Australia: Equifax Inc 2017 US data breach generates fines for Equifax Ltd in the UK

We have written extensively about the Equifax Inc September 2017 Data Breach in the US, its causes, its costs and consequences for Equifax here and here. In the latest update to the ongoing saga, the United Kingdom Information Commissioner's Office (ICO) issued a monetary penalty of £500,000 on 20 September 2018 to Equifax Ltd, the UK based arm of the Equifax group. The relevance of the monetary penalty is that they are for breaches of the UK Data Protection Act 1998 (DPA) in relation to UK individuals and their data (UK Data) arising from the US breach.

The US breach involved a number of data sets relating to UK residents had been maintained by Equifax Inc. The retention of those data sets in the US was found to be in breach of the DPA. In particular, in relation to its identify verification product (EIV), Equifax moved the UK EIV database to the UK in 2006. However, a copy of that data set was retained in the US and the ICO considered that the process for migrating the UK EIV data to the UK and its subsequent deletion in the US was insufficient and/or not adequately effective, and accordingly in breach of the DPA.

There was also another UK data set in the US, called the GCS database in relation to over 20,000 UK individuals and it included the data subjects name, address, date of birth, username, password and secret question and answer for the service provided by Equifax and a number of these were held in plain text. This was in breach of the required standards to store passwords in encrypted, hashed, masked, tokenised or other approved form.

In addition, the dataset was held in a file share which was accessible by multiple users. While the specific regulations under the DPA differ in some respects from the Australian Privacy Act, a number of comments made in the penalty notice would be equally applicable in an Australian context. They included that:

• the deletion of a dataset from the US environment was inadequate
• the GCS dataset was held when the company did not appear to be sufficiently aware of the purpose for which it was being used until after the breach. This suggested there was no lawful purpose to hold and process that data. If there was no purpose, it should have been deleted
• Equifax failed to adequately follow up the process of migration and deletion.

When is consent a defence?

The vexed issued of consent as a defence to Equifax's actions in relation to the GCS dataset was also specifically raised in the penalty notice. In the GCS dataset breach, the defence was raised that Equifax had the data subject's full consent to held the data as they did. The ICO said that failing to inform data subjects that their passwords would be stored in plain text form meant that consent was not fully informed. While Equifax claimed that informing data subjects about this would create a security risk. The ICO took the view that holding passwords in plain form was a security risk and failing to be informed of this security risk, the consent was invalid.

What can Australian businesses learn?

One telling section of the penalty notice is the ICO's listing of all the ways in which Equifax failed to take adequate security measures. These measures would be equally applicable to the Australian obligations to take all reasonable steps to keep personal information secure under APP 11 including:

• not adequately encrypting all personal data
• not adequately protecting user passwords including, in particular storing them in a plain text file
• failing to address known IT vulnerabilities
• not having fully up to date software
• failing to undertake sufficient and/or sufficiently regular system scans and/or using inadequate scanning tools
• failing to ensure appropriate network segregation
• permitting accounts to have more permissions than needed
• storing service account passwords in plain text files within files and allowing such files to be accessed by staff
• failing to ensure that other technical measures provided appropriate protection. Including an expired intrusion prevention system certificate which had expired in January 2016 and was not fixed until July 2017.

How we can help

Avoiding the types of issues set out in the penalty notice involve ensuring you have a robust information governance platform that functions at an operational level and has full executive support. We can assist you to prepare protocols and policies for this, conduct workshops for staff and provide training for executives and boards.

Investing in information governance as a business process is often a less costly approach as the continuing Equifax saga illustrates.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.