The UK Information Commissioner's Office (ICO) has announced a fine of £500k on the consumer credit reporting agency Equifax Ltd. This follows the massive 2017 data breach at Equifax's US parent company, during which the personal data of 143 million US residents and 700,000 UK residents was accessed by hackers.
The £500k fine imposed on Equifax, together with the £500k fine imposed on Facebook earlier in the summer, represents a new record level of enforcement for the UK, a significant increase on the previous record of £400k imposed on TalkTalk in 2016. Following the implementation of the General Data Protection Regulation (GDPR) earlier this year, which increased the maximum fine to €20m (or 4% of global turnover in the preceding financial year, whichever is higher), many businesses will be interested to know whether the fines imposed on Facebook and Equifax indicate an upward trend in enforcement.
It is difficult to draw many conclusions about changes in enforcement strategy from the recent cases. Prior to the implementation of the GDPR, the Information Commissioner stated that the new legislation and increased enforcement powers would not alter the UK's enforcement strategy. However, one of the strategic drivers behind the roll-out of the GDPR across the EU was the desire to achieve a level playing field in enforcement between Member States, and given this it seems probable that enforcement in the UK will become more closely aligned with that of other EU members. This alignment is unlikely to be affected in the foreseeable future after Brexit, because the UK will probably seek an agreement that its data protection legislation is "equivalent" to the EU's. If UK enforcement becomes aligned with that of other EU Member States, it is reasonable to conclude that ICO enforcement activity will be influenced by the strategy of regulators across Europe.
In addition, enforcement action in this type of case is highly "fact sensitive", and each case is usually quite distinct from previous enforcement actions. This makes it difficult to draw too many conclusions about the relevance of previous fines to new cases. However, there are some valuable comparisons to be drawn between the action against Equifax and the fine imposed on TalkTalk which may help businesses assess their own level of risk.
Both cases involved personal data (including financial information) being accessed following a "hack". In the Equifax case, a file containing data relating to UK citizens was accessed while it was being stored on servers located at the Equifax parent company in the USA. The US parent company (Equifax Inc) had been warned about a critical vulnerability in its systems by the US Department of Homeland Security several months before the hack took place, but failed to take adequate steps to address the vulnerability. There is a parallel with the conduct of TalkTalk, which failed to take adequate steps to address a weakness in its systems following a hack and subsequently suffered a much more significant attack through the same weakness, during which a large quantity of personal data was accessed. In both cases the regulator's criticism was not that the organisation was attacked, but that it knew of the weakness and left it unaddressed for long enough for the attack to succeed.
It is reasonable to conclude that businesses which fail to take action, or take inadequate action, to address known weaknesses in their information security systems and subsequently suffer a data breach are unlikely to find favour with the ICO. The £500k fines imposed on Facebook and Equifax were the maximum permitted under the previous enforcement regime, and businesses which suffer a similar breach post-GDPR will not enjoy the "protection" of that statutory cap on fines. It is also worth noting the developing trend for data subjects whose data has been accessed in these scenarios to pursue compensation through group litigation. Individually the value of these claims may be modest; however, the exposure to a claim pursued by potentially 700k claimants, as in the case of Equifax, could amount to a litigation risk in excess of £200m plus legal costs.
Now that the initial hysteria surrounding the implementation of the GDPR has begun to subside, it may be appropriate for businesses to consider whether their information security systems are adequate to match their appetite for legal risk, and to take advice on mitigating their exposure if there are any concerns.