Talk Talk, in response to the recent revelations about the compromising of the data of up to four million of its customers, says rather boldly
Has TalkTalk breached the Data Protection Act?
No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months.
And it got me to wondering how well this rather novel approach could be extended in other legal areas.
The defendant, a Mr Talk Talk, was travelling at a speed of ninety-four miles per hour, and had consumed the equivalent of two bottles of gin. However, as the other driver involved in the collision had failed to renew his motor insurance we find that the defendant was evidently merely the victim of a crime, and my client could not, as a matter of law, have broken speeding and drink driving laws.
Furthermore, although the defendant later viciously kicked an elderly bystander in a motiveless attack, he cannot be guilty of an assault because the pensioner was recently convicted of watching television without a licence.
And finally, although my client picked up a police officer and threw him into a duck pond, the fact that the said officer once forgot to pay for a milky way in the staff canteen provides an absolute defence to the charge of obstructing a police officer in the line of duty.
Let’s see how well Talk Talk’s defence washes with the ICO.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 
Definitely a non sequitur!
A similar non sequitur arises in some (not all, I hasten to add) of the commentary / Tweets on this issue, which seem to be close to saying that, by virtue of the hackers obtaining personal data, TalkTalk has breached Principle 7 (and possibly others). There *might* be a breach, but this is, of course, not the relevant test for determining that. If TalkTalk had in place appropriate protection, proportionate to the foreseeable risks, there is no Principle 7 breach, even if personal data has been obtained by the hackers.
Saying they have not broken the DPA is a piss poor excuse. The ICO fined Sony after the “Hack”. Hacking and gaining access to PII, etc. is illegal. Many ICO investigations are the result of somebody hacking something, and PII being stolen. Principal 7 has been broken. Do Talk Talk really think they can hide behind this? Do they really think the ICO should filter out any activities that were a “hack” and hence criminal activity, and ignore them?
As much as I agree with you in general, I don’t think it is possible yet to say with certainty that the seventh principle has been contravened.
One of the reports I heard stated that TalkTalk had created 4 million accounts with the credit reference industry for their affected customers. Is it known if that is accurate and was anybody paid by the credit reference industry for those accounts. (Because of the heavy media coverage many people are likely to access those accounts and update their financial information.) Question must also arise out of any data matching during the creation of those accounts.
If some financial gain was garnered out of the creation of those accounts, and whilst personally not against enterprises attempting to offset the costs of security breaches, if such a thing has happened it would be completely wrong for an organisation to be able to take advantage of people who have been disadvantaged by that organisations inadequate security. If such a situation were to develop or become accepted, I would suspect less attention to be paid to security and more to damage limitation.
Is anybody able to authoritatively comment on the real situation in respect of that issue?
Those are all flawed analogies though. Surely the correct analogy is to a self-storage centre that fails to install any security system then says it’s not their fault that their customers’ property is stolen because the stealing was itself a criminal act.
You’re right, of course, but I’d hope you’d recognise I was being light heartedly imprecise to make a point.