Telecoms service provider TalkTalk has lost an appeal against it for a £1,000 fixed penalty after the Information Commissioner’s office (ICO) ruled it had failed to report a personal data breach within the required 24 hours’ notice period.

On 17 February 2016, the ICO sent a Notice of Intent to issue a fixed monetary penalty for TalkTalk’s failure to notify the Commissioner of a personal data breach within 24 hours of notification from a third party, which they are obliged to do so under the Privacy and Electronic Communications Regulation (PECR).

TalkTalk had been alerted to the data breach upon receiving a detailed account of what had happened by a customer. Having received this information TalkTalk conducted an investigation. TalkTalk says that it was usual practice to notify the Commissioner 24 hours from the conclusion of the investigation and not within 24 hours of the receipt of the complaint. The hack which affected 175,00 customers in 2015 was deemed to have been handled too slowly by the ICO.

Information tribunal judge Angus Hamilton said in his written judgement, “The sole issue in dispute in this case is when TalkTalk could rightly be said to have ‘detected’ the personal data breach or to have acquired ‘sufficient awareness’ of the breach.”

The Tribunal concluded that TalkTalk had more than ‘sufficient awareness’ of the breach at the time they received the customer’s letter. Companies subject to the ICO’s jurisdiction may draw a lesson from the Commissioner’s actions and make sure to promptly apprise the ICO of breaches of which they are aware.