You may have missed the news at the weekend that the personal data of 400,000 Britons was amongst the 143 million personal records compromised by a criminal hack on US servers way back in May.
All the more worrying is that the holder of the data is Equifax, which provides credit reports and “anti-fraud” services. The stolen information includes names, dates of birth, email addresses and telephone numbers, and the sheer number of UK victims surpasses the 250,000 victims of the Wonga data breach back in April.
Now, let’s suppose we’re in the UK post GDPR implementation in May 2018. How compliant would Equifax have been with the new code?
Article 33 – Report the breach to the ICO within 72 hours
The breach occurred in mid-May and was discovered by Equifax on 29th July. It wasn’t until 7th September that Equifax published a notification on their own website with the ICO publishing notification on the breach in the UK a day later.
Article 34 – Inform Data Subjects Quickly
To paraphrase Article 34 – Where the data breach is likely to result in a high risk to the rights and freedoms of the individual, the breach should be reported to the data subject without delay.5 weeks passed between discovery of the breach and notification to customers, yet an Equifax commissioned white paper available on their UK website states “Almost three quarters (73%) of GB adults online think that companies should tell them that they have experienced a data breach and 63% would expect to be notified of a breach within hours.”
Avoid the breach in the first place
It’s acutely embarrassing that Equifax UK’s website states “Companies that play fast and loose with people’s personal information risk the wrath of the ICO” when advertising the merits of its Equifax Protect product.Simply put, with the correct procedures in place a breach like this shouldn’t occur – in this instance Equifax failed to install a software patch for a vulnerability identified in March.
Breaching the GDPR could be exceptionally costly for firms that suffer a breach. Organisations that fail to comply with reporting obligations face a fine of €20 million or 4% of global turnover, whichever is the greater.
As for the long term cost of reputational damage, Equifax is a company that actively markets “anti-fraud” products to individuals and businesses. If the lawsuits begin to stack up in the US, this breach could begin to look very expensive.
For more information, contact us.
Article by: Jason Adderley