[BreachExchange] Dublin Circuit Court confirms €450,000 fine for Twitter delay in reporting data breach

[Terrell Byrd]

https://www.jurist.org/news/2021/10/dublin-circuit-court-confirms-e450000-fine-for-twitter-delay-in-reporting-data-breach/

The Dublin Circuit Court (DCC) on Monday confirmed the Irish Data
Protection Commission (DPC) decision to fine Twitter €450,000 for its delay
in reporting a data breach.

The fine, imposed in 2020, was implemented when Twitter failed to report a
General Data Protection Regulation (GDPR) data breach in enough time. The
breach related to Android users who had changed their settings to make
tweets private and could have had their data exposed due to a bug.

It was found that the delay in reporting this breach infringed Article 33
(1)(5)  of the GDPR. Article 33(1) requires the “controller” to report any
personal data breaches within 72 hours of becoming aware of the breach.
Article 33(5) further states that the controller must report personal data
breaches.

The inquiry, which began in January 2019, found that Twitter failed to
notify the breach and adequately document it. The fine imposed by the DPC
was to act as a deterrent to further breaches of GDPR.

The DCC confirmed the legitimacy of the fine, in line with section 143 of
the Data Protection Act 2018. This case was one of the first media giants
to go through the Article 65 dispute resolution process since the
introduction of the European Data Protection Board published decision.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211020/794357bc/attachment.html>