So the question is when do you press the red BREACH button?
- Is it when you first become aware a personal data breach could have occurred?
- Is it when you are sure that a personal data breach has occurred which triggers an investigation,
- or is it on conclusion of this investigation?
Booking.com decided on option 3.
Booking.com have been fined €475k because of this. They did report the breach but what is significant about this fine is that a minor incident reported by a customer of a hotel was dismissed on 9 Jan, then a second identical report from another customer of the same hotel triggered an investigation on 13 Jan. However, the report of the breach was not until 7 Feb, 3 days after the internal security investigation was concluded. The fine is because booking.com should -according to the Dutch DPA- have reported the breach on the 13 Jan.
In fact it is common practice, to not report the breach until one is sure there has been a breach, and sometimes even the circumstances of the breach. This case shows that this is not an advisable route.