The fallout from the recent Equifax data breach is continuing as the Financial Conduct Authority begins its investigation into exactly what happened. Meanwhile fresh hype is being created as it emerges that thousands have turned to identity-theft-protection company Lifelock in order to protect their personal information, unaware that in doing so they are actually signing up for services that still rely on Equifax data.

The fact that Lifelock uses the company in order to carry out credit-score checking and monitoring is not unusual; organisations often use other outfits to provide components of their overall service. It can be more efficient and cheaper to use a specialist third party for a particular matter such as credit checking than to try to carry it out in-house.

The real cause for trepidation lies in the lack of transparency involved as it appears that those concerned about the whereabouts of their personal data following the Equifax breach are, in essence, seeking help from the same organisation that lost their data in the first place.

This is concerning on two fronts:

  1. Equifax is profiting from its own breach as it is receiving revenues from carrying out checks for Lifelock customers that would likely not have become customers had the breach not occurred.
  2. Customers simply have no idea that the organisation they are trusting to check their data so they can regain control of it, is using an organisation in which those very same customers have lost trust because it compromised their data in the first place

This lack of transparency is symptomatic of an age in which vast amounts of personal data are shared amongst organisations without the subjects knowing with which organisations such data is being shared and their locations, along with why it is being shared. Sometimes those sharing the data in the first place lose sight of where it ends up and how it is used once it is out of the original disseminator’s hands.

Often a privacy policy will set out what data is shared with third parties, their location and the purpose for sharing it. Lifelock’s own policy says that personal data is shared with third-party service providers and it lists examples such as payment verification services and financial institutions. However, it does not actually name those service providers, nor does it state their location. The purpose for the sharing is also obscure in that it merely says generally for verifying identity, notifying of new features, services and for fulfilling billing orders or requests.

The new General Data Protection Regulation coming into force next year will place increased pressure on EU-based organisations. Greater transparency will be required from those outside the EU doing business with EU data subjects, in terms of who they are sharing data with, where and for what purpose. The GDPR has real bite too, as the fines are hefty if organisations breach the rules.

Consumers can also protect their data by ensuring that they read the online privacy policy before agreeing to it and signing up for services which involve sharing their personal data. The small print is a time-consuming and daunting task for most of us, but it is all too easy to skip over the legalese, making data susceptible to misuse. While a service provider may not agree to negotiate its privacy policy with the individual consumer, questioning its data-sharing activity will force it to rethink things or force regulators to take a closer look at its practices! Organisations that are collecting and using personal data need to start rethinking their practices and be more transparent before consumers, and ultimately regulators, force their hand.

Opting to climb to a new level on the transparency skyscraper makes business practices more visible and ultimately gives consumers a better view. It also means that organisations will be held to greater accountability. And while the consequences of the Equihack may loom for years, as a society we must be more proactive in our decisions on what to share and what to safeguard, and organisations that use personal data must be more transparent about their practices in order to preserve their ability to continue to legitimately to do so to achieve their business goals.

This is the second article in a two part series. To view the first installment please click here.

For further information please contact:

This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.