We have written extensively about the Equifax Inc September 2017 Data Breach in the US, its causes, its costs and consequences for Equifax here and here. In the latest update to the ongoing saga, the United Kingdom Information Commissioner’s Office (ICO) issued a monetary penalty of £500,000 on 20 September 2018 to Equifax Ltd, the UK based arm of the Equifax group. The relevance of the monetary penalty is that they are for breaches of the UK Data Protection Act 1998 (DPA) in relation to UK individuals and their data (UK Data) arising from the US breach.
The US breach involved a number of data sets relating to UK residents had been maintained by Equifax Inc. The retention of those data sets in the US was found to be in breach of the DPA. In particular, in relation to its identify verification product (EIV), Equifax moved the UK EIV database to the UK in 2006. However, a copy of that data set was retained in the US and the ICO considered that the process for migrating the UK EIV data to the UK and its subsequent deletion in the US was insufficient and/or not adequately effective, and accordingly in breach of the DPA.
There was also another UK data set in the US, called the GCS database in relation to over 20,000 UK individuals and it included the data subjects name, address, date of birth, username, password and secret question and answer for the service provided by Equifax and a number of these were held in plain text. This was in breach of the required standards to store passwords in encrypted, hashed, masked, tokenised or other approved form.
In addition, the dataset was held in a file share which was accessible by multiple users. While the specific regulations under the DPA differ in some respects from the Australian Privacy Act, a number of comments made in the penalty notice would be equally applicable in an Australian context. They included that:
When is consent a defence?
The vexed issued of consent as a defence to Equifax’s actions in relation to the GCS dataset was also specifically raised in the penalty notice. In the GCS dataset breach, the defence was raised that Equifax had the data subject’s full consent to held the data as they did. The ICO said that failing to inform data subjects that their passwords would be stored in plain text form meant that consent was not fully informed. While Equifax claimed that informing data subjects about this would create a security risk. The ICO took the view that holding passwords in plain form was a security risk and failing to be informed of this security risk, the consent was invalid.
What can Australian businesses learn?
One telling section of the penalty notice is the ICO’s listing of all the ways in which Equifax failed to take adequate security measures. These measures would be equally applicable to the Australian obligations to take all reasonable steps to keep personal information secure under APP 11 including:
How we can help
Avoiding the types of issues set out in the penalty notice involve ensuring you have a robust information governance platform that functions at an operational level and has full executive support. We can assist you to prepare protocols and policies for this, conduct workshops for staff and provide training for executives and boards.
Investing in information governance as a business process is often a less costly approach as the continuing Equifax saga illustrates.
Author: Lyn Nicholson
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
Dan Pearce, Partner
T: +61 3 9321 9840
Trent Taylor, Partner
T: +61 7 3135 0668
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.
Published by Lyn Nicholson