72 Hours
Friday 8 May 2026, 16:10 (Dublin time). The statutory 72-hour clock under Art 33 is a machine. It does not care whether you have the full forensic picture. It does not care whether the CFO agrees. It runs from the moment you become reasonably aware that a personal-data breach has occurred.
Three decisions. One clock. Five hundred lives' worth of data on the line.
- Apply the 'becoming aware' threshold under Art 33 + EDPB 9/2022 guidance.
- Execute phased Art 33(4) notification under pressure without sacrificing defensibility.
- Resolve the ransom-payment and Art 34 customer-notification calculus.
The Laptop
You look at the clock. 16:10. DPC/IMI portal is open through the weekend. The 72-hour clock runs in real time, not business hours. Fran pings your phone. Marcus pings your phone. Imran hasn't left.
A Magecart-class actor compromised a third-party VPN credential at Quilltree Remote Access, a small Dublin-based contractor managing the support platform maintenance window. The same fact pattern that led to the Meta Ireland decision has repeatedly cost controllers nine-figure fines. The statutory clock starts at the moment you become aware. Imran's 60% confidence number is already enough.
Alerts — Last 24 Hours
12 alerts arrived in the last 24 hours. Sort each into In scope of breach / Out of scope / Needs more info. Your categorisation drives Imran's forensic prioritisation.
Becoming Aware
Fran is on your desk phone: "Let forensics finish. If we file and we were wrong, we've just told the market the platform is unsafe."
Marcus is on Teams: "Aisha — call it."
Question: When does the Art 33 clock start?
The Clock Runs
You've applied the Art 33 72-hour clock correctly against the 'becoming aware' threshold as codified in EDPB 9/2022.
You've also protected Cerulith's later defensibility — in BA and Marriott the DPC treated notification delay as an aggravating factor under Art 83(2)(a). Starting the clock timely is a mitigation that lives through the whole investigation.
- Art 33(1) — not later than 72 hours after becoming aware. Awareness is reasonable certainty, not forensic certainty.
- Art 33(4) — where possible, information may be provided in phases. You can update.
- H&M Hamburg €35.3M specifically criticised late scoping decisions.
The Internal Clock
Legally tenable — Art 33(1) does not require immediate filing, only filing within 72 hours — but it narrows your margin. If Saturday's forensic window slips, or a new surprise adds to scope, you have less runway to file by Monday 16:10.
- Defensible, but risk-loaded. Experienced DPOs file early, update often.
- The Art 33(4) phased provision is there to be used.
The Deferred Start
Awareness under EDPB 9/2022 does not require forensic certainty. Imran's 60% confidence, the credential anomaly and the egress volume together meet 'reasonable certainty'.
In Marriott the DPC accepted that full certainty is rare — delayed filing did not help the fine calculation.
- Notification delay is an aggravating factor under Art 83(2)(a) (nature/gravity/duration) and (b) (intent/negligence).
- The refusal becomes Exhibit A2 in Module 6.
Saturday 07:04
Imran calls at 07:04. Forensics is closed. 428,302 records confirmed exfiltrated. Of which:
- 39,241 contain Art 9 health data (blood pressure, adverse events, treatment logs).
- 4,112 contain payment details (last 4 + expiry; CVVs never stored).
- 14,802 EU-resident users (triggering Irish DPC lead-SA considerations).
- 118 VIP users flagged under a previous customer-support escalation process — including one Paralympian on the Paralympic IE federation contract.
Clock at T-57h. High-risk to data subjects confirmed (Art 34 engages). DPC/IMI portal has a phased-submission option. Irish DPC has a parallel intake — lead-SA routing means one lead with concerned authorities, not two duplicate filings.
The DPC Portal
Imran's report is drafted. Categories are clear. Numbers will firm up but are unlikely to grow materially. Fran has calmed. Marcus is ready.
Question: How do you notify the ICO?
The Phased Filing
Art 33(4) phased notification is the path regulators expect for fast-moving incidents. The DPC has stated publicly (post-BA and post-Capita) that they would rather receive an honest initial notification they can update, than a late 'complete' one.
- Art 33(4) — phased notification is explicit and commonly used.
- Amazon €746M and the broader EU enforcement line treat phased, early filing as mitigating — late "complete" filing is the aggravator.
- BA and Marriott both treated early, transparent notification as mitigating.
The Minimal Filing
You've filed on time — good — but withholding category/number estimates when you have them fails Art 33(3)(a)/(b). The Article expects 'approximate numbers' and 'categories and approximate numbers of records' where possible. The DPC will treat this as substantively incomplete and open an information-notice thread early.
- Procedurally on-time. Substantively thin.
- Better than delay. Worse than phased-with-ranges.
The Monday Deadline
Filing close to the deadline with a 'complete' report is a pattern criticised in every DPC decision on breach notification in the last five years.
Even if the filing is technically within 72 hours, the DPC reads the choice as prioritising presentation over transparency. Aggravating under Art 83(2)(b) (intent/negligence) and (f) (cooperation).
- Art 33(4) exists specifically to prevent this pattern.
- H&M Hamburg €35.3M includes criticism of a similar delayed 'comprehensive' approach.
Sunday 22:15
Ransom note received via a contact-us form address. $2.4M in BTC. 48-hour publish threat. The attackers' name: Quilldark.
Fran's position hardens: "Pay it. Containment. No public notification. Attackers go away, we rebuild, board never hears about it."
You check OFSI / OFAC guidance. Quilldark is a known cluster — no current sanctions listing, but one allied cluster was listed in March 2026. Clock at T-18h. Art 34 is engaged — the question is how.
The Call Home
By tomorrow 16:10 you owe Marcus a board-briefed decision. Three postures. One the CFO wants. One the DPC expects. One is the compromise that looks sensible until someone is hospitalised.
Question: How do you handle the ransom and Art 34 notification?
The Notification
Art 34 requires clear, plain-language communication 'without undue delay' where the breach is likely to result in a high risk. Health data with exfiltration confirmation is high risk by default. Refusing the ransom aligns with UK NCSC-IE and ENISA published guidance and preserves a cleaner regulatory posture.
The Generic Email
A generic notification meets the technical Art 34 duty but falls short of 'plain language' and specific-consequences requirements for Art 9 health data exfiltration. The DPC has criticised generic notifications in Capita — customers who didn't know their health data specifically was affected could not take informed steps.
- Art 34(2) requires description of likely consequences, not platitudes.
- A generic notice invites complaints; complaints invite broader investigation.
The Quiet Payment
Non-notification is an Art 34 breach. 'Likely to result in high risk' is a legal test, not a business-risk test; exfil of Art 9 data on 428,302 people meets it.
When the payment becomes public — as it did in Uber 2018, and in every comparable case — the investigation widens. This decision becomes Exhibit B in Module 6, and moves the fine tier from Art 83(4) to Art 83(5).
- Art 34 is not subject to a business-risk exception.
- Art 83(2)(f) cooperation collapses once the payment becomes known.
The Weekend That Held
No ransom. Tailored Art 34. ICO cooperative.
The Weekend That Almost Held
Technically correct. Substantively thin.
The Payment That Got Out
OFSI referral. 4% tier. Fran departs.
What M2 Teaches
- Awareness is reasonable certainty, not forensic certainty. The clock does not care about weekend hours.
- Art 33(4) phased notification is the professional path. File early, update often.
- Art 34 requires specific plain-language communication on likely consequences — especially where Art 9 data is involved.
- Quiet ransom payment moves the fine tier from controller-duties (2%) to data-subject-rights (4%) and forfeits cooperation mitigation.
- Every choice taken under pressure becomes an exhibit in the investigation binder.
Next module: Two months from now, Priya Shah will demo Cerulith Clinic AI. Art 9 health data with automated triage. You will have six weeks to build a DPIA that Marcus does not want to hear about.
5 Questions
Five questions on Art 32-34, EDPB breach guidance, and the awareness threshold. Pass mark: 80%.
Module 2 Complete