More than a year after it suffered a data breach affecting 146 million consumers around the world, Equifax has been served with its first financial penalty.
The U.K. Information Commissioner’s Office fined Equifax 500,000 GBP for multiple violations of the Data Protection Act 1998 after it was discovered 15 million unique records belonging to British citizens were affected in the breach.
The ICO investigation found Equifax violated five of the eight data protection principles within Schedule 1 of the Data Protection Act, including processing data in a fair and lawful manner, using data for limited purposes, ensuring data is not kept for longer than needed, keeping information secure, and only transferring data to other countries when it is properly protected.
The agency decided to levy the maximum monetary punishment it could under the Data Protection Act due to the number of data violations and records exposed. Within its monetary penalty notice, the ICO also cited failing to receive a satisfactory explanation for Equifax’s data inadequacies, and the length of time those vulnerabilities were in place and unaddressed, as reasons for the 500,000 GBP sum.
All 15 million data subjects had their names and dates of birth compromised, with 637,430 data subjects having their telephone number also affected by the breach and an additional 19,993 having their telephone number and driver’s license number stolen in the cyberattack.
Since the data breach took place in 2017, the ICO had to follow the Data Protection Act rather than the EU General Data Protection Regulation when assessing potential fines.
“The fine could have been much higher under the GDPR, up to 17 million GBP or 4 percent of global turnover,” whichever would be higher, the ICO said in an emailed statement. “But as the breach was investigated under previous legislation it’s impossible to put a figure on it. What’s important is that people have to have trust and confidence in organisations to look after their personal information. Organisations have to get this right.”
With the ICO taking action in such a notable case, regulators around the world will surely take notice, including U.S. enforcement agencies. Perkins Coie Partner Janis Kestenbaum, who served as senior legal advisor to former FTC Chairwoman Edith Ramirez, said the Federal Trade Commission and other domestic regulators pay attention to the work of their global colleagues, but it's most important for agencies to make decisions based on their own statutes and constituents.
The FTC announced it had launched its investigation into the Equifax breach last September. Given the transition the FTC has experienced over the past year, Kelley Drye & Warren Partner Alysa Hutnik, CIPP/US, who often defends clients in front of the FTC, said a lengthy inquiry into the incident was likely, adding it is possible progress could be announced on the probe in either the fourth quarter of 2018 or the first quarter of 2019.
The enforcement action coming out of the U.K. could be used to jumpstart an ongoing debate between the FTC and Congress. Hutnik notes the agency asks lawmakers on a yearly basis to grant it civil penalty authority in data breach cases, and the Equifax situation, combined with the private right of action within the California Consumer Privacy Act of 2018, could be used as leverage by the FTC to obtain those powers.
Kestenbaum said while it is possible the ICO notice could be used by the FTC as an example of why it should have civil penalty authority, she believes a single enforcement action from a regulator outside of the U.S. will not move the needle for Congress.
However, even without the power to offer a civil penalty, the FTC has plenty of avenues it can pursue against the credit monitoring firm.
“I think what we’ve seen in the past is that the FTC has certainly been active on data breach enforcement, and the settlement orders without civil penalties are fairly expensive obligations on companies,” said Hutnik. “Under their Section 5 authority, they can do injunctive relief, and they can seek equitable remedies. I don’t see the FTC pursuing disgorgement here.”
Hutnik and Kestenbaum both said state attorneys general could look to issue penalties to Equifax, as many have the civil penalty authority the FTC lacks. Given the size of the Equifax breach, it is possible several AGs join forces to administer a fine of their own.
“Privacy has gotten so much discussion and affects every business, given the reach of GDPR, and I think the state attorney general working groups on privacy are sensitive to those global developments,” said Hutnik. “The state AGs are likely to see, particularly with a civil penalty authority levied, that this is a notable development, and evaluate that as it relates to how they may be exploring and using their civil penalty authority in data breach and privacy related investigations.”
There will likely be more massive data breaches similar to Equifax in the coming months and years, and with them will be more investigations and regulatory actions. The GDPR may give the European Union a clearer path to doling out those penalties, but the U.S. still has a long path ahead.
“These issues are still relatively new when you compare them to other legal issues that agencies deal with. It’s still really early and it’s going to be quite some time before we get to a place where this becomes routine, where people’s authority becomes well settled,” said Kestenbaum. “I certainly think it’s possible, for instance with the FTC, that while we may or may not see any kind of change in its authority in the near or even in the medium term, in the long term I think there’s lots of different things that may happen.”