On September 7, 2017, Equifax, a credit protection services company and one of the three major consumer credit companies within the U.S., disclosed a data breach that affected a current estimate of 143 million customers, including people within the U.S., Canada, and the U.K. The cyberattack was discovered by Equifax on July 29th, and it was reported that the attacker(s) had access to Equifax’s systems and information from mid-May through July 2017. The data compromised included social security numbers, birth dates, addresses, driver’s license numbers, credit card numbers, and more.
Given it’s such a large breach, there are obviously many “what if” scenarios being floated regarding this Equifax scandal. In that vein, I thought it would be interesting to run through some hypotheticals on possible outcomes had this Equifax breach been found in violation of GDPR, especially since Equifax disclosed that 693,665 residents in the U.K. were affected by said breach, with their email addresses, usernames, passwords, secret questions with answers, partial credit card information, driver’s license numbers, and phone numbers put at risk. The EU General Data Privacy Regulation (GDPR), enacted on May 4, 2016, becomes mandatory on May 25, 2018.
Because it is not, in fact, mandatory at this current date, please note that this exercise in no way is intended to make claims or assertions that Equifax violated GDPR, nor is it possible to be certain of the exact GDPR penalties that would be assessed had they been found in violation.
GDPR Points of Interest & Equifax’s Possible Culpabilities Under GDPR
An EU-based data controller or processor falls into its scope where personal data is processed “in the context of its activities”, a broadly interpreted test.
Equifax identified personal information from U.K. residents within the breach. Roughly 693,665 U.K. residents were found to be a part of the breach from a file of 15.2 million U.K. records stolen. (KrebsOnSecurity)
GDPR will apply to organizations which have EU “establishments”, where personal data are processed “in the context of the activities” of such an establishment. “Establishment” was considered by the Court of Justice of the European Union (“CJEU”) in the 2015 case of Weltimmo v NAIH (C-230/14). This confirmed that establishment is a “broad” and “flexible” phrase that should not hinge on legal form. An organisation may be “established” where it exercises “any real and effective activity – even a minimal one” –through “stable arrangements” in the EU.
According to their website, Equifax is “headquartered in Atlanta, GA. Equifax operates, or has investments, in 24 countries in North America, Central and South America, Europe and the Asia Pacific region.”
Equifax Limited and Equifax Secure Limited had an office in London, according to the ICO Data Protection Register. Additionally, while searching their employment openings, it became clear they had positions and locations within EU countries including:
- United Kingdom
As Equifax has multiple physical locations within the U.K. and Ireland, it should be safe to say they would be considered as having EU establishments.
Where no EU presence exists, the GDPR will still apply whenever: (1) an EU resident’s personal data is processed in connection with goods/services offered to him/her; or (2) the behaviour of individuals within the EU is “monitored.”
Recital 22: Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.
Recital 23: …the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment…factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Had Equifax not had a physical presence within the EU, they could still be found liable under GDPR for processing EU residents’ personal information. Equifax operates a website with a U.K. country code and offers services in British Pounds (£).
- Equifax operates the equifax.co.uk website, which means it offers services directly to residents of an EU member state
- Equifax offers Identity Watch Pro, which could be considered behavior monitoring
The GDPR does not apply to the processing of personal data (General Provisions Article 2(a-d)):
in respect of activities which fall outside the scope of EU law (e.g. activities concerning national security);
in relation to the EU’s common foreign and security policy;
by competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences and associated matters;
by EU institutions, where Regulation 45/2001/EC will continue to apply instead of the GDPR.
by a natural person as part of a “purely personal or household activity.”
Equifax would not fall into any of these GDPR exemption categories.
Recital 31: Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law.
For a portion of their business units, Recital 31 could qualify as a win for Equifax within the GDPR. Equifax’s business operations included services to the U.S. government, including the IRS for identity validation of taxpayers. If any of the EU data obtained was for the purposes of these services, that data could be considered outside GDPR regulations.
As a side note, the IRS renewed this contract with Equifax on September 29th, but the contract was suspended due to additional security issues and public concerns that were identified on October 10th.
Recital 32: Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
Equifax is a large service provider to financial institutions, credit monitoring services, and other institutions. As one of three major consumer credit companies, Equifax often managed consumer data without consumers’ knowledge. Many consumers were not notified of where their data was going or being stored.
Recital 34: Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.
Equifax is a strong proponent of biometrics, including voice identification and other methods, such as fingerprints, as replacements for passwords. Currently, no biometric data has been listed as compromised within the Equifax breach.
Recital 39: The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used… Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed… Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
I have assumptions that Equifax lacked transparency at the time of the breach, and did not use clear and plain language for relaying information to consumers on the use of data, especially since many consumers were unaware Equifax managed their personal information. However, at the time of this article, there is nothing concrete to corroborate those assumptions. One definite failure of Equifax was in “preventing unauthorized access to or use of personal data,” as they did fail to have a sound patch management process within their organization, which was one factor that led to the breach.
Recital 42: For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Equifax acts as a service provider for a large number of organizations. Many consumers compromised within the current Equifax breach did not have direct contact or interactions with Equifax services, but were affected because they utilized a product from one of Equifax’s clients. If GDPR were currently enforceable, a case could be made that all such businesses must disclose that Equifax, as their service provider, will be processing and storing customer personal information.
Article 33 Paragraph 1: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Though Equifax internally confirmed a breach at the end of July 2017, they did not report the breach until September 7th. They were significantly outside the 72-hour period for notification.
Recital 146: The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage.
Equifax would more than likely be found partially responsible for the damages incurred from the breach, as they publicly claimed the breach was a result of missing security patches. As Equifax was responsible for patching their systems, they should be unable to claim exemption under this article.
Article 5 Paragraph 1(f): Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality').
Equifax failed to protect the confidentiality and security of the personal data they maintained. Equifax had patching breakdowns within their organization that allowed a breach of data to occur. Based on the information obtained by the attackers, including credit card numbers and passwords, it appears Equifax may not have been properly protecting data at rest with methods such as encryption or hashing. Either attackers obtained access to decrypted information with elevated privileges or access to encryption keys, or highly sensitive information was not properly protected at rest.
Article 6 Paragraph 1(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Article 6 Paragraph 1(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
A large complaint raised during the Equifax breach was that many consumers did not realize Equifax was managing their personal data, nor did they give Equifax permission to do so. Some consumers were affected by the breach due to affiliations with other companies that utilized Equifax as a third-party service provider. As many may not have realized this connection, and as such did not give direct consent to Equifax, Equifax would have been non-compliant with Article 6 Paragraph 1(a).
Equifax’s main role is to maintain credit reports on U.S. citizens. They also perform identity verification for at least one government agency, the IRS. In this scenario, it is plausible that Article 6 Paragraph 1(e) could allow Equifax to process data without the consent of the data subject when processing on behalf of a government agency.
Administrative fines Article 83 Paragraph 2(a-k)
1. Nature, gravity and duration of infringement…number of data subjects affected and level of damage suffered
2. Intentional or negligent character of infringement
3. Action taken to mitigate damage suffered
4. Responsibility of controller including technical and organizational measures implemented
5. Previous infringements by controller
6. Cooperation with supervisory authority to remedy infringement
7. Categories of personal data affected
8. Notification of infringement processes to supervisory authority
9. Whether a prior case on the same subject matter existed
10. Adherence to codes of conduct
11. Any other aggravating or mitigating factors such as financial benefit or losses avoided
- Email addresses, usernames, passwords, secret questions with answers, partial credit card information, driver’s license numbers, and phone numbers were the reported compromised information.
- According to Equifax, they are cooperating with the U.K. to remedy breach issues. However, the glaring fact remains that Equifax should have reported the breach within 72 hours, but instead they waited well over a month.
- Equifax has had prior breaches within their organization. In 2016, one of Equifax’s customers, the grocery retailer Kroger, had over 430,000 W2 records compromised due to Equifax’s online access practices.
- Equifax’s technical and organizational measures appeared to fall short during the breach.
- Equifax waited until September 7, 2017 to report on the breach identified on July 29, 2017. Equifax took actions to investigate and reportedly remediate the areas breached, while also offering those affected new services to monitor for malicious attempted use of breached information.
- I don’t think anyone would claim the Equifax breach was intentional. There could be a case for negligence, as there was a lack of data protection procedures in place.
- The Equifax breach reportedly happened between mid-May and the end of July 2017. Over 693,665 U.K. residents were affected by the breach. Damage suffered is yet to be determined; however, 15.2 million U.K. records were reported breached.
- Bullets 8-10 would be difficult to discuss, as Equifax was not held to GDPR at the time of the breach.
- However, this last bullet is interesting for Equifax. They were breached, compromising personal information for millions of consumers, and then turned around and offered a service for monitoring consumers in the event that breached information is utilized maliciously. Additionally, customers who utilize Equifax as a service provider, such as LifeLock, were advertising and pushing services for protecting those involved in the breach. LifeLock’s services utilize Equifax, which means everything comes full circle, and Equifax profits once again from its own breach. Moreover, some of Equifax’s executives took large payouts upon their resignations post-breach, and some cashed in stock days after the breach was identified.
GDPR Possible Damages for Non-Compliance
- Equifax reported revenues in 2016 of $3.144 billion, or at current rates, roughly €2.61 billion.
- Tier 1 maximum: “The higher of 4% or €20 million Euro” which would equate to ~$125.8 million or ~€104.0 million.
- Tier 2 maximum: “The higher of 2% of global turnover or €10 million” which would equate to ~$62.9 million or ~€52.0 million.
- Consumers would have the right to directly sue Equifax for damages (Article 82(1)).
- Supervisory authority would have the ability to temporarily or definitively suspend data flows.
Under GDPR, an EU citizen has the right to:
- Withdraw consent for further processing of their information (Article 7 Paragraph 3)
- Request information on what personal information of theirs is being utilized and how
- Request that Equifax “forgets” them, i.e., removes all traces of their information that has not been pseudonymised from its systems (Article 17 Paragraph 1(a))
To a company the size of Equifax, the highest tier fine—4% of their annual revenue—would translate to $125.8 million, which is not a substantial amount. However, it must be taken into consideration that this is just one of many compliance violation penalties the company could be facing. Additionally, under GDPR they could be looking at lawsuits stemming from individuals personally affected by the breach.
For example, without any GDPR fines, the Target breach reportedly cost the company over $300 million, and the breach at Home Depot was found to cost around $179 million. If you take these figures and tack on an additional $125.8 million for GDPR violations, you can now start to see the impact.
At the end of the day, the fines are still chump change. Home Depot’s breach was in 2014, and in 2016, just two years later, they claimed record earnings of $8.0 billion. Similarly, Equifax will more than likely take a financial hit this year and possibly next, but at the end of the day it will never amount to the value of the information exposed during their breach.
About the Author
Kate Donofrio is a Senior Associate with Schellman. Prior to joining Schellman in 2016, Ms. Donofrio worked as a Senior Security Assessor specializing in PCI DSS compliance audits and information security consulting engagements. Ms. Donofrio also led and supported various other projects, including HIPAA, social engineering exercises, information security training, and technical risk assessments which included vulnerability scanning and penetration testing. She has nearly 15 years of combined experience within the information technology and information security fields, comprising service to clients in various industries, including call centers, financial institutions, healthcare, hospitality, and e-commerce. Further, she has experience with performing both systems and network engineering. Ms. Donofrio is now mainly dedicated to performing PCI DSS assessments.