In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case.
Review intra-group data processing arrangements
The ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that:
At the relevant time, Equifax did not have an adequate data processing agreement in place with Equifax Inc. In particular, the ICO highlighted that the intra-group contractual arrangements in place at the time had failed to include appropriate security measures or to incorporate the correct standard contractual clauses for ex-EEA data transfers.
Despite having contractual permission, Equifax did not audit and carry out checks on Equifax Inc to ensure it complied with relevant security checks.
Equifax did not undertake adequate risk assessments of the security arrangements put in place by Equifax Inc before transferring data to it and/or following the transfer.
Equifax UK allowed personal data to remain on a system based overseas without having an identified lawful purpose for continued processing (the processes for keeping track of personal information were deficient).
This case is therefore highly instructive in context of intra-group controller-processor relationships. Historically, organisations have tended to see these as lower-risk and so have often adopted a lighter-touch approach towards data processing agreements, international transfer arrangements and security measures. The Equifax decision underscores the risks of taking this approach; organisations should still take care to ensure intra-group data processing agreements contain the correct provisions and that the controller entity is holding the processor entity to proper account (for example by regularly reviewing the security measures used by the processor).
Put security policies into practice
The ICO highlighted a plethora of data security failings in this case, including inadequate encryption, failure to address known IT vulnerabilities, not having fully up-to-date software, and failure to undertake adequate system scans. The hack itself happened because Equifax Inc failed to identify a particular system in its estate which was subject to a known, high risk vulnerability – in other words, it set out to do the necessary patching, but simply didn’t know enough about its own systems to spot all those which needed the patch.
Of particular note, though, is the fact that Equifax appeared not to have been following its own security standards: the ICO observed that Equifax appeared to have been storing individuals’ passwords in plaintext form or must otherwise have been able to determine what those passwords were, despite the company’s own cryptography standards specifically requiring that passwords were to be stored in encrypted, hashed, masked, tokenised or other approved form.The lesson here is that having the right policies in place is only half the equation; ensuring they are followed in practice is just as important.
Don’t keep it if you don’t need it
The ICO gave considerable weight to deficiencies in the company’s data retention procedures, as Equifax had failed to identify a purpose and lawful basis for processing certain datasets compromised in the breach. The ICO concluded that absent any lawful purpose to process this data, it was not necessary to keep it; Equifax should have properly ascertained the purpose and legal basis for continuing to store that data and failing that, the data should have been deleted. In addition, Equifax had not taken adequate steps to ensure that UK datasets were deleted from its US parent’s systems once no longer needed.
This highlights the importance of a well-considered retention strategy and of proactively considering (and documenting) the purpose and legal basis for continued data storage or processing – including in an intra-group context. Organisations under investigation following a security incident will have a considerably more difficult battle to fight if they are unable to explain to regulators why they continued holding the compromised data in the first place. While the Equifax fine was issued under the pre-GDPR rules, we can expect this issue to become more important still in the GDPR world, given the new obligations to maintain records of processing and the general principle of accountability which permeates the GDPR.
Consider the risks inherent in your business
The ICO stressed that:
Equifax, as a major credit reference agency, held large volumes of data on large numbers of individuals, with a potentially serious risk of harm to those individuals if that data were compromised. It was “big enough to know better”, especially since its business is in effect the monetisation of data.
In addition, the ICO noted that in many cases the individuals whose data was compromised would not have been aware that Equifax was processing their data, and that learning of the breach out of the blue was likely to have caused them particular distress.
This was further compounded by the fact that the loss of their data by a credit rating agency was particularly likely to cause individuals distress because of the nature of its business. The ICO noted that affected individuals would be likely to fear (rightly or wrongly) that their credit rating may be adversely affected as a result of the misuse of the compromised data.
These all appear to have been key factors in the ICO’s finding that the contraventions at issue were likely to cause substantial damage or substantial distress.
Mitigating factors may not carry much weight
The ICO noted that a number of mitigating factors were at play in this instance. In particular, the ICO observed that:
the majority of the data affected was not highly sensitive in terms of impact
both Equifax and the affected data subjects were victims of malicious actions of a third party
despite it being quite some time after the breach itself occurred, Equifax reported it promptly to the ICO after learning of it from Equifax Inc
Equifax took steps to minimise consequences by engaging specialist IT security experts to manage the breach, offering free credit monitoring services to data subjects affected and working with regulators in US, UK and Canada
Equifax implemented measures to prevent recurrence following the incident.
However, the ICO was clearly not minded to reduce the level of the fine as a result. What seems clear is that the ICO is likely to view any corrective actions taken by the controller in the context of the number and severity of the controller’s contraventions. Where those contraventions are serious and/or multiple, other factors in mitigation may have little impact in reducing the fine, and here the ICO awarded the maximum available under the old law. What is not yet clear is whether equivalent facts under GDPR are likely to lead to a fine which is even close to the considerably greater “new” maximum.