The recent introduction into UK law of the more stringent General Data Protection Regulation rules (GDPR) has certainly raised awareness of data protection and security. The Information Commissioner’s Office (ICO) has just announced a record fine in relation to a very serious breach that took place in 2017, which meant that the fine was imposed under the Data Protection Act 1998 rules rather than the new rules enshrined in the Data Protection Act 2018.
Whilst the new rules are certainly stronger than the previous ones and fines can now be up to €20m or 4% of total annual global turnover, it is likely that the general approach and principles used by the ICO in the Equifax fine would also be relied upon in calculating fines under the new rules.
Equifax is an international company which specialises in providing credit reference services. The relevant data processing arrangements were that Equifax Inc. in the US acted as a data processor, processing personal data on behalf of its UK company, Equifax Limited. A serious data breach occurred in the US between 13 May and 30 July 2017 which was later found to have affected 150m individuals, of whom approximately 15m lived in the UK. In most cases, the personal data compromised was just name and date of birth, but for approximately 15,000 UK individuals the compromised personal data also included usernames and passwords stored in plain text, partial credit card numbers and recent payment history – i.e. information likely to be of interest and benefit to criminals and potential fraudsters.
Equifax Inc. initially discovered the breach on 29 July 2017 but did not inform the UK company until 7 September 2017; Equifax Limited then promptly informed the ICO on 8 September 2017. The IT security investigation that took place after the breach was discovered found that:
- the breach was due to a known vulnerability in the Apache infrastructure used by Equifax Inc.;
- scans carried out by Equifax Inc. prior to the breach did not locate potential vulnerabilities in that part of the system that was later compromised.
Key points of the ICO investigation and decision
As a result of its investigation, the ICO concluded that Equifax Limited had breached 5 of the 8 key data protection principles underpinning the DPA 1998 and the most important failings included:
- failing to ensure that data relating to UK individuals was deleted from the US company’s servers after the function processing that data was transferred from the US to the UK;
- the UK company’s failure to check that UK personal data had in fact been deleted from the US system after the service was migrated to the UK;
- personal data had not been lawfully processed by Equifax Limited, since individuals were unaware that their usernames and passwords were being stored in plain text and so could not have given informed consent to that processing;
- the data processing agreement between the UK company and its US parent was insufficient: inadequate security safeguards were in place and the required contractual clauses were also missing;
- despite having the contractual right, the UK company failed to carry out audits in relation to the way personal data was being processed in the US;
- Equifax Limited had failed to ensure adequate security measures were in place, including the failure to encrypt all personal data, not adequately protecting passwords, failing to address known IT vulnerabilities, storing passwords in plain text, and inadequate communications between the UK and US companies evidenced by the US company taking over a month to notify Equifax Limited of the data breach.
The fine on Equifax Limited
The ICO had little problem in satisfying itself that the necessary conditions for issuing a fine under section 55A of the DPA 1998 had been met and in deciding to fine up to the maximum amount allowed, it found the following matters to be relevant:
- Equifax Limited had breached several data protection principles, which had been severe and systemic in nature;
- the breaches were particularly problematic given the nature of the UK company’s business, the high volume of personal data processed and the high number of data subjects involved;
- the security inadequacies appeared to have been in place for a long period of time without being discovered or remedied;
- the data breach was not reported to the ICO until over 2 months from the beginning of the breach and 5 weeks after the breach was discovered;
- the breach impacted almost 150m data subjects worldwide and, as it exploited a known vulnerability, it could potentially have been prevented from occurring.
Although the size of the fine was serious, it could have been much worse had the breach occurred under the new data protection rules – given Equifax’s worldwide turnover of over $3bn, it is calculated that the maximum fine of 4% of turnover would have equated to a fine of about £130m. In addition, the incident also shows that:
- organisations need to monitor carefully breaches that are occurring outside the UK or even the EU – in this case, the breach occurred in the US;
- the new data protection rules require serious breaches to be notified to the ICO within 72 hours as a general rule – in this case, notification after the initial breach was discovered took some 5 weeks, far too slow;
- although Equifax Limited did have a data processing agreement in place with its US parent, this was inadequate given that it did not contain the express terms required to ensure security and there was also evidence that Equifax Limited failed to exercise its right to carry out periodic audits;
- when it came to assessing the size of the fine, although the ICO acknowledged a number of important mitigating factors in favour of keeping the fine low, the seriousness of the breach was such that it had no problem in imposing the maximum fine available – it would appear that mitigating factors may have little impact in serious data breaches;
- class actions – given the high number of individuals affected, it is quite likely that a sub-industry of class actions will arise whereby individuals group together seeking compensation in relation to the loss of their personal data;
- heads rolled – in addition to all of the other factors which should make organisations more careful in the way that they handle personal data, the fact that senior IT staff were replaced at Equifax is a stark lesson that data privacy and security need to be taken seriously by senior management.