The Financial Conduct Authority (FCA) announced on 13 October 2023 that it has fined Equifax Ltd (Equifax) £11,164,400 for “failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US”. Equifax is a major credit reference agency authorised and regulated by the FCA. The fine relates to the Equifax Identify Verifier (EIV) service – this product allows Equifax’s clients to verify a consumer’s identity by checking it against other sources of data held by Equifax.
The FCA announced that it was investigating the Equifax incident in 2017 – it is not clear why it has taken six years for the investigation to be completed and for a fine to be issued.
Cybersecurity breach
In 2017, the servers of Equifax’s parent company – Equifax Inc – were accessed by hackers and, as a result, the personal data of approximately 13.8 million UK consumers were compromised. Equifax had outsourced the processing of this data to Equifax Inc.
The personal data accessed ranged from names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.
Equifax’s failings
The FCA highlights a number of failings as summarised below.
Principle 3 of the FCA’s principles for businesses (Principle 3) requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. The FCA found that Equifax breached Principle 3 in the following ways:
- Equifax failed to put in place, approve, and operate an appropriate risk management framework that allowed it to identify, manage, monitor, and mitigate the risks inherent in outsourcing the processing of data to its parent, Equifax Inc. The FCA highlights that Equifax relied on Equifax Inc’s risk management arrangements without properly assessing whether they satisfy Equifax’s regulatory obligations.
- Equifax failed to put in place adequate systems and controls for ensuring the security of UK consumer data processed by Equifax Inc and stored on its US servers. Equifax was not able to produce full security annexes to the contract between Equifax and Equifax Inc. Also, whilst contracts between Equifax and Equifax Inc gave Equifax the power to audit, Equifax did not exercise that power. The FCA also notes that Equifax relied upon its security function for assurance that Equifax Inc’s security arrangements were appropriate, however, this function ultimately reported to Equifax Inc, and no consideration was given to the risks of outsourcing the processing of data to Equifax Inc.
- The FCA highlights that Equifax was aware of the security issues at Equifax Inc. In addition, Equifax had not kept records of the data it had sent to Equifax Inc and had failed to ensure that data records were deleted from the US servers when the majority of the outsourcing had ceased.
Principle 6 requires a firm to pay due regard to the interests of its customers and treat them fairly. When a firm becomes aware of a data breach, it is essential that it promptly notifies affected individuals and informs them of the steps that they can take to protect themselves.
- Equifax’s failure to properly manage its outsourcing arrangements with Equifax Inc meant that it did not promptly identify and notify individuals. Equifax did not find out that UK data had been accessed until six weeks after Equifax Inc had discovered the unauthorised access. In addition, Equifax did not keep proper records of the data it had supplied to Equifax Inc, with the result that, even when it finally did become aware of the breach, it was hampered in the steps it could take to identify and therefore notify consumers.
- Equifax did not notify a sub-group of 512,416 individuals on the basis that it could not confirm the addresses of these individuals without applying a special process to the data, a process it considered too “resource intensive”. Equifax had, however, applied those processes to the data which applied to thousands of other affected individuals.
- Equifax failed to maintain quality assurance checks for complaints following the cybersecurity incident, meaning complaints were mishandled.
Principle 7 requires a firm to pay due regard to the information needs of its clients and communicate information to them in a way which is clear, fair and not misleading. Equifax published several statements following the breach which gave, most significantly, an inaccurate impression of the number of consumers affected by the breach.
Reductions to the FCA fine
Equifax agreed to resolve this matter and qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedures. Also, Equifax also received a 15% reduction for mitigation in acknowledgement of its high level of cooperation during the investigation, the voluntary redress it offered to consumers and the global transformation programme it instituted after the incident.
Data protection actions
Equifax was imposed with a fine of £500,000 from the UK Information Commissioner (ICO) in relation to the same breach. The ICO’s fine was issued in 2018 under the Data Protection Act 1998. At the time, this was the maximum amount the ICO was able to fine. Under the current UK data protection regime – the UK GDPR and the Data Protection Act 2018 – the ICO has the power to issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
The ICO recognised in its monetary penalty notice that the relevant data was, for the most part, not itself highly sensitive in terms of its impact on data subjects’ privacy, however, the ICO identified aggravating factors – including the prolonged nature of the breach due to systemic inadequacies, failures to identify/ensure appropriate security measures such as the implementation of patches, the encryption of personal data and the appropriate security of passwords and inadequate contractual arrangements between Equifax and Equifax Inc.
In the wake of this breach, a group litigation order application was made on a number of potential claimants (the court stated that the number of potential claims may be in the region of 10,000). This mechanism is a procedure which enables the courts to manage large numbers of related claims together, but still requires individual claims for be issued for each claimant. In Bennett & Others v Equifax Limited [2022] EWHC 1487 (QB), the decision on whether to grant the application was deferred and will be considered by a managing judge at a case management conference. However, it was noted (in obiter) that “it may be unlikely that the entirety of the Claimant cohort will be able to establish either financial loss or distress to enable compensation to be awarded”.
Key take-aways
- Firms should ensure that entities are able to and are required to identify, manage, monitor, and mitigate the risks involved in intra-group outsourcing. Here, Equifax did not treat the risks at the parent company level with the same level of seriousness and rigour that would have been the case had the outsourcing been to a third party. Firms need to ensure that their intra-group outsourcings satisfy the relevant regulatory requirements in respect of appropriate oversight and effective access, auditing rights, data security arrangements and exit planning/arrangements.
- The decision highlights the importance of effective procedures to ensure the timely deletion of personal data when the processing is no longer required. The impact of the breach on Equifax would have been less significant had it ensured that the millions of records stored on the US servers were deleted when the intra-group outsourcing relating to the EIV service had come to an end in September 2016.
- This decision serves as a reminder that regulated firms are at risk of fines from both data protection authorities and the FCA in relation to personal data breaches.
For further information, please contact:
Gavin Punia, Partner, Bird & Bird
gavin.punia@twobirds.com