In September Equifax suffered a major cyber security attack which resulted in the personal data of millions of people being compromised globally. The manner in which the company reacted in the aftermath of the hack is evidence of an organisation that was ill-prepared, and it is likely to trigger investigations on several fronts by several different regulators.
Not only did the company appear not to have a plan for how to react to an event of this nature, it seems that it may not have been in compliance with key data protection principles embodied in current European Union (EU) data privacy regulation and expanded upon in the new General Data Protection Regulation coming into force in the EU next year.
Gaps in compliance exposed
While most of the customers affected were thought to be Americans, the data of an estimated 693,665 British consumers was also feared stolen. Equifax and its UK subsidiaries count the likes of BT, Capital One and British Gas as customers in Britain, which means that the personal data of their customers, and of the customers of hundreds of other British companies using the services of Equifax to carry out credit checking, could have fallen into the wrong hands. Many of those British consumers would not have been aware that their data had been transferred to, and was being processed in, the US. The legitimate grounds on which Equifax transferred that data and processed it in a location outside the EU are something that will be scrutinised by regulators and acted upon if the company is found to have failed to legitimise the transfer and processing of personal data of EU citizens in a country not seen as providing adequate safeguards for the protection of that personal data. Equifax is also likely to find itself facing claims from its customers as individual data subjects challenge the legitimacy of the transfer of their data to the US and seek redress from the EU-based service providers, such as BT, British Gas and Capital One, with which those data subjects have contracts.
Bungling the clean-up
In the aftermath of the attack Equifax set up a website where customers could go and check if they had been affected. However, customers could only access the information if they waived any rights to sue Equifax. Later the company changed the website to remove the waiver, but those customers who wanted to freeze credit checks were first asked to pay. That certainly does not seem to be in the spirit of taking mitigating steps to minimise further damage and loss occurring from the initial breach. To top it all, Equifax directors sold shares after the breach had been discovered but before it had been made public. The company insists there was no insider trading, as those directors who sold their shares in the three days between the hack taking place and it being made public did not themselves know about the breach. That, in itself, is a cause for concern, as a breach of that nature should have been communicated to decision makers within Equifax without delay as part of a well-executed mitigation and disaster recovery plan, which would also have included instructions regarding share dealing by directors and employees at such a time.
On the regulatory radar
Lawyers and regulators are queuing up to investigate not only the circumstances of the breach to determine if there was anything that Equifax could have, and should have, done to prevent it but also to address the actions taken in the hours after the breach was discovered.
It seems that Equifax’s lack of a plan, or failure to execute a plan smoothly, to address the issue, to mitigate further damage and to restore the confidence of its customers and, in turn, of their customers, will damage its reputation and its business for a long time to come. Add to that its apparent lack of transparency in transferring the personal data of millions of EU customers to the US and processing it there, potentially without having a legitimate mechanism for doing so, and Equifax could well find itself under further scrutiny.
The cost of lack of planning
Failure to put in place lawful and robust data processing procedures and failure to formulate a plan and ensure that it was communicated and executed upon could prove to be very costly. It could also prove costly for Equifax’s customers that used its services to check on the credit ratings of their EU-based consumers without ensuring that Equifax was either only processing the personal data within the EU or transferring it by legitimate means to the US for processing there.
How to do better
So what should Equifax have done to save itself the bad press and the costly investigations which must surely now follow?
It is not the only organisation to suffer a high-profile cyber security attack. They are on the increase as hackers get more and more sophisticated and security solutions struggle to keep up with the infiltration methods of the perpetrators. As a result, it is now more than a question of concentrating efforts on preventative measures.
Organisations need to take a multi-layered approach.
- Firstly, preventative measures are still paramount: building systems with robust security is key.
- Secondly, having built the secure system, organisations also need to do regular maintenance to ensure that the security is kept updated, gaps plugged and improvements made such as segregating different chunks of data into separately secured bundles. Organisations need to be smarter about the way they store the data.
- Thirdly, building internal policies and procedures and ensuring that those accessing and handling personal data and other sensitive company data and secrets are educated on the importance of security and follow the policies and procedures designed to protect the integrity of such data.
- Lastly, but certainly not least important, establishing a plan on what to do if a breach occurs to mitigate the effects and ensure disaster recovery steps are taken as quickly as possible and to ensure effective communication. This should include making an informed assessment of whether notification of the breach to data controllers and/or regulators and data subjects is required, communicating with regulators and data subjects as required or by choice to restore confidence, as well as using technological solutions to recover lost data and re-secure storage and processing systems as quickly as possible.
Focus on what to do in the aftermath
Focusing on mitigation and disaster recovery is relatively new to technology companies, which tend to put all of their energy and resources into prevention. Slowly companies are learning that, to avoid the embarrassment of an Equifax-style bungle, they need to plan in advance how to react to a data breach. This includes having a plan to execute which applies to all data controllers and processors in a chain of processing activities, and which must include effective communication and cooperation with data privacy regulators.
In the Equifax case, its customers would also have needed to communicate with their customers regarding the breach. The likes of BT, British Gas, Capital One and other EEA-based organisations using the services of Equifax to credit score their customers may also need to demonstrate to regulators that they had carried out adequate due diligence on the processing activities of Equifax and taken all necessary steps to ensure that Equifax processed personal data relating to their customers in compliance with the relevant data privacy laws and regulations.
Securing data as an asset and not a liability
While data is an asset of most organisations today, it is also a liability where it is not properly secured and where the processing activities are not properly documented and traced, as the loss and damage associated with a leak of such data can outweigh the advantages of having that data. While it is impossible to prevent cyber security attacks altogether, the amount of data which is compromised and the manner in which such attacks are handled and the leaks redressed are key.
For advice on putting together effective and legally compliant policies and procedures for the collection, storage, transfer and processing of personal data and for managing a data breach, please contact Carolyn Bertin.
Carolyn is a technology lawyer specialising in data protection law with over 20 years’ experience working for organisations in the technology sector and more particularly in the cloud services industry.
This is the first of a two-part series.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.