On 20th September the Information Commissioner issued Equifax Ltd with a £500,000 monetary penalty, the biggest fine it has issued to date, and the maximum allowed under the Data Protection Act 1998. Although half a million pounds might sound a significant amount of money, it represents a relatively modest amount compared to the fine the company might have received had the breach occurred 12 months later, under the GDPR regime.
In this blog we consider the incident and the actions of the parties, and we speculate on what type of sanctions the company could have faced under the GDPR.
Equifax Ltd is a major credit reference agency based in the UK. Since 2011 it has offered a product called the Equifax Identity Verifier (EIV) which enables clients to verify the identity of their customers online, over the telephone or in person. To verify an individual’s identity, the client enters that individual’s personal information on the Equifax system, which is then checked against other sources held by Equifax Ltd. Initially the EIV was processed by its US parent, Equifax Inc. Equifax Ltd in the UK was the data controller and Equifax Inc in the USA was the data processor. In 2016, Equifax Ltd transferred the data processing for the EIV product to the UK. This required the migration of the personal data to the UK. However, the US company did not then delete all the UK personal data from its system, which it should have done as it had no lawful reason for continuing to store this data.
The cyber-attack incidents
Equifax Inc was subject to a number of cyber-attacks between 13 May and 30 July 2017. During this period the attackers exploited a vulnerability in the US company’s online consumer-facing disputes portal. This enabled the attackers to access personal data of about 146 million individuals in the USA. Additionally, they were able to access the name and date of birth of up to 15 million UK individuals, contained in the EIV dataset. In addition, in respect of some 637,430 UK data subjects their telephone numbers and driving licence numbers were also compromised.
An additional data set (the GCS dataset) was also attacked and this allowed the hackers to access the email addresses of over 12,000 UK individuals. More significantly, for another 14,961 UK residents the compromised data was account information for Equifax’s credit services and included data subjects’ name, address, date of birth, user name, password (in plain text), secret question and answer (also in plain text), credit card number (obscured) and some payment amounts. This personal data was held in a plain text file, as opposed to the actual database. The storage of password data in plain text was contrary to the company’s Cryptography Standard which specifically required that passwords were to be stored in encrypted, hashed, masked, tokenised or other form. The file was held in a file share, which was accessible to multiple users.
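The contrast between the plain text file described above and what the Cryptography Standard demanded is easiest to see in code. The following is an added example, not code from Equifax or from the Monetary Penalty Notice; it assumes PBKDF2-HMAC-SHA256 as the password hashing scheme (the page does not say which algorithm the Standard specified) and uses a constructed account record. It hashes both the password and the secret answer, so that an exposed file share no longer exposes the credentials themselves, and includes a small compliance check that flags any record whose credential fields are still held in plain text.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumptions chosen for illustration.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"

# Constructed record in the shape the post describes: credentials in plain text.
INSECURE_RECORD = {
    "user_name": "jsmith",
    "password": "Summer2017!",
    "secret_question": "First pet's name?",
    "secret_answer": "  Fido ",
    "card_number": "**** **** **** 4242",  # already obscured, left as-is
}


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: scheme$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # plain text or an unknown scheme never verifies
    _, iterations, salt_b64, hash_b64 = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(hash_b64))


def normalise_answer(answer: str) -> str:
    """Secret answers are hashed too; fold case and whitespace first so 'Fido' == ' fido '."""
    return " ".join(answer.casefold().split())


def harden_record(record: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a copy of the record with credential fields replaced by hashes."""
    hardened = dict(record)
    hardened["password"] = hash_password(record["password"], iterations=iterations)
    hardened["secret_answer"] = hash_password(
        normalise_answer(record["secret_answer"]), iterations=iterations)
    return hardened


def record_is_compliant(record: dict) -> bool:
    """Audit check: every credential field must carry a recognised hash prefix."""
    return all(str(record.get(field, "")).startswith(SCHEME + "$")
               for field in ("password", "secret_answer"))


if __name__ == "__main__":
    safe = harden_record(INSECURE_RECORD)
    print("original compliant:", record_is_compliant(INSECURE_RECORD))
    print("hardened compliant:", record_is_compliant(safe))
    print("login ok:", verify_password("Summer2017!", safe["password"]))
    print("answer ok:", verify_password(normalise_answer("fido"), safe["secret_answer"]))
```

A file of `harden_record` output still leaks names, addresses and dates of birth if it is exposed, so hashing is only the part of the Standard that this example covers; access control on the file share and deletion of data no longer needed are separate controls the notice also addresses.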
In March 2017 Equifax Inc. received warning of the vulnerability of its Apache Struts 2 web application framework (which it used in its consumer-facing online disputes portal). The warning came from the US Department of Homeland Security Computer Emergency Readiness Team, which identified a critical level of vulnerability. The US company disseminated this warning to key personnel, but the consumer-facing portal was neither identified nor patched.
Equifax Inc. became aware of the cyber-attack on 29 July 2017, and then further aware that the data of UK individuals had been compromised by late August 2017. However, Equifax Inc failed to warn Equifax Ltd until late on 7 September 2017, at least a week after it became aware the UK personal data had been compromised.
Equifax Ltd notified the ICO on 8th September. In this respect, its behaviour would have met the strict breach notification requirements of the GDPR, which require a data controller to notify the Commissioner within 72 hours of becoming aware of the breach. Initially they reported that about 1.49 million individuals’ data had been lost. This was later revised upwards to 15 million data subjects. They also indicated, incorrectly, that the data accessed did not include residential addresses or financial information.
The Information Commissioner’s Findings
On the facts, the Information Commissioner decided that although the information systems in the USA were compromised, Equifax Ltd was the data controller responsible for the personal data of its UK customers. The Commissioner found that Equifax had failed to take appropriate steps to ensure its US parent, and data processor, was protecting the information. The Monetary Penalty Notice lists the various contraventions of the DPA 1998:
- Principles 5, 2 and 1
- Following the migration of the EIV dataset from the US to the UK, it was no longer necessary for the US company to keep any of the data. The data set had not been deleted in full and was kept longer than necessary.
- In relation to the GCS dataset stored on the US system, Equifax Ltd was not sufficiently aware of the purpose for which it was being processed until after the breach. In the absence of any lawful purpose the retention was unnecessary.
- The UK company failed to follow up or check that the data had been removed from the US systems, or to have an adequate process in place to check this was done.
- Principle 7
- Equifax had not undertaken an adequate risk assessment(s) of the security arrangements put in place by its data processor before transferring the data to it or following the transfer.
- The Data Processing Agreement between Equifax Ltd and Equifax Inc was inadequate and failed to provide appropriate safeguards, security safeguards or the standard clauses.
- Equifax Ltd had failed to ensure adequate security measures were in place. The Commissioner identified numerous examples of the inadequacy of the safeguards that were in place, including the lack of encryption; the use of plain text data, allowing multiple users to have access to plain text files; failing to address IT vulnerabilities; having out-of-date software; and failing to undertake sufficient and regular system scans.
- Poor communications between the UK and US companies particularly in relation to the US company’s delay in making the data controller aware of the breach.
- Principle 8
- The Data Processing Agreement between Equifax UK and Equifax Inc was inadequate in that it failed to incorporate the standard contractual clauses as a separate agreement and/or to provide appropriate safeguards for data transfers outside the EEA.
- There was therefore a lack of a legal basis for the international transfer of this data.
Overall the Information Commissioner found multiple failures at Equifax Ltd, which led to personal information being kept longer than necessary and vulnerable to unauthorised access. Given the nature of the breaches, individuals were exposed to the risk of financial and identity fraud. The Commissioner concluded that the maximum financial penalty it could levy was proportionate in all the circumstances.
What difference would it make if this happened under the GDPR?
If the same breaches had occurred post May 25th then both Equifax Ltd and Equifax Inc. might find themselves in a substantially different situation.
The level of fine: The most obvious difference would be in relation to the level of fine that the ICO could impose. Under Article 83 GDPR the ICO can impose a fine of up to £17 million (20m Euro) or 4% of global turnover. Equifax Ltd is part of a global group that operates or has investments in over 24 countries. According to its 2016 Annual Report the Equifax Group’s global annual revenue for 2016 was $3,144.9 million. 4% of this is about $125 million. In 2016 the UK company, Equifax Ltd, recorded revenue of £114.6 million. This alone could lead to a fine of over £4.5 million.
Data Subjects’ rights to sue for damages: Although this is not a new right under the GDPR, the GDPR now expressly permits individuals to sue for both material (financial) and non-material damage, such as distress. In many respects this represents a bigger risk for companies such as Equifax which are processing data whose loss could cause significant harm to data subjects. Given the heightened awareness amongst the public of the GDPR, it is not difficult to anticipate that these types of high-volume breaches could result in class actions for compensation.
Breach Notification: Article 33 imposes a condition that data processors must notify data controllers ‘without undue delay’ if they become aware of a data breach. The delay on the part of the US company in informing the UK company would constitute a breach of Article 33.
Notifying Data Subjects: Under Article 34 GDPR the Data Controller has a duty to notify data subjects that their personal data has been breached, where the breach is likely to result in a high risk to their rights and freedoms. Equifax Ltd issued a press release on 7th October 2017 saying that it would ‘now begin writing to all impacted customers with immediate effect’. This again does not meet the requirement of notification ‘without undue delay’.
Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.