In the first part of this two-part article we look at the facts and outcome of the recent Equifax data breach. In the second part we set out some lessons which can be learned from the ICO’s approach and findings.
On 19 September the UK data protection authority, the Information Commissioner’s Office (ICO), issued Equifax Ltd (Equifax) with a £500,000 fine, the highest it has issued to date, for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017.
The incident, which occurred between 13 May and 30 July 2017 in the US, affected 146 million customers globally. The personal information lost or compromised during the incident ranged from names and dates of birth to addresses, passwords, driving licence and financial details. The ICO’s investigation found that, although the systems compromised were in the US, the UK arm of the company failed to take appropriate steps to ensure its US parent Equifax Inc, which was processing the data on its behalf, was adequately protecting the information. The ICO, which carried out its investigation in parallel with the Financial Conduct Authority (FCA), identified multiple failures at the credit reference agency which led to personal information being retained for longer than necessary and vulnerable to unauthorised access. The outcome of the FCA investigation has not yet been made public.
The ICO investigation was carried out under the old Data Protection Act 1998 (DPA 1998), rather than the current GDPR, as the incident occurred before the new law came into force in May this year. The Equifax fine is the maximum allowed under the previous legislation. The ICO ultimately found that Equifax had contravened five out of eight data protection principles of the DPA 1998, including failing to keep personal data secure, poor retention practices, and inadequate intra-group data processing agreements and international transfer arrangements. This enforcement action therefore highlights some key areas that the ICO is likely to consider aggravating factors in the context of a data breach. In particular, it carries important learnings for controller-processor relationships and especially those which occur intra-group, which organisations have historically tended to see as lower-risk. It highlights the risk that a data breach can expose broader practices – such as retention policies – which then become part of the subject matter of enforcement action.
In the second part of this article we focus on key learnings from this case.