The Financial Conduct Authority (FCA) announced on 13 October 2023 that it has fined Equifax Ltd (Equifax) £11,164,400 for “failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US”. Equifax is a major credit reference agency authorised and regulated by the FCA. The fine relates to the Equifax Identify Verifier (EIV) service – this product allows Equifax’s clients to verify a consumer’s identity by checking it against other sources of data held by Equifax.
The FCA announced that it was investigating the Equifax incident in 2017 – it is not clear why it has taken six years for the investigation to be completed and for a fine to be issued.
In 2017, the servers of Equifax’s parent company – Equifax Inc – were accessed by hackers and, as a result, the personal data of approximately 13.8 million UK consumers were compromised. Equifax had outsourced the processing of this data to Equifax Inc.
The personal data accessed included names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.
The FCA highlights a number of failings as summarised below.
Principle 3 of the FCA’s principles for businesses (Principle 3) requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. The FCA found that Equifax breached Principle 3 in the following ways:
Principle 6 requires a firm to pay due regard to the interests of its customers and treat them fairly. When a firm becomes aware of a data breach, it is essential that it promptly notifies affected individuals and informs them of the steps that they can take to protect themselves.
Principle 7 requires a firm to pay due regard to the information needs of its clients and communicate information to them in a way which is clear, fair and not misleading. Equifax published several statements following the breach which gave, most significantly, an inaccurate impression of the number of consumers affected by the breach.
Equifax agreed to resolve this matter and qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedures. Equifax also received a 15% reduction for mitigation in acknowledgement of its high level of cooperation during the investigation, the voluntary redress it offered to consumers and the global transformation programme it instituted after the incident.
Equifax was also fined £500,000 by the UK Information Commissioner (ICO) in relation to the same breach. The ICO’s fine was issued in 2018 under the Data Protection Act 1998. At the time, this was the maximum amount the ICO was able to fine. Under the current UK data protection regime – the UK GDPR and the Data Protection Act 2018 – the ICO has the power to issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
The ICO recognised in its monetary penalty notice that the relevant data was, for the most part, not itself highly sensitive in terms of its impact on data subjects’ privacy. However, the ICO identified aggravating factors, including: the prolonged nature of the breach due to systemic inadequacies; failures to identify and ensure appropriate security measures, such as the implementation of patches, the encryption of personal data and the appropriate security of passwords; and inadequate contractual arrangements between Equifax and Equifax Inc.
In the wake of this breach, a group litigation order application was made on behalf of a number of potential claimants (the court stated that the number of potential claims may be in the region of 10,000). This mechanism is a procedure which enables the courts to manage large numbers of related claims together, but still requires individual claims to be issued for each claimant. In Bennett & Others v Equifax Limited [2022] EWHC 1487 (QB), the decision on whether to grant the application was deferred and will be considered by a managing judge at a case management conference. However, it was noted (in obiter) that “it may be unlikely that the entirety of the Claimant cohort will be able to establish either financial loss or distress to enable compensation to be awarded”.