Communications service providers who fail to report personal data breaches to the Information Commissioner (IC) within 24 hours can be hit hard in the pocket. Exactly that happened to a mobile phone company which waited almost two weeks before informing the IC of a detailed complaint it had received from a customer.
Due to a failure in the company’s password mechanism, the name, address, phone numbers, email addresses and date of birth of one customer had been viewed by another. The customer wrote to the company giving precise details of what had happened. The complaint was logged, but nearly a fortnight passed before the IC was notified. In those circumstances, the company was issued with a monetary penalty for failing to meet the 24-hour notification deadline imposed under the Privacy and Electronic Communications (EC Directive) Regulations 2003.
In challenging the decision before the First-tier Tribunal (FTT), the company argued that it was standard industry practice to delay reporting such incidents until after the occurrence of a data breach had been confirmed by an internal investigation. The company had some four million customers and submitted that it would face an impractical burden if it had to report every complaint within 24 hours.
In dismissing the appeal, however, the FTT rejected the argument that the IC had implicitly condoned the practice of reporting incidents only after an internal investigation. The customer had given a detailed account of what had happened in her letter and, at that point, the company was sufficiently aware that a data breach had occurred for the 24-hour time limit to be triggered.