People entering/exiting building.

Equifax fined £500,000 for data breach of 15m UK customers

Published on 20 December 2018

Had Equifax taken adequate and effective measures to protect customer data?

The background

Equifax, one of the world’s biggest credit agencies, offered a product called Equifax Identity Verifier (EIV) which enables clients to verify the identity of their customers in various electronic methods by entering the customer’s details into the Equifax system.  The EIV data was originally processed by Equifax’s US parent company, Equifax Inc in 2016. The data held for the EIV programme was transferred from the US to the UK.  Following transfer of the data, the US company did not then delete the customer data from their systems, despite having no lawful reason to continue storing it. 

Between 13 May and 30 July 2017, Equifax was subject to cyber-attacks on its global business where hackers stole 146m customers’ personal information created between 2011 and 2016, including passwords and financial details. 

Although Equifax Inc became aware of the cyber-attack at the end of July 2017 and a further smaller breach at the end of August, they did not warn Equifax Ltd until 7 September 2017, after which Equifax Ltd promptly notified the Information Commissioner’s Office (ICO) on 8 September.

In a probe by the ICO and Financial Conduct Authority after the breach, it was found that Equifax Inc was warned by the US Department of Homeland Security as recently as March 2017 about “critical vulnerabilities” in its cyber-security systems. 

The decision

Although the information systems in the US were compromised (owned and operated by Equifax Inc), the ICO found that the UK arm of the company (Equifax Ltd) failed to take appropriate steps to ensure its parent company was protecting the information. 

It was found that the company had breached five out of eight data protection principles in the Data Protection Act 1998, including a failure to secure personal data and having a lack of legal basis for international transfers of UK citizens’ data. 

Equifax was sanctioned with the maximum fine of £500,000 under the 1998 Act and investigations into potential fines for Equifax Inc are still ongoing. 

Why is this important?

Multi-national data companies must do all they can to ensure data protection compliance, not only within the UK but also in other jurisdictions where the data of UK citizens is being transferred between jurisdictions.

In addition to the reputational damage of a data breach and a failure to comply with basic data protection principles, the fines are now significantly higher under the General Data Protection Regulation and can be the greater of up to €20m or 4% of global turnover.  But this could be potentially small change compared to the potential liability of a class action claim with this number of people affected.

Any practical tips?

In the event of a data breach, you must have regard to Article 33 GDPR which requires data controllers to notify the ICO within 72 hours of becoming aware of the breach.  A delay by the parent company in telling its subsidiary would constitute a breach of the GDPR and could expose the subsidiary to massive fines. 

Where data is being transferred between jurisdictions, you must consider whether the transferring jurisdiction continues to have lawful reason to store the data.  If they do not, there must be an adequate process for the transferee jurisdiction to check and ensure that the data is deleted.

In any event, you must be clear that there is lawful justification for the transfer of data between jurisdictions and that stringent data processing agreements are in place to facilitate this.