Six years after it announced the commencement of its investigation, the Financial Conduct Authority (FCA) has issued a Final Notice against Equifax Ltd (Equifax) and fined the firm a total of £11,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company, Equifax Inc, based in the US.
Equifax agreed to resolve all issues of fact and liability and therefore qualified for a 30% settlement discount. Were it not for this discount, the FCA would have imposed a financial penalty of £15,949,200 on Equifax.
Factual Background
Equifax is a credit reference agency and data, analytics and technology business. Due to the nature of its business, Equifax holds and analyses vast amounts of personal data. Equifax is authorised by the FCA.
In 2017, Equifax Inc, the parent company of Equifax, was subject to a large-scale cybersecurity attack which resulted in cyber-hackers gaining access to the personal data of approximately 147.9 million individuals in the US; 13.8 million individuals in the UK; and 19,000 individuals in Canada, thus exposing them to the risk of financial crime. The UK consumer data that was accessed by the hackers included names, dates of birth, phone numbers, credit card details, Equifax membership login details and residential addresses.
The hackers were able to access UK consumer data on Equifax Inc's servers in the US because Equifax outsourced its data to Equifax Inc for processing. Equifax Inc is not authorised and regulated by the FCA. The FCA concluded that the cyberattack and unauthorised access of data was entirely preventable. The FCA found that Equifax failed to put appropriate frameworks in place to monitor and manage the security of the UK consumer data and was therefore vulnerable to cyber attackers. Equifax were aware of weaknesses in Equifax Inc's data security systems and failed to take appropriate action in order to protect UK consumers' data.
Equifax Inc did not notify Equifax of the cybersecurity incident for six weeks. Equifax were informed of the incident approximately five minutes before Equifax Inc announced it to the public. As a result, Equifax were unable to appropriately deal with the complaints it received. The FCA also concluded that Equifax exposed its customers to unfair treatment by ceasing vital quality assurance checks on its complaints handling processes, resulting in complaints being mishandled.
Following the cybersecurity breach, Equifax published statements regarding the impact of the incident on UK consumers. The FCA determined that these communications did not meet its requirements in terms of being fair, clear and not misleading. It was noted by the FCA that Equifax failed to take appropriate action to correct its public statements when it became clear that they were being interpreted in an inaccurate way.
Consequently, the FCA found that Equifax was in breach of the following Principles of Business:
- Principle 3 - a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems;
- Principle 6 - a firm must pay due regard to the interests of its customers and treat them fairly; and
- Principle 7 - a firm must pay due regard to the information needs of its clients and communicate information to them in a way which is clear, fair and not misleading.
Comment
This is the latest in a long line of cases involving FCA-authorised firms outsourcing functions to overseas companies within the same group. Following a major regulatory failure, the FCA will typically investigate and find that the overseas firm's operations did not comply with UK regulatory requirements. However, because the overseas firm falls outside the jurisdiction of the FCA, the FCA's findings will be directed at failures on the part of the UK firm properly to document and manage the outsourced relationship.
In determining the penalty, the FCA imposed two fines on Equifax. The first was for failings that led to the incident itself and the immediate aftermath. The second penalty related to Equifax's failure properly to handle complaints. Interestingly, the FCA applied a 15% discount to the first penalty, in part, because Equifax implemented a voluntary redress programme such that consumers were offered identity protection products free of charge. The FCA records that Equifax estimates that it would have cost consumers in the region of £324,509,428 if all redress products offered had been taken up and purchased on the open market. On its face, this does appear generous in circumstances where the FCA had already made a finding that complainants were not treated fairly. Furthermore, the cost to Equifax of providing the redress products to consumers would be significantly less than the retail cost.
It is notable that the FCA fine comes a full five years after the UK's Information Commissioner's Office ("ICO") fined Equifax £500,000 for an infringement of the then applicable Data Protection Act 1998. That was the maximum fine available to the ICO at the time; if the infringement had occurred after May 2018, then the GDPR maximum fine of £17.5m or 4% of global annual turnover (whichever is higher) would have been available.