Equifax fined £150 mn and $billions to follow – how the story could play

A £150mn fine for Equifax could have been imposed, had their breaches been post May 2018 with the exposure of millions of consumers around the world. Their £500,000 fine from the UK ICO is dwarfed by what it could have been. It’s small beer for a multinational. But everyone should be paying attention, as GDPR has yet to bite and the first GDPR notice is served, with the threat of a GDPR-level fine, on data analytics firm AggregateIQ.

So what’s the fine about?

Equifax’s 2017 data breach (involving approximately 150 million American and 15 million UK citizens) resulted on 20th September 2018 in a fine of £500,000 from the UK’s Information Commissioner, which most people will have found slightly underwhelming. But that’s not the whole story, nor the end of it, and so it’s important to go a bit deeper and broader on this.

Why is it so small?

All this occurred under the pre-GDPR regulatory regime where in the UK (and EU) £500,000 was the maximum fine which could be levied by the regulator.

What could future fines be like?

Under GDPR, had the breaches occurred after 25th of May 2018, the maximum fine which could have been levied would have been between 2% and 4% of its global revenue. It’s this fining potential which has got GDPR so much attention. With global revenues in 2017 of over $3 billion that starts making a fine look a lot more like $200 million or £150 million – just from the ICO. That should send shivers down the spine of any CEO or investor.

Partially fuelled by the Equifax – and other – experiences, politicians and legislators in the US have gone from questioning the fortress Europe approach to data protection to asking why on earth the US does not have similar powers and requirements. So if we are to play a game of ‘what if’, Equifax looks at the moment to have at least so far avoided action in the US, but a quick look just at June 2018’s newly passed California Consumer Privacy Act is salutary. This would make provision for penalties or damages of between $100 and $750 per resident, which some have suggested could have meant billions of dollars for Equifax had their breaches occurred once the Act takes effect in 2020.

What is most worrying?

However, what is really worrying in the Equifax case is the way in which their vulnerabilities were known to them and indeed were pointed out to them by individuals and organisations such as US Homeland Security. But they apparently did not rush to fix them, and when the breaches occurred they incurred delays in informing consumers, many of whom would not even have been their customers, so that those consumers did not have the fullest opportunity to do something about their own firewalls, security and passwords and to be extra vigilant in looking for anomalies in bank and other accounts.

What worries TCF?

Three things worry us at TCF in all of this.

The first: Equifax’s delays in notifying this. We see how this can happen regularly. We see businesses and organisations, presented with problems in systems and codes (for example), who just seem to find it hard to deal with these, almost on a ‘too hard to deal with’ basis. But to paraphrase a very experienced chairman with whom we have worked, ‘if an issue is that hard to get to grips with, then you’ve just got to make it a priority to get to grips with it’. And it’s just too easy to confuse the paraphernalia of having a project or programme, with the inevitable email-exchange and waiting-for-someone-to-come-back, with concerted progress and completer finishing on the issue so it’s resolved, fixed. Having a programme isn’t the thing. Having a programme that delivers, that is the thing.

The second: Most challenges with data protection which TCF sees in firms aren’t fundamentally about data or privacy – they are about business management. They are essentially about general compliance standards, operations quality, design rigour and Board and management engagement. Moreover, in our experience, breaches and the response to them are as much about governance, engagement, project and remediation discipline, and thinking from the customer or individual point of view as they are about knowing what GDPR means. This means that when you look for support, it’s important to have the capability to range across those areas with a practical applied privacy and data protection expertise – which is exactly where TCF is.

The third: Where is the Financial Conduct Authority (FCA) in this? The ICO has stated that it carried out its investigation in parallel with the FCA. Equifax is a credit reference agency authorised by the FCA and required, in addition to compliance with specific rules, to have adequate systems, resources, governance and a culture of putting the customer first as a condition of its being authorised. So what will the FCA do? This looks – and this is a lesson for all other regulated firms – like a data issue and a systems, controls and governance issue which ought to take a firm into Enforcement and de-authorisation territory, especially one where the failure is in the core of their business – data.

How the FCA responds to this is crucial as in most respects – and pre GDPR – it has more powers than the ICO. Arguably, if this involved a bank (for example, the TSB IT failure), the FCA would be all over it. So as a systems and controls issue, a £500,000 fine from the ICO should not be the end of it.

So where could this go?

First, the door is not necessarily closed on further repercussions for Equifax. But second, anyone looking at this should ask ‘could it happen here?’ and be real about how it can. And lastly, anyone with breaches since May 2018 should remember that what has happened with Equifax pre GDPR does not dictate what might happen to them.

September 2018