Summary
The UK’s Financial Conduct Authority (“FCA”) recently fined Equifax Ltd (“Equifax”) £11,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company in the US, following a data breach in 2017. The 2017 incident was one of the largest data breaches known at the time and allowed hackers to access the personal data of millions of people, including around 13.8 million UK consumers. The FCA fine marks the conclusion of an investigation which it began in 2017 and follows the UK Information Commissioner’s Office’s (“ICO”) £500,000 fine in 2018 in relation to the same incident, which was the pre-GDPR maximum that the ICO could impose at the time. The FCA’s involvement is a reminder that incidents involving personal data are not necessarily just the preserve of the data protection regulator, and that many of the controls deemed appropriate by the ICO will likely also be required by regimes in other sectors – especially financial services.
Background
The incident in question allowed hackers to access the personal data of millions of UK consumers, which Equifax had outsourced to its US parent, Equifax Inc, for processing. The UK consumer data affected included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses. Equifax reportedly did not find out that UK consumer data had been accessed until six weeks after Equifax Inc had discovered the hack, and was only informed of the incident approximately five minutes before it was announced to the public by the US parent company.
Like the ICO before it, the FCA identified multiple failures at Equifax in relation to the data concerned, and considered that the cyberattack and unauthorised access to data had been entirely preventable. In particular, the FCA considered that Equifax had failed to:
- adequately manage the risks inherent in outsourcing the processing to its US parent;
- pay due regard to the interests of its customers and treat them fairly; and
- have regard to the information needs of those customers and communicate with them in a way which is clear, fair and not misleading.
The FCA accordingly concluded that Equifax had breached Principles 3, 6 and 7 of the FCA’s Principles for Businesses, which apply to regulated financial firms. We have set out further details below.
Principle 3: Management and control
Principle 3 requires a regulated firm such as Equifax to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. The FCA considered that Equifax had breached Principle 3 because it had failed to put in place an appropriate risk management framework that allowed it to identify, manage, monitor, and mitigate the risks inherent in outsourcing the processing of data to its US parent, Equifax Inc. The FCA’s investigation found that there were specific risks that Equifax should have identified and sought to mitigate. In particular:
i. Equifax was subject to certain internal incident handling policies and procedures which meant that, in the event of a security breach affecting data processed and stored by an intra-group company, there was a risk that the interests of other parts of the Equifax group could be placed above the interests of Equifax;
ii. the Security Executive that was responsible for Equifax’s security function reported to Equifax Inc’s global security executive, further contributing to the risk in (i) above;
iii. there were also risks common in many cases of intra-group outsourcing, including that known weaknesses at the group entity level would not be treated by Equifax with the same degree of seriousness as would be the case if the outsourcing had been to a third party, and that the risks associated with the outsourced processing of data by Equifax Inc would not be managed with the degree of rigour required.
The FCA therefore found that Equifax had breached Principle 3 in the following ways:
- Prior to the incident, Equifax was aware of serious security patching problems at Equifax Inc. Had Equifax treated the arrangements as outsourcing (as that term is defined in the FCA Handbook), it would have been required under its Outsourcing Policy and risk management framework to take action in response.
- Equifax had failed to keep adequate records of the data it had sent to Equifax Inc, because it wrongly believed that that data had been deleted. This, coupled with access restrictions implemented as a security measure following the incident, meant that Equifax was unable to obtain the subset of UK data residing on Equifax Inc’s servers which had been accessed in the incident, which in turn delayed Equifax in identifying and notifying affected UK consumers. Furthermore, Equifax failed to properly ensure that millions of data records were deleted from Equifax Inc’s servers when it substantially ceased outsourcing one of the affected financial products to Equifax Inc in September 2016.
- When the incident occurred, the way that Equifax had managed the outsourcing arrangements meant that it was not made aware in a timely manner by Equifax Inc that UK consumer data had been accessed. This contributed to delays in contacting UK consumers and to Equifax’s inability to cope with the complaints it received when the incident was announced.
- In addition, Equifax had failed to put in place adequate systems and controls for ensuring the security of UK consumer data processed by Equifax Inc and stored on its US servers (it is worth noting that the ICO made a similar finding in its 2018 penalty notice). In particular, the FCA found that Equifax had not taken sufficient steps to ensure that Equifax Inc’s security arrangements were adequate, and had instead relied for assurance on the “security” annexes to two data protection agreements (“DPAs”) between Equifax and Equifax Inc. However, the FCA noted that Equifax was unable to provide a copy of the security annex to one of the DPAs, and the other DPA contained only a short summary of the security measures used. Furthermore, Equifax admitted, in the course of the FCA’s investigation, that it had not treated Equifax Inc with the same rigour as other outsourced service providers, given the intra-group context.
Principle 6: Customers’ interests
Principle 6 requires a regulated firm to pay due regard to the interests of its customers and treat them fairly. This means that when a firm becomes aware of a data breach, it is essential to promptly notify affected individuals and inform them of the steps they can take to protect themselves. The FCA considered that Equifax had breached Principle 6 because Equifax had:
- failed to properly manage its outsourcing arrangements with Equifax Inc, with the result that Equifax was not notified of the incident or provided with copies of the underlying data until around 6 weeks after Equifax Inc became aware of the issue. In addition, as stated above, Equifax did not keep proper records of the data it had supplied to Equifax Inc. This meant that, even once Equifax had become aware of the incident, Equifax was unable to effectively identify the UK consumers affected and the categories of data compromised, and was therefore unable to promptly notify the affected individuals or to execute a remediation plan;
- failed to inform over half a million individuals whose names, dates of birth, and telephone numbers were accessed without authorisation that this had occurred. Although Equifax contacted the other individuals who fell into this category, it declined to inform this subgroup because it could not confirm their addresses without applying a special process to the data, a process it considered too “resource intensive”;
- exposed consumers who complained to the risk of unfair outcomes by failing to exercise appropriate quality assurance checks for complaints following the incident, with the result that complaints were not appropriately handled.
Principle 7: Communications with clients
Principle 7 requires a regulated firm to pay due regard to the information needs of its customers and communicate information to them in a way which is clear, fair and not misleading. The FCA considered that Equifax had breached Principle 7 because it had published several statements following the incident which gave an inaccurate impression of the number of consumers affected by the incident. For example, an early press release issued following the breach stated that Equifax intended to contact 400,000 individuals in relation to the incident, when in fact Equifax had been aware at the time of this press release that up to 15.1 million UK individuals were potentially affected. As a result, UK national news outlets reported that the incident affected “up to” 400,000 UK consumers, a figure which the FCA found Equifax did not take timely steps to correct. Equifax also did not disclose the figure of 15.2 million records, equating to 12.3 million unique name and date of birth combinations (which represented the maximum number of individuals potentially affected by the breach), until more than two years after the incident.
The level of the fine
In setting the level of the fine, the FCA followed the five-step process set out in chapter 6 of its Decision Procedure and Penalties Manual and took into consideration both the failings that led to the incident and the immediate handling of the incident, as well as the subsequent failings in relation to complaints handling. It is worth highlighting that the final figure of £11,164,400 includes a reduction applied by the FCA to take account of the high level of cooperation displayed by Equifax during the FCA’s investigation, as well as the fact that Equifax had instituted a global transformation programme to remedy the failings and had implemented a voluntary redress programme for consumers. The FCA indicated that, had it not been for these mitigating factors, the fine would have been just under £16 million.
Takeaways
This FCA fine is of interest to data protection practitioners for a number of reasons:
- Firstly, the FCA’s investigation and enforcement action in relation to this incident, which was carried out in parallel with that of the ICO, reminds us that data breach management may engage sector-specific security and reporting obligations as well as general data protection and security requirements. Organisations operating in regulated sectors such as financial services should therefore take note that they may face enforcement action from multiple regulators for breach of their obligations where they are subject to overlapping regulatory regimes. This is against a broader backdrop of increasing cooperation and collaboration between the FCA and the ICO following a Memorandum of Understanding entered into in 2019, which established a framework for coordination and information sharing between them.
- Secondly, the fine underscores the importance of ensuring that the security measures in place in respect of any outsourced processing, as well as any DPAs, are given sufficient attention even in the intra-group context; organisations should not assume that intra-group arrangements are necessarily lower-risk. In particular, the FCA has made clear that regulated financial firms remain responsible for the data they outsource, and should ensure that systems and software are kept up to date and fully patched to prevent unauthorised access.
- The fine also highlights that an effective PR and communication strategy following a breach is critical. In this case, Equifax was not informed of the breach by its US parent until a few minutes before the incident was publicly announced – information which came, in the words of an Equifax senior executive, as a “bad surprise”. As a result, Equifax was not adequately prepared to deal with customer complaints. In addition, the fine illustrates the importance of ensuring that any public statements made following a security incident are accurate and do not mislead consumers. Although in practice there may be many unknowns when dealing with the early stages of an incident, organisations should still take steps to ensure that any public statements made in relation to an incident reflect the known facts, and ensure that any such statements are updated as necessary as the situation evolves and new information comes to light (and that any statements subsequently found to be inaccurate are promptly corrected).
- However, on a more positive note, the FCA’s penalty notice also highlights some of the mitigating steps that organisations can take following an incident. In particular, if an organisation demonstrates a high degree of cooperation with regulatory investigations and can show that it has taken appropriate remediation steps in response to an incident, then these may be taken into account by the FCA as mitigating factors in considering the amount of any fine. It is likely that the ICO would also follow a similar approach – see our separate article on this here.