Greetings from Brussels!
Interesting development out of the U.K. this week. Equifax, the U.S. credit reporting company at the heart of the recent and much publicized breach, will now face formal investigations by not one, but two regulatory authorities in the U.K. over its data breach last month where some 15.2 million U.K. data records were accessed. Both the Financial Conduct Authority and the Information Commissioner's Office are now investigating the credit reference agency.
In a brief statement this week, the FCA announced opening a formal investigation. Publicly revealing investigations is a rare move for the financial watchdog, which said it was doing so because of the “public interest” in the case. The U.K. Treasury select committee wrote to the FCA earlier this month to demand details about what it was doing over the cyber-attack that Equifax first revealed in September. The letter from the chair of the U.K.’s House of Commons Treasury Committee questioned whether Equifax had violated the terms of its license to operate in the U.K. and asked whether the regulator has the power to compel the company to provide compensation to U.K. consumers impacted by the breach.
The select committee’s heightened interest arose from Equifax increasing its forecast of affected U.K. customers to 700,000, from its original 400,000, which already made it the U.K.’s biggest cyber attack to date. Levels of personal data compromised range from credit card information to driving license data and contact details. "Hundreds of thousands of people in the U.K. have been affected by the Equifax data breach," said Nicky Morgan, chair of the House of Commons Treasury Committee. "The FCA is right to investigate the circumstances surrounding it."
A spokesperson for the U.K.'s ICO said: "It is a complex and fast-moving case and we are working closely with other U.K. regulators and our counterparts in Canada and the U.S." The case is certainly complex, and what the ICO will make of all this is anyone’s guess, but it’s a reminder that the biggest data breach ever to affect U.K. citizens happened in the U.S. — a foreign jurisdiction — beyond the oversight of the U.K.’s data protection regime. This brings into question so many different aspects, including international data transfers and the protection afforded U.K. (EU) data beyond the borders of the EU. It’s not even a given whether the new and much improved EU-U.S. Privacy Shield agreement could have made a difference in such a case; it was, after all, seemingly a case of human error — of one employee — involving network security errors that facilitated the breach.
Equifax said in a statement that it was already working closely with the FCA and other authorities: “We welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future.”
Since the scandal broke, Equifax’s chief executive has resigned and U.S. lawmakers have threatened the credit-checking industry with a legislative crackdown in the wake of the episode, which has put a staggering estimate of half the adult population of the U.S. at risk of identity theft. Lawmakers have called for reforms that threaten to upend not only Equifax but also its two big rivals, TransUnion and the London-listed Experian. The big three, which have expanded their clientele beyond banks into sectors such as insurance, government and health care, generated about $9 billion in total revenues last year.
There is still some way to go in this case, given the multitude of regulators and other government entities involved across international jurisdictions. Notably though, while the ICO’s fining powers only stretch to £500,000, the FCA can impose far more severe fines for breaches. We will have to wait and see where the conclusion to this story lands.