Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that a recent information rights tribunal decision (10-page / 151KB PDF) in a case involving internet service provider TalkTalk provides clues as to how regulators will view compliance with data breach notification deadlines under the new General Data Protection Regulation (GDPR). The GDPR will apply from 25 May 2018.
"Although the case is relevant to data breach notification rules under the existing e-Privacy framework and not the GDPR itself, it is likely that the ICO will adopt the same approach to notification under the GDPR as it did in this case," Wynn said.
"The ruling shows that the ICO's expectation, which it received support from the tribunal for, is that data breaches should be reported to it as soon as they are detected and not necessarily after an internal investigation has been completed into the incident. In that case businesses should be prepared to follow up an initial notification with further reports to the watchdog providing more details once they are available," she said.
In the TalkTalk case, the information rights tribunal upheld a decision by the UK's Information Commissioner's Office (ICO) in which the watchdog fined TalkTalk £1,000 for failing to notify it of a personal data breach within 24 hours after the detection of that breach.
Under e-Privacy rules, electronic communication service providers are obliged to report personal data breaches to national regulators within 24 hours of detecting the breach where it is feasible for them to do so.
The information rights tribunal ruled that TalkTalk was obliged to report the data breach it suffered within 24 hours of receiving a letter from a customer who complained that he had accidentally obtained unauthorised access to the personal data of another customer on the internet.
The customer sent the letter on 18 November 2015, but TalkTalk did not report the breach to the ICO until 1 December. TalkTalk said that it had nonetheless met its data breach reporting obligations, because its notification to the ICO came within 24 hours of the conclusion of its internal investigation into the customer complaint.
TalkTalk claimed that its approach to data breach notification, in investigating the customer complaint to determine whether a personal data breach had in fact occurred, was "standard industry practice", according to the ruling. The company suggested that the ICO "was aware of this practice and implicitly condoned it", the ruling said. It also raised the fact that the breach had not been corroborated by any of its other customers at the time it received the customer complaint letter.
The ICO had said that TalkTalk should have recognised that a breach had occurred because the complaint "provided a detailed account of exactly what had happened" and because the customer "provided supporting evidence to corroborate that account". The watchdog said that the e-Privacy rules provide for "a multi stage reporting approach" to data breach notification and that the rules did not require internal investigations to be complete before notification obligations arise.
The ICO also took issue with the way in which TalkTalk appeared to handle the incident reported to it by the customer.
According to the ruling, TalkTalk's information security officer had initially told the ICO that the company's delay in notifying the breach arose because the incident had not been reported to either TalkTalk's information security or fraud teams. The ICO said this showed "a level of disorganisation rather than diligence in relation to the handling of the customer's complaint", the ruling said. The ICO also said TalkTalk had failed to demonstrate what steps it had taken to investigate the complaint it had received.
The information rights tribunal said that "the level of detail in the customer’s letter" meant that "there was no other explanation for what had occurred other than that there had been a personal data breach". It said TalkTalk was sufficiently aware of the breach as a result of the letter.
The tribunal also said that the data breach notification rules under the e-Privacy framework make "no specific provision for investigations and consequently [set] no express time limit on the conduct of such an investigation". It said TalkTalk was able to meet its reporting obligations on 18 November last year as a result of the information contained in the customer's complaint letter. It said "none of the provided information appeared to derive from any subsequent investigation".
The tribunal said, however, that data breach notification obligations may not be triggered in other cases where customers only make "a generalised complaint of a suspected personal data breach". In those cases, it said, an internal investigation may first need to be carried out to determine whether such a breach has occurred.
Wynn said the ruling should remind businesses of the importance of documenting the steps they take to investigate apparent data breaches.
"It is noteworthy that the ICO looked into why TalkTalk had failed to report in time and discovered faults with internal reporting channels," Wynn said. "Under the GDPR, organisations need to have an audit trail evidencing any reasons for delay in meeting the specified deadlines for notification, particularly since the potential level of penalties for non-compliance will be far greater than under the existing e-Privacy framework."
Under the GDPR data controllers are generally required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
A higher threshold for notifying affected members of the public of data breaches will apply under the GDPR. Data breaches must be "likely to result in a high risk to the rights and freedoms of natural persons" before notification would be required, but there are further conditions set out in the legislation to restrict the circumstances in which notification would need to be made.
If data controllers have applied "appropriate technical and organisational protection measures" to the personal data affected by a breach then they would not have to notify data subjects about those incidents. This includes cases, for example, where encryption has been applied to data to render it "unintelligible to any person who is not authorised to access it", according to the GDPR.
Alternatively, if data controllers take action after a breach to "ensure that the high risk to the rights and freedoms of data subjects … is no longer likely to materialise" then notification of those incidents to data subjects would not be mandatory.
When the threshold for notification to data subjects is triggered, notification must be made by data controllers without undue delay.