FCA fines Equifax Ltd £11m following 2017 cyberattack of US parent

Along with the ICO’s 2018 fine, the Final Notice provides a textbook example of what not to do in a cyberattack.

07 November 2023

In 2017, one of the largest data breaches in history gave hackers access to Equifax Limited’s parent company in the US, Equifax Inc. As a result of an outsourcing agreement between the two companies, the personal data of approximately 13.8 million UK customers was compromised. On 3 October 2023, the UK’s Financial Conduct Authority (“FCA”) imposed an £11,164,000 fine on Equifax Limited (“Equifax”) for “failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US”. The FCA’s action follows the £500,000 fine levied against Equifax by the Information Commissioner’s Office (“ICO”) in 2018 for the same incident (which was the maximum fine available to the ICO at the time). The FCA’s Final Notice outlines serious failings by Equifax, both pre- and post-incident, and serves as a salutary reminder that companies must properly manage their outsourcing arrangements (whether intra-group or not) and have robust incident response and communications plans in place, and that multiple regulators have an interest in data and cyber protection.

Between 2014 and 2016, Equifax outsourced the processing of UK customer data in connection with two of its products to Equifax Inc. This data remained on Equifax Inc’s servers despite the fact that Equifax had ceased the arrangement in September 2016. As a result, personal data (including dates of birth, phone numbers, credit card details and residential addresses) relating to approximately 13.8 million UK customers was exposed when Equifax Inc suffered one of the largest cyberattacks on record.

The FCA found that Equifax breached Principles 3, 6 and 7 by failing to:

  • manage its outsourcing arrangements effectively;
  • identify and inform affected individuals promptly that their personal data had been accessed without authorisation;
  • implement appropriate quality assurance checks for complaints, exposing customers to the risk of unfair outcomes; and
  • provide clear statements about the severity of the breach.

The FCA’s response demonstrates that it takes a robust approach to mismanagement of personal data and security of systems. It also highlights that financial services firms must comply with both sector-specific and general data protection obligations. Individual firms are expected to remain responsible for the data they collect, even if that data is outsourced to a controlling entity. Furthermore, accurate, clear and timely communications with consumers affected are essential following an incident.

Regulated firms must:

  • ensure they can identify and mitigate both actual and potential risks that may arise from transferring data to another firm/entity;
  • apply risk management frameworks equally to both intra-group and third-party outsourcing arrangements;
  • keep records of what data has been outsourced (which will make it easier to identify affected individuals in the event of a breach);
  • encourage clear communication and information sharing across their networks to reduce the chances of data management errors; and
  • notify individuals affected by a data breach as quickly as possible and ensure that all public communications (i) accurately reflect the nature of the breach; and (ii) are regularly updated as new information comes to light.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.