25 September, 2018
The Information Commissioner's Office has once again handed down the maximum fine available to it, and in doing so has reinforced its recent trend of tougher punishments for breaches of data protection laws.
Credit reference agency Equifax has been fined £500,000 by the ICO for a hacking incident which affected as many as 146 million subjects worldwide, 15 million of them within the UK. Whilst the majority of the data compromised consisted only of names and dates of birth, tens of thousands of individuals had additional data, including contact details, car registration details and even passwords, exposed by the hack.
As this particular cyber-attack occurred in March 2017, Equifax can take some consolation that the hacking took place under the old rules of the 1998 Data Protection Act and not under the more recent regime of the GDPR and the 2018 Data Protection Act. Whilst the £500,000 amount represents the maximum the ICO was able to impose under the old rules, had the hack occurred today Equifax could have found itself liable for a far larger fine of up to 20 million euros.
This is only the second time that the ICO has opted to use the full weight of its enforcement powers by giving out the maximum fine available to it. However, given that the first instance concerned the Facebook/Cambridge Analytica data scandal only two months ago, there are many who will feel that this high amount is reflective not only of the seriousness of the data breach, but also indicates an increased willingness by the ICO to come down harder on any violation of data protection law.
This recent trend will surely give pause for thought to any organisation that has yet to take GDPR with the level of seriousness it clearly requires. This case serves as another example that the ICO will not shy away from high-level fines, and those fines will only get higher once it begins investigating post-GDPR breaches.
In response to the ICO's investigation, Equifax commented that it was unfortunate that the fine was not lessened by the fact that, once the breach had occurred, its response was one of collaboration with the ICO. Unlike Facebook before it, Equifax was noted by the ICO as having cooperated fully with the investigation into the breach, yet this was clearly not enough to secure any leniency in the amount of the fine, given the size of the breach itself.
Where the ICO in the Facebook investigation commented that the social media giant had "consistently failed to answer the questions from the committee", and that responses received were "consistently slow and unsatisfactory", no such criticisms were made of Equifax. This is hardly surprising given that Equifax was the victim of a hack from an outside force, whereas Facebook was guilty of intentionally misusing the data in its control, so it is only natural that where the former was eager to provide assistance, the latter was eager to cover its tracks.
It is therefore very interesting that the outcome was the same in both instances: the maximum fine. This is perhaps indicative of a negative correlation between the size of a breach and an organisation's ability to mitigate its losses; as the size of a breach grows, any mitigating factors that could assist the data controller become of less significance.
An additional point of particular note in this case was the fact that Equifax was unable to escape the penalty even after demonstrating that the breach originated outside of the UK. Instead, the ICO acknowledged that whilst the hack may have occurred in the US, its responsibility is to "look after UK citizens' information wherever it is held".
This development should make it abundantly clear to any organisation which processes data by sending it to third parties overseas that it must take an active interest in the activities of those third parties: how they protect the data given to them, the security that surrounds that data and the indemnities they are willing to offer, especially when the parties are based in territories without a data protection system equivalent to the GDPR. Final responsibility will always come back to the data controller.
Forbes regularly advises on matters concerning Data Protection and GDPR. If you have concerns over any GDPR compliance issues in your organisation, contact us at firstname.lastname@example.org to find out more about how we can help.