
Financial Conduct Authority’s £11 million data breach fine

If you have a data breach, how you handle it matters. It matters to customers and regulators.

The FCA’s fine was issued to Equifax’s UK arm, Equifax Limited. The breach which led to this fine occurred at Equifax Inc, its US parent company. A hack at the US company led to UK consumer data being accessed. It is reported that the data included identifiers, contact information, login details and partially exposed credit card details.

Patchy security

The FCA has stated that Equifax Limited did not treat the handling of data by its parent company as outsourcing and that, in its view, the arrangements were therefore not subject to appropriate scrutiny. The problems are vividly captured in the following extract from the FCA’s decision notice:

“Prior to the Incident, Equifax Ltd was aware of serious security patching problems at Equifax Inc. Had Equifax Ltd treated the arrangements as outsourcing, it would have been required under its Outsourcing Policy and risk management framework to take action in response.”

The FCA further stated that the risks were compounded because Equifax Limited had “failed to properly ensure that millions of data records were deleted from Equifax Inc’s servers when it substantially ceased outsourcing its EIV product to Equifax Inc in September 2016.”

Dealing with the aftermath

The FCA was also critical of a number of aspects of the post-breach management. Firstly, the UK company was only informed of the hack shortly before the parent company announced it, which, in the FCA’s opinion, impaired its ability to deal with the complaints that followed. The FCA also criticised Equifax Limited for giving ‘an inaccurate impression of the number of consumers affected’ by the breach in a number of public statements, and for having ‘mishandled’ complaints following the incident.

The FCA’s expectations

The FCA determined that Equifax Limited had breached Principles 3, 6 and 7 of the Authority’s Principles for Businesses. These relate to the obligation to have appropriate risk management systems, the obligation to pay due regard to the interests of customers and treat them fairly, and the obligation to communicate with them in a way which is clear, fair and not misleading.

In its press release the FCA noted:

“When an FCA-authorised firm becomes aware of a data breach, it is essential it promptly notifies affected individuals in a way which is fair, clear and not misleading and implements fair complaints handling procedures.”

The role of mitigation

The FCA’s announcement indicated that were it not for Equifax Limited’s agreement to resolve the matter, its high level of cooperation with the investigation, its voluntary offer of redress to consumers and its global transformation program, the fine would have been just under £16 million.

Double jeopardy?

The ICO investigated the same incident in 2018 and fined Equifax £0.5 million (i.e. under the pre-GDPR regime). This case is a reminder that breaches of data protection requirements, and conduct related to the handling of data breaches, can also engage other regulatory requirements. That is true both for regulated businesses and for regulated professionals. The potential consequences are not limited to financial penalties.

Key takeaways

Supply chain risks require active management. This includes appropriate due diligence before entering into service agreements, proper contractual foundations, active management throughout the contract’s life, and vigilance over risk when relationships come to an end, including the return or deletion of data.

IT security requires getting the basics right. A properly managed program of security patching is essential.

Group companies are distinct legal entities. The shared interests across a group can lead to blurring of those distinctions and blind spots in relation to risk, and regulatory compliance. Properly mapping and formalising the sharing of services across the group plays an important role in risk management.

If you have a data breach, how you handle it matters. It matters to customers and regulators.

CyXcel have the depth and breadth of legal and technical expertise to navigate you through the challenges of the digital world, harnessing opportunities and managing risk. Contact our highly experienced team for assistance in transforming and defending all aspects of your business.