In May and June 2017, credit rating agency Equifax fell victim to cyber-attacks that reportedly affected 146 million customers globally, including 15 million UK citizens.
Today (20.09.18) the Information Commissioner’s Office (ICO) concluded its investigation, finding that Equifax had failed to lawfully protect its UK customers’ personal data from those attacks, as it had not put in place appropriate steps to ensure that its data processor (its American parent company, Equifax Inc) adequately protected that information.
As a result, Equifax was fined half a million pounds, the maximum fine the ICO could impose under the old data protection legislation (the Data Protection Act 1998).
What A Difference A Year Makes
The BBC reported that an Equifax spokesperson said the firm was "disappointed in the findings and the penalty". However, it will no doubt be relieved that the cyber-attacks didn’t take place after 25 May 2018, when stricter rules on data protection took effect by virtue of the General Data Protection Regulation (GDPR).
Under the GDPR (which was implemented in the UK through the Data Protection Act 2018), Equifax could have seen an eye-watering fine of up to £17m or 4% of its global turnover. The ICO has stressed in its communications today that it was bound by the old rules in this case, and that businesses should therefore not expect to receive such low fines for similarly serious breaches that occur after May 2018.
Equifax may be “disappointed” by the result, but it could have been worse. The cyber-attackers could have waited a year…