The Information Commissioner’s Office (ICO) in the United Kingdom has today announced a £500,000 fine for Equifax Ltd in response to its security breach in 2017. The breach affected 146 million customers globally and compromised up to 15 million British citizen’s personal information.
ICO is the United Kingdom’s independent regulator for data protection and has been investigating Equifax’s security breach in cooperation with the Financial Conduct Authority (FCA) in the UK. The investigation revealed that Equifax had failed on multiple ways to take adequate measures to prevent information loss and that the company had been retaining data for longer than necessary.
While hackers compromised Equifax Inc systems in the USA, ICO determined that Equifax Ltd had been responsible for the protection of customer data of its UK customers. Equifax Inc had been processing Equifax Ltd customer data in the USA and according to ICO Equifax Ltd should have been more stringent in their steps to ensure that their parent company followed adequate data processing methods.
ICO conducted its investigation in line with the Data Protection Act 1998, which allowed ICO to issue a maximum fine of up to £500,000. ICO could not conduct their investigation under GDPR rules as the breach occurred before the date by which GDPR came into effect. ICO’s inability to retroactively apply GDPR’s harsher fines is somewhat of a win for Equifax, as GDPR rules would have allowed ICO to levy a fine of up to €20 million or 4% of global turnover.
According to ICO’s report, Equifax must pay the fine by October 19th, 2018. ICO will reduce the fine by 20%, or to £400,000, if Equifax pays by October 18th, 2018. If Equifax fails to pay the fine by this date, ICO can then apply to a County Court or the High Court in England or Wales for an order to recover the outstanding money.
Equifax Ltd also has a right to appeal to a Tribunal but doing so would mean that they would have to pay the full £500,000 if the Tribunal dismisses the appeal.
Equifax Ltd has reported that they have received the notice and are “considering the detailed points made”.
You can read the details of ICO"s investigation here and Equifax"s full response too at this link.
Sources: techcrunch.com | ICO | Equifax