Information Tribunal: No leeway in data breach notification

The Information Tribunal (The First Tier Tribunal) has dismissed TalkTalk’s appeal against the ICO’s decision to fine it £1,000 for a late data breach notification.

The ICO had, on 17 February 2016, sent a Notice of Intent to issue a fixed monetary penalty for Talk Talk’s failure to notify the Commissioner of a personal data breach within 24 hours even if it was feasible for the company to do so. TalkTalk, as a telecoms service provider, is obliged to notify under the Privacy and Electronic Communications Regulation (PECR).

TalkTalk had been alerted of a possible data breach by a customer. TalkTalk says it was the norm for notification to take place within 24 hours of  the  conclusion  of  an  investigation  and  not  within  24  hours  of  the  receipt  of  a  complaint, and that the ICO had implicitly condoned this practice. TalkTalk also said that it could not possibly react to every complaint of a suspected breach from a four million customer base in a manner to treat them as  an  established  breach. It is estimated that the company receives approximately 50 such complaints a month.

However, the ICO said that in this particular case, the customer provided a detailed account of exactly what had happened, had supporting evidence, and had discussed this with a TalkTalk employee. In the ICO’s view there was a level of disorganisation rather than diligence in relation to the handling of the customer’s complaint.  The ICO also said that TalkTalk had failed to produce any evidence as to what investigatory steps it had actually undertaken.

The Tribunal  ‘distinguished  the  facts  of  this  current  case  (where  the  customer  had  provided considerable  detail  of  circumstances  that  could  only  be  explained  by  a  personal  data  breach) from the situation where a customer made a generalised complaint of a suspected personal data breach – for example, a complaint about junk mail which alluded to the recipient being a TalkTalk customer’.

The Tribunal concluded that TalkTalk had sufficient awareness of the breach and that a  personal  data  breach  had  been  detected  upon  receipt  of  the  customer’s  letter.

See the decision of the Information Tribunal (The First Tier Tribunal, General Regulatory Chamber, Information Rights) on 30 August at http://www.informationtribunal.gov.uk/DBFiles/Decision/i1867/Talk%20Talk%20Telecom%20Group%20PLC%20EA-2016-0110%20(30-8-16).pdf