The travel insurance company Staysure has told 93,000 of its customers that their credit card details may have been stolen by hackers. While most of the stolen details were encrypted, the CVV or 'security code' was not.
News reports suggest that Staysure wrote to affected customers just over a month after becoming aware of the security breach and that there has been some customer criticism of the delay.
Sir Alan Beith MP, Chair of the House of Commons Justice Select Committee, which is responsible for supervision of the Information Commissioner's Office (ICO), said that "customers are entitled to be informed as soon as a company knows and that should be much clearer".
Other than for specific sectors such as telecoms, there is currently no mandatory requirement to notify either the ICO or affected customers of a data security breach, although ICO Guidance is that serious breaches of data security should be reported at an early stage, both to the ICO itself and to the affected data subjects. Whether a breach is 'serious' is determined by the degree of potential detriment to the data subjects, the volume of data lost and the sensitivity of that data.
The draft EU Data Protection Regulation, which is intended to reform current data protection law, does include a general data breach reporting requirement. The latest 'compromise text' of the Regulation proposes an obligation to report 'without undue delay', which is less strict than the previous proposal of 24 hours.