With this document you can:

This box is not visible in the printed version.

Notification of information security breaches

You must tell us about any security breach to your environment that could harm the confidentiality of customer data.

Published: 1 March 2022

Last updated: 1 March 2022

This version was printed or saved on: 8 December 2023

Online version: https://www.gamblingcommission.gov.uk/licensees-and-businesses/guide/notification-of-information-security-breaches

Overview: You must tell us about any security breach to your environment that could harm the confidentiality of customer data or prevent the licensee’s customers, staff, or legitimate users from accessing accounts for longer than 12 hours.

We use the information you report to monitor ongoing compliance and evaluate risk across the industry. If themes emerge that may be valuable to share (such as specific attacks targeting a number of businesses) this may be fed back to help you deal with emerging threats.

LCCP Licence Condition 15.2.1 (paragraph 16)

This guidance relates to LCCP Licence Condition 15.2.1. This licence condition applies to all operators and would include an information security breach for any operator who holds electronic records of customer information or gambling transactions.

Types of incidents

These are some common examples of incidents which may impact on the confidentiality of customer data or the availability of accounts:

When to report information security breaches

Minor incidents should not necessarily be reported. You can decide whether the severity of an incident means it should be reported. You should record and keep your evidence as to how the decision to report or not report was made by the appropriate PML (or in the case of a small scale operator the appropriate ‘qualified person’).

The Information Commissioner’s Office (ICO) provides guidance on when security breaches involving personal data should be reported to them and this should be considered when making a decision to report (both to the ICO and to us). The key considerations are:

As a general rule, if a large volume of customer data has been affected, this should be reported. If a low volume has been affected but there is the potential for serious detriment or the data is highly sensitive, this should also be reported. Consideration should also be given to notifying affected customers where warranted. Refer again to the ICO guidance in this area.

The ICO is primarily interested in breaches of personal information, our interest has a wider remit such as unavailability of customer accounts for more than 24 hours or the loss, corruption or unauthorised modification of other critical gambling records such as player account balances, prizes or gambling transaction records.

Which details to provide

You should provide sufficient information to describe the incident that has occurred, the severity of the incident and the volume of data affected.

Consider the following when submitting a report:

How to notify us of an information security breach

Information security breaches are Key Events and must be reported as soon as reasonably practicable and in any event within five working days of the licensee becoming aware of the event’s occurrence.

Our guidance on Key Events: Customer data security breach provides further information on submitting this key event.