ICO issues record £500,000 fines to Equifax and Facebook

The Information Commissioner's Office (ICO) has recently fined both Equifax Ltd and Facebook Ireland Ltd and Facebook Inc. £500,000 for their failure to protect the personal data of UK citizens.

Equifax suffered a cyber attack in 2017, where the data compromised included phone numbers, birth dates, names, passwords and financial details. An estimated 15 million UK citizens were affected.

Facebook were held to have unfairly processed the data of users by allowing application developers access to their information without proper consent being given, with one of the developers having access to 87 million users' information worldwide (the Cambridge Analytica scandal).  

Applicable Data Protection Legislation

Due to the timing of the events that related to the failures of both Equifax and Facebook, the penalties applied were under the old regime of the Data Protection Act 1998 (DPA 1998). It should be noted that the fines imposed were the maximum amount allowed under the DPA 1998, indicating the severity of the breaches.

Since 25 May 2018, the GDPR has taken effect in the UK. Under the GDPR the ICO is able to impose far greater fines in relation to personal data breaches - up to a maximum of either €20 million or 4% of global turnover. The ICO commented in relation to the Facebook breach that the "fine would inevitably have been significantly higher under the GDPR", indicating that they will not be afraid in the future of imposing super fines on companies that reflect the severity of the breach.

Practical Lessons

These two fines are a good reminder to businesses that the level of protection they afford to the personal data they hold is a matter which needs to be taken very seriously. Below are some ways for businesses to improve the level of protection they provide in respect of individuals' personal data for which they are responsible.

1. Update and maintain security systems

This would include ensuring that adequate anti-viral software is installed on computers and any hand held devices used, as well as considering the most secure way to store the personal data of individuals.  Equifax follow a long list of high profile cyber attacks (e.g. NHS WannaCry) where out of date software was being used and / or patches were not applied to address vulnerabilities.

2. Training for staff

Businesses need to ensure that all staff are adequately trained and that they are provided with refresher training sessions. There is a high likelihood that personal data breaches will occur due to an employee error (e.g. clicking on a link in a phishing email). Employees should be confident that they are aware of the risks and of the systems in place within a business, should a breach occur, to attempt to minimise the damage caused.

3. Encryption of personal data

Businesses should consider encrypting the personal data that they hold. A data breach may occur due to human error, such as an employee leaving a memory stick which contained personal data in a public place. Items like memory sticks should be encrypted and, to add an additional level of protection, they could be restricted to use by only particular personnel for restricted purposes.

4. Minimising the data held

It was reported in 2017 that J.D. Wetherspoon deleted all the email addresses of customers that it held on their mailing list following a data breach they had in 2015, in order to minimise the data they held. Although businesses do not have to take such extreme action, they should consider what data they hold and why, and whether it ought to be securely deleted. The less personal data held by the business, the less risk of personal data being compromised.

5. Data Protection Policy

Businesses should consider having a well drafted Data Protection Policy, setting out how the business should process and handle the personal data they hold to ensure compliance with data protection legislation. Not only will this serve as a good indicator of any current inadequacies that the business may have with how they currently process the personal data, it will also serve as a reminder to employees of the procedures in place to protect the personal data held.

6. Data locations

You need to know where your data is held, particularly sensitive information. There were echoes of the TalkTalk October 2015 cyber attack as Equifax failed to identify the system as vulnerable so did not therefore apply the relevant patch. Businesses must know what systems and databases they control.

There were also two other important practical lessons:

1. Transfers of data outside the EEA

You must ensure the transfers comply with Chapter V of the GDPR. The ICO were critical of Equifax Ltd not having a legal basis for such transfers as they had not entered into the appropriate model clauses with Equifax Inc.

2. Intra-group transfers

The ICO were also critical of Equifax Ltd failing to take appropriate steps to ensure Equifax Inc was appropriately protecting its data. We appreciate auditing your parent or checking they have adequately secured or removed data can seem pointless as "they are all part of the same group" – but in fact group companies can be operated in very different ways.

For more information please contact Tom Torkar or Hannah Drew in our Commercial team. 

This article is for general information only and does not, and is not intended to, amount to legal advice and should not be relied upon as such. If you have any questions relating to your particular circumstances, you should seek independent legal advice.