Credit reference agency fined £500,000 for serious data breach

The Information Commissioner’s Office has today (20 September) issued a monetary penalty notice to credit reference agency Equifax Limited for serious breaches of data protection law. The £500,000 penalty represents the maximum possible fine that the ICO could give under the old Data Protection Act 1998, which was repealed and replaced with the General Data Protection Regulation and the Data Protection Act 2018 in May this year. The fine was issued under the old law because the breaches took place prior to May.

The penalty notice will not make happy reading for Equifax. It details a long list of failures which the ICO found led to breaches of five of the eight data protection principles under the 1998 Act. The breaches came to light as a result of a major cyber-security incident in 2017 against Equifax’s systems in the US, which affected personal data relating to 146 million people worldwide.

Whilst all organisations will be concerned about the possibility of a cyber-attack, it is important to note that the penalty has not been issued simply because Equifax was the victim of such an attack.  Instead, the ICO found that personal data relating to UK residents had been kept for too long in the US and that Equifax had failed to take appropriate measures to keep the data secure. This included failures on the part of Equifax Limited to have adequate contractual arrangements with its US-based processor and to carry out appropriate audits, as well as failures to ensure that particular security measures were implemented.

Although the penalty has been made under the old law, there are lessons for compliance with the new data protection rules. The GDPR imposes similar obligations on organisations to take appropriate technical and organisational measures to keep personal data secure and not to keep personal data for longer than it is needed.  Ensuring that data processing contracts are sufficiently robust, regular auditing of compliance, deleting data in accordance with retention and disposal schedules and ensuring that appropriate steps are taken to keep data secure are key actions that all organisations handling personal data need to take.

Of course, the one thing that everyone knows about the GDPR is that it gives the ICO powers to issue much higher fines (up to the greater of €20m or 4% of worldwide turnover). The fact that the ICO issued its maximum possible fine in this case strongly hints that these breaches may have merited a higher fine if they had happened under the new rules. However, it may be some time before we find out – the ICO was first notified of the Equifax cyber-attack in early September 2017, so it has taken just over a year to reach this point.