Equifax Ltd (Equifax) has been fined £11,164,400 by the Financial Conduct Authority (FCA) for a major security breach. The FCA found that it failed to manage and monitor the security of UK consumer data, which it had outsourced to its US-based parent company and which was stolen in a cyber security breach. The FCA’s long-running investigation follows the 2018 investigation by the Information Commissioner’s Office (ICO) into the same data breach, as a result of which Equifax was fined £500,000.
The case serves as a stark reminder of the importance of regulated firms having effective information management arrangements in place to ensure the protection of personal data that they hold, as well as appropriate response mechanisms should that data be compromised. It also reinforces the fact that FCA authorised firms retain full accountability for discharging their responsibilities under the UK regulatory framework and cannot delegate or transfer regulatory responsibility for any of the functions that they outsource to third parties (intra-group or otherwise).
As a credit reference agency and data analytics business, Equifax holds and is responsible for the protection of significant volumes of customer data.
The 2017 hack of Equifax’s US parent company Equifax Inc. was one of the largest cyber security breaches in history. The personal data of approximately 147.9 million individuals (including 13.8 million UK consumers) was compromised by hackers, including full names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses. According to the FCA, the cyber-attack was “foreseeable and entirely preventable”.
Intruders were able to access the UK consumer data stored on computer servers based in Alpharetta, Georgia, because Equifax had transferred this information to its US parent company for processing. However, the FCA found that Equifax did not treat the arrangement with its parent as an outsourcing from a regulatory perspective. As a result, the arrangement fell outside the controls that Equifax’s Outsourcing Policy and risk management framework would otherwise have applied, and Equifax failed to provide sufficient oversight of how the UK consumer data it was transmitting was managed and protected.
Equifax reportedly did not become aware that UK consumer data had been stolen until approximately six weeks after the US parent company had discovered the hack. The UK company was reportedly also only informed about the breach five minutes before the incident was made public by the US parent company. This meant Equifax in the UK was left “unable to cope” with the volume of complaints it received and led to significant delays in it contacting affected customers. Certain public statements made by Equifax regarding the impact of the incident were also found by the regulator to be misleading.
In its Final Notice, which was published on 13 October 2023, the FCA concluded that Equifax had breached Principles 3, 6, and 7 of its Principles for Businesses, which apply to all regulated firms. More details on the breaches are set out below.
Principle 3: management and control
Under Principle 3, regulated firms must take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.
The FCA determined that Equifax breached Principle 3 by failing to put in place an appropriate risk management framework that allowed it to identify, manage, monitor, and mitigate the risks inherent in outsourcing the processing of sensitive UK consumer data to its US parent company.
In particular, Equifax approved an incident handling framework under which, in the event of a cyber security breach affecting data processed and stored by an intra-group company, there was a significant risk that the interests of other parts of the Equifax group (and in particular its US elements) could be placed above the interests of the UK company. There were also risks common in many cases of intra-group outsourcing, including that known weaknesses at the group level would not be treated with the same degree of seriousness and rigour as would be the case if the outsourcing had been to an independent third party.
The FCA also found that, prior to the hack, Equifax was already aware of serious security issues at its US parent company, and that had Equifax treated the arrangements as material outsourcing, its risk management framework would have required it to take action. Equifax had also not kept records of the data it had transferred, because it wrongly believed that the data had been deleted. Combined with access restrictions which were imposed when the breach was discovered by the US parent company, this meant that Equifax was unable to obtain a copy of the relevant UK consumer data. This then caused delays in Equifax identifying and notifying affected customers. Relatedly, Equifax failed to properly ensure that sensitive data was deleted from its parent’s servers when it substantially ceased outsourcing to the parent in September 2016.
Principle 6: customers’ interests
Under Principle 6, regulated firms must pay due regard to the interests of their customers and treat them fairly. In the context of a data breach, this means that it is essential that firms promptly notify affected individuals and inform them of the steps that they can take to protect themselves.
The FCA found that Equifax breached Principle 6 by failing to properly manage its outsourcing arrangement with its US parent, leading to delays in Equifax finding out about the incident. As noted above, Equifax also did not keep sufficient records of the data transferred, resulting in further delays in it promptly identifying and notifying affected individuals. Further, the FCA identified significant shortcomings in Equifax’s complaints handling process in relation to the incident, exposing customers who complained to the risk of unfair outcomes.
Principle 7: communications with clients
Under Principle 7, firms must pay due regard to the information needs of their clients, and communicate information to them in a way which is clear, fair, and not misleading.
The FCA found that Equifax breached Principle 7 by publishing several statements after becoming aware of the incident that gave a significantly inaccurate impression of the number of customers that had been affected. For example, in September 2017, Equifax published a press release stating that it intended to contact 400,000 individuals, when it was already aware by this point that up to 15.1 million individuals could have been affected. While the FCA did not believe Equifax intentionally set out to mislead the public, when it became apparent that the language was interpreted in an inaccurate way, Equifax did not take steps to clarify the position until nearly a month later.
The FCA’s investigation into Equifax raises several key issues that are likely to be of interest for regulated firms that handle personal data of customers, particularly where outsourcing is involved.
- Perhaps most importantly, the fine highlights how crucial it is for firms to have sufficient policies, procedures, and systems in place to protect any personal data that they hold. As noted above, the FCA has made clear that regulated firms remain responsible for such data even where its processing is outsourced. This is especially relevant in light of the FCA’s new Consumer Duty, which makes it clear that firms must raise their standards to avoid causing harm to consumers.
- The Equifax case also serves as a reminder that the same requirements apply to regulated firms even where outsourcing takes place intra-group. Firms should be mindful of this and avoid assuming that such arrangements are lower risk, and take steps to ensure clear lines of communication and accountability throughout groups.
- Equifax’s fine further reinforces the need for firms to have an effective communication strategy in place for when they become aware of a breach. As noted above, the UK entity was only notified of the incident minutes before it was made public. Upon hearing of the incident, a senior executive leader at Equifax noted that the incident came before him as a “bad surprise”. Firms should ensure that they have sufficient policies and procedures in place to identify any data breaches immediately, and to enable them to execute an appropriate remediation plan in the event of a breach.
- Notwithstanding the gravity of the breach, the FCA recognised that Equifax displayed a high level of cooperation during the investigation. Equifax also implemented a voluntary redress programme whereby affected consumers were offered identity protection products free of charge. Firms should note that taking such steps may serve as a mitigating factor in the event of a similar cyber security breach.
This is not the end of the potential liability for Equifax, as claims by an estimated 10,000 claimants are being pursued in the English courts. The leading case of Bennett & Others v Equifax Limited EWHC 1487 (QB) is currently tied up in procedural issues about how these claims might most efficiently and proportionately proceed. However, if the case goes to trial and the claimants are able to satisfy the thresholds for liability and show that they have suffered sufficient harm to be compensated, then the additional liabilities for Equifax could be very substantial.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2023