Mismanaging client data can cost you! Lessons to be learned from Equifax
Late last year, UK based Equifax Ltd was issued with a penalty of 500,000GBP by the Information Commissioner (UK) (the Commissioner) in relation to a privacy breach. The breach occurred under pre General Data Protection Regulation (GDPR) laws which resulted in a significant “savings” for Equifax. If the same incident occurred now, the penalty could have been significantly higher as it would be based on four per cent of Equifax’s global turnover.
The breach arose as a result of a cyber-attack which occurred between May and July in 2017. The breach affected data held by Equifax Inc in the US. This included personal data of UK individuals held in approximately 15 million records.
Even though the cyber-attack was suffered by the US based entity (Equifax Inc), the UK entity (Equifax Ltd) was still liable for the breach of UK citizens’ privacy. Equifax Inc had transferred all data from the US to Equifax Ltd in the UK. However, Equifax Inc did not delete all of the data after the migration.
This resulted in Equifax Ltd being found to have failed to take appropriate measures against unauthorised and unlawful processing of the data.
The same situation can arise under the Australian Privacy Act 1988 (Privacy Act). That is, once an Australian entity collects personal information, the entity is obliged to comply with the Privacy Act. These obligations extend to taking reasonable steps to ensure that overseas parties that hold the personal information, also comply with the Privacy Act.
It is common for the cross-border exchange of information to be governed by contractual arrangements, which was the case with Equifax. However, the Commissioner found that the Data Processing Agreement between the entities was inadequate because it did not provide appropriate safeguards such as setting security requirements, and it also did not incorporate standard contractual clauses.
Lesson One: Australian entities must ensure that when transferring information to an overseas entity, there are measures in place to ensure that the overseas entity complies with the Privacy Act.
Lesson Two: Ensure that any written agreements relating to the cross-border exchange of personal information are robust and include all clauses necessary for ensuring compliance with the Privacy Act.
Processing / Using personal information
The Commissioner found that Equifax Inc had retained the personal information longer than was necessary after migrating the data to the UK system. Under the UK law, and GDPR this gives rise to the requirement of having a lawful purpose to process the data, and to not keep data when there is no lawful reason for processing it.
There are equivalent obligations in Australia. Personal information must only be used for the purpose it was collected (including permitted secondary purposes), and an entity holding personal information must take reasonable steps to destroy, or de-identify, personal information when the entity no longer needs the information for the purpose it was collected.
Even though Equifax Inc was the entity that held the information for longer than required when there was no purpose to hold it, Equifax Ltd was found liable for this. This is because the Commissioner found that Equifax Ltd did not adequately follow up on the removal of the data by Equifax Inc.
The same decision could be made in Australia, if the Australian entity was found to have not taken reasonable steps to ensure that the overseas entity destroyed or de-identified personal information when there was no longer a purpose for keeping the information.
Lesson Three: The best way to keep personal information secure is to not keep it if you don’t need it! Australian entities must ensure that personal information is not retained if it is no longer needed in light of the purpose for which it was collected, or to otherwise comply with the law.
Lesson Four: Australian entities should also ensure that any overseas entities which hold personal information provided by the Australian entity are also complying with this obligation.
Having adequate procedures and following them
Some of the personal information that was compromised was customer account information such as passwords, and security questions. Equifax Inc had a Cryptography Standard which stated that all such information should be kept encrypted.
Despite this, Equifax Inc had stored this information in a plain text file, kept in an accessible shared file, outside of the protected database.
Equifax argued that keeping the password information in the plain text file was a fraud prevention technique, and that it would be a risk to have disclosed this technique to consumers.
The Commissioner did not accept this argument. The Commissioner’s view was that processing the data this way was an inappropriate security risk, given other measures and the resources available to Equifax. Further, the Commissioner found that there was no valid reason for Equifax Inc to depart from its own Cryptography Standard when saving the information in a plain text file.
Lesson Five: If policies are implemented within the business, then there must be measures in place to ensure that they are being complied with.
Assess and monitor security measures
The cyber-attack was caused by exploitation of a vulnerability in the web application framework that Equifax Inc used in its consumer-facing online disputes portal.
Equifax Inc had been made aware of the vulnerability in March 2017 by the US Department of Homeland Security Computer Emergency Readiness Team, who informed Equifax Inc that this was a critical vulnerability, requiring immediate attention.
Equifax Inc disseminated the information internally, however the particular installation on the consumer-facing disputes portal was not identified and not patched. Internal scans did not identify the vulnerability on this portal.
The Commissioner found that Equifax Inc had failed in its security measures by:
- not adequately encrypting all personal data;
- not adequately protecting user passwords;
- failing to address known IT vulnerabilities;
- not having up to date software;
- failing to undertake sufficient and regular system scans;
- failing to ensure appropriate network segregation;
- permitting accounts to have more permissions than needed;
- storing service account passwords in plaintext files and allowing the files to be accessed by staff; and
- failing to ensure other technical measures provided appropriate protection due to an expired certificate in an SSL decryptor, which prevented traffic being properly checked by the intrusion prevention system.
Equifax Ltd was once again found responsible for the security failures of Equifax Inc, because in the Commissioner’s view, Equifax Ltd did not undertake an adequate risk assessment of the security arrangements in place with Equifax Inc. Similarly, even though Equifax Ltd had the contractual right to conduct audits of Equifax Inc’s security it did not do so.
Of interest was the Commissioner’s regard to the state of technological development and cost of measures available to Equifax Inc in light of the prevention measures which it actually undertook (or failed to undertake). As a large, well-resourced and experienced data controller the Commissioner expected more.
Lesson Six: If you enter into a contract with a third party in relation to the exchange of personal information, then it is reasonable to expect that you will be monitoring compliance with the third party’s compliance with those obligations.
Lesson Seven: Under the Privacy Act, an entity must take reasonable steps to protect personal information. The security failures identified in this case provide beneficial guidance on the type of matters that should be considered when assessing whether your security measures are reasonable. Those measures should be assessed in light of the size and nature of your organisation as well as the resources available to you.
Contact one of our privacy lawyers if you would like to understand more about your obligations.
Author: Fiona McCord (Senior Associate)