Equifax Ltd - Maximum Monetary Penalty handed down by the ICO
This article considers the recent ICO fine levied against Equifax following its 2017 data breach that affected 15m UK individuals.
Facts
On 19 September 2018, the Information Commissioner (Elizabeth Denham) issued Equifax Ltd, the credit reference agency, with a £500,000 fine following a cyber-attack which took place in May-June 2017. The attack affected data held by Equifax in the USA, including personal data contained in up to 15m unique records of UK individuals, with 14,961 of these including names, addresses, dates of birth, usernames, passwords (in plaintext), secret question and answer (in plaintext), credit card numbers (obscured) and some payment amounts.
The breach related to some proprietary technology which allows Equifax’s clients to verify a customer’s identity online, over the telephone or in person. The service was hosted in the US by Equifax Inc until 2016, when Equifax moved it to the UK. At this point, all UK data should have been transferred and removed from the US, or, at a minimum, a process to achieve this should have been implemented. Equifax Inc discovered the data breach in July 2017 and became aware that UK data might have been affected in late August 2017.
Fine
The Commissioner found that Equifax had contravened multiple data protection principles, which entailed several systemic inadequacies in Equifax’s technical and organisational measures for the safeguarding of the relevant personal data. Cumulatively, this multi-faceted contravention was extremely serious. The Commissioner further considered this was the kind likely to cause substantial damage or substantial distress to the individuals involved.
The Commissioner identified a number of aggravating factors, including the number of individuals affected (146m, of which 15m were in the UK), a failure to ensure appropriate security measures, and the fact that the data breach exploited a known vulnerability. While certain mitigating factors were present (including the prompt report of the breach), the Commissioner decided to fine Equifax £500,000 - the maximum amount under the Data Protection Act 1998 (DPA).
The Commissioner considered the financial position of Equifax and considered that the level of fine would not cause Equifax undue hardship.
Analysis
This fine could have been much larger had it not predated the GDPR and the Data Protection Act 2018. Equifax’s revenues in 2017 were $3.4bn: assuming a maximum fine of 4% of its annual global turnover, a breach today might in theory cost Equifax as much as £136m (although, given the difference in the level of fines available to the ICO under the DPA 1998 and the GDPR, it is perhaps unlikely that a maximum fine under the former would equate to a maximum fine under the latter).
Nevertheless, the new powers available under the GDPR and DPA 2018 open up big multinationals like Equifax to significantly larger fines. Following the ICO’s £500,000 fine of Facebook over the Cambridge Analytica breach, it would seem there is now a real emphasis on the need for multinational data companies to understand what personal data they hold and ensure they protect it, or face severe consequences. While mitigating factors may exist, they are unlikely to offset any aggravating factors that suggest that the breach could have been prevented.