31. The ICO set out reporting requirements following data breaches in his supplementary written evidence. Under the Data Protection Act (DPA), there is no general obligation to report data breaches to the ICO, but the ICO would expect serious breaches to be reported. Under the Privacy and Electronic Communications Regulations 2003 (PECR), telecoms companies and ISPs must notify the ICO of personal data breaches, and in some cases, also inform individual users and subscribers. Under the EU General Data Protection Regulation (EU GDPR), agreed in December 2015 and due to be implemented by 2018, the obligation to report and inform following a data breach will be widened. The European Commission said “companies and organisations must notify the national supervisory authority [in the case of the UK, the ICO] of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures.”
32. In the evidence given to the Committee, a clear tension emerged between the need to inform the police, who may wish to keep details about the attack restricted to allow criminal investigation, and the duty to inform those affected. We note the evidence given by TechUK cautioning that emailing consumers after a breach may expose them to tailored ‘phishing’ attempts. As Dido Harding said, on the day following the initial cyber-attack:
The advice we received from the Metropolitan Police was not to tell our customers. I totally understand why the police wanted us to stay quiet, because they have a different objective. They want to catch the criminals. We had some constructive discussion with them … on how to marry the conflicting objectives of a company wanting to look after their customers and the police force rightly wanting to catch the criminals.
33. We welcome the close collaboration that TalkTalk established with the Metropolitan Police immediately after the October 2015 cyber-attack. We recognise that the TalkTalk Board decided to notify all customers potentially affected, and subsequently established that the number actually affected was much smaller. However, the tension between police investigation priorities and informing those affected may be further complicated by situations where it may take weeks or months from finding evidence of a possible breach (e.g. customers being contacted by fraudsters) to finding the source of the breach (in the organisation or its supply chain). The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform those affected in an appropriate way, in order to strike the best possible balance between protecting information that is sensitive to police investigations and recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisations, not just telecommunications companies and ISPs.
17 June 2016