Back in 2017, significant UK customer data that Equifax Ltd held on the servers of its US parent, and for which it acted as a data controller, was compromised in a cybersecurity incident. FCA took the unprecedented step of announcing at the time that it would be carrying out an investigation. Almost exactly six years later, it published its final notice on the matter – imposing a fine of over £11 million.
What happened, and what could Equifax Ltd have prevented?
Simply put, Equifax Ltd had transferred significant amounts of consumer data relating to two of its products to its US parent, Equifax Inc, to process on its behalf.
Equifax Ltd has fallen under FCA's regulatory remit since April 2014, when it obtained an interim permission to carry out credit reference agency and other services, and became fully authorised at the beginning of March 2017. It was obliged to comply with FCA rules as soon as it obtained its interim permission.
In March 2017, an unauthorised third party exploited known vulnerabilities in Equifax Inc's systems which had not been adequately patched. Equifax Inc became aware of the incident in late July 2017 and took action to secure its systems (having previously failed to take appropriate action on receipt of an alert about the vulnerability two days before the attack). One month later, it realised that UK consumer data may have been compromised by the incident, and it informed Equifax Limited about the incident around a week later. This meant that Equifax Ltd did not find out about the breach until 6 weeks after Equifax Inc had discovered it and only 5 minutes before it was announced by its parent company. FCA learned about the incident through press reports, and when it contacted Equifax Ltd to ask for more information the firm was unable to provide it because it didn't have it at the time..
As a result of the breach, personal data relating to approximately 13.8 million people in the UK (as well as nearly 150 million in the US and nearly 20,000 in Canada) was compromised by cyber-hackers because Equifax Ltd had outsourced it to servers of Equifax Inc in the US which did not have adequate security measures. The compromised data included information such as names, dates of birth, partially exposed credit card details and residential addresses.
In imposing the fine of £11,164,400, FCA found Equifax Ltd to have breached Principles for Business 3 (for failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems), 6 (for failing to pay due regard to the interests of customers and treating them fairly) and 7 (for failing to pay due regard to the information needs of its clients and communicate information to them in a way which is clear, fair and not misleading).
Equifax Ltd benefited from a 30% reduction in fine for settling the action, and a 15% credit for mitigation because of its high level of cooperation, the voluntary redress it offered to consumers and the group’s global transformation programme that followed the incident.
What did Equifax do?
Once the breach became public, Equifax Ltd was soon overwhelmed by the volume of complaints it received from consumers and took the decision to stop applying its normal quality assurance processes in relation to the complaints. It also struggled to assess the number of UK consumers who were affected, partly as a result of not having kept its own records of the data transferred as it wrongly believed that data had been deleted (and had failed to ensure that records that should have been deleted the previous year had indeed been deleted), and then as a result of a decision not to continue some avenues of investigation because it was too resource intensive.
It also made a number of public statements relating to the impact of the incident on UK customers that could be read in a misleading way, and which it took no steps to correct when it discovered this.
What could Equifax have done differently?
Key to Equifax Ltd's problems, and a large factor in FCA's findings against it, was that it had failed to treat the relationship with its US parent as outsourcing from a UK regulatory perspective. A risk framework and outsourcing policy put in place within Equifax Ltd in late 2015 had failed to identify and address the risks of an intragroup transfer and storage of UK consumer data and it had inadequate policies relating to security breach incidents for this scenarioAs a result of the decision not to treat the arrangement as outsourcing, Equifax Limited did not provide sufficient oversight of how data it was sending was properly managed and protected. FCA stressed that where the processing of data is outsourced, including intra-group, UK regulated firms remain responsible for ensuring that all regulatory requirements are met. Equifax Ltd did not do this. FCA found that it was aware of serious security patching problems at Equifax Inc before the incident occurred but did not take action in response – which it would have done had it treated the arrangement as an outsourcing. The breach was, therefore, entirely preventable.
To make matters, worse, because Equifax Ltd discovered the information so late, because Equifax Inc had delayed taking legal advice on whether the breach was reportable to the UK authorities and because it did not have in place arrangements with its parent that allowed it quickly to get the information it needed on affected UK customers, this caused the delays in dealing with complaints which led to it both breaching the provisions of the DISP rules and failing to treat customers fairly by not maintaining quality assurance checks for the complaints.
And, to make matters worse again, the "Security Executive" appointed under the Equifax Ltd procedures reported directly to Equifax Inc (which told him about the incident on 1 September but both refused to confirm or deny whether UK consumers were affected and threatened him with dismissal if he asked any more questions or told anyone about the incident).
Had Equifax Ltd properly recognised the outsourcing for what it was, it should have ensured the arrangements complied with the provisions in SYSC 8 of FCA's Rules. As it was, it was clear that intra-group arrangements were not subject to the same risk assessments as non-group outsourcings. And, while the intra-group arrangements over time did include some provisions that could have been helpful, such as an ability for Equifax Ltd to carry out audits, it did not in fact carry out any audits (and the FCA Final Notice suggested Equifax Inc would have been unlikely to have allowed it to do so).
FCA stressed that regulated firms must have effective cyber-security arrangements to protect the personal data they hold and to keep systems and software up to date to prevent unauthorised access. If there is a breach, the firms must notify affected individuals as soon as possible in a way that is fair, clear and not misleading. Jessica Rusu, Chief Data, Information and Intelligence Officer at FCA also noted the raising of standards that the Consumer Duty requires.
Lessons to be learnt
The FCA's decision demonstrates that UK regulated firms which suffer major cyber security incidents, and, in particular, those leading to the compromise of consumer personal data should be cognisant not only of the risk of significant regulatory penalties from the ICO, but also from the FCA. Although in relation to this incident the ICO issued a much smaller financial penalty than the FCA for Equifax Ltd's identified failures relating to its obligations under the Data Protection Act 1998 (£500,000), it is worth remembering that this was the maximum financial penalty that could be issued by the ICO under the old regime, and that if comparative findings were to now be made by the ICO under the UK GDPR and DPA 2018 regime they would likely attract much higher penalties.
The decision also serves as a stark reminder that UK regulated firms should have policies and procedures in place that enable them to identify all arrangements that constitute outsourcing, to appropriately risk assess them, and to ensure they comply with FCA's rules by including in their outsourcing agreements appropriate controls to enable them to monitor the performance of the provider – and, of course, properly to exercise these powers. And that this equally important whether the service provider is a group company or a third party. An added complication where intra-group outsourcings are concerned are the possible conflicts and compliance risks presented where a key individual has reporting lines outside the regulated UK entity. So, while the FCA's Final Notice shows many faults on the part of Equifax Inc, it also shows not only how the initial incident was preventable, but also how stronger arrangements could have helped Equifax Ltd manage the crisis once it had occurred.