It’s no surprise that the ICO fined Equifax Ltd the maximum fine under the DPA (£500,000, reduced to £400,000 for prompt payment): you can’t allow hackers to collect records relating to up to 15 million UK residents and expect to get fined much less. But there are some salutary lessons to be learnt from the full text of the ICO penalty notice.
First, if you are a business that holds large datasets relating to individuals, expect zero tolerance from the ICO if you don’t have in place a solid data protection regime. Equifax had a long list of failures which showed that they did not take data protection seriously: the main ones were failing to patch known vulnerabilities, holding passwords in unencrypted form (!), and showing little sense of urgency once the breach was discovered (it took Equifax US, the processor, over a month to inform Equifax UK, the controller, of the breach).
Second, beware of intra-group arrangements: they give a false sense of security. It’s fairly common in business to have noddy service contracts between different companies in the same group, mainly to keep the auditors happy. These won’t wash for data protection: like the FCA in relation to intragroup outsourcing, the ICO expects intragroup data processing arrangements to be no less robust than those with third parties. Equifax UK was heavily criticised because, in relation to Equifax US, it failed to carry out any risk assessment, the contracts put in place were deficient and toothless (no meaningful specification of information security requirements, and not even the model clauses), and no audits were carried out during the life of the contract.
Third, you need to know where your data is at all times. Equifax UK left data on the servers of Equifax US for no good reason: the clear implication was that the UK organisation had forgotten that it was there. Akin to this was the practice (common in many businesses) of allowing developers to pull data from the production system for the purposes of maintenance or application testing: it’s too easy for these datasets to get forgotten about (as happened with Equifax).
So: Equifax gets fined £500,000, the maximum under the DPA. Under the GDPR, the maximum is much higher, as we all know, but it’s unlikely that the ICO would have fined Equifax UK more than (at a guess) £2 million. However, for most companies suffering a breach, the fines are small beer compared to the overall costs of fixing the breach. Talk Talk’s costs of fixing the breach have been estimated at between £30 million and £60 million. In July 2018, Equifax US reported that it had already incurred $314 million of expenses related to the breach.
Given the risks, if you are a business that holds large datasets relating to individuals, what should you be doing to manage your risk? In other words, how do you put in place a solid data protection regime (assuming that you haven’t already got one)? In my view, there are two main elements.
1. Don’t expect people to do the work off the side of their desks. It’s too difficult. People need to be full time.
2. Get external help, ideally someone who has done it all before. The nature of externals is that they are more detached, and that makes it easier for them to see the wood for the trees. They don’t necessarily know more than you do, but they will help accelerate the process.