In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the questions every business should be asking. This month we look at why the Financial Conduct Authority (FCA) have fined Equifax £11m for a cybersecurity customer data breach discovered in 2017. We also look at why the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) have signed a joint Memorandum of Understanding as well as reviewing individuals’ rights around data portability.
We take a look at why this is important and the implications for both businesses and individuals.
Find out more below.
Financial Conduct Authority fines Equifax £11m for 2017 cybersecurity customer data breach
What happened
- On 13 October 2023 the Financial Conduct Authority (FCA) fined Equifax Ltd £11,164,400 for failing to manage and monitor the security of UK consumer data it outsourced to its parent company Equifax Inc in the US
- The FCA had announced that it was investigating Equifax in 2017. Equifax Inc had been hacked and the personal data of 13.8m individuals had been compromised
- The data included names, dates of birth, phone numbers, login details, partial credit card details and addresses
- Important factors causing the large fine were the prolonged nature of the breach due to systemic inadequacies, failure to identify appropriate security measures and inadequate contractual arrangements between Equifax UK and US
- Interestingly, the ICO fined Equifax £500,000 in 2018 in relation to the same breach. That was the maximum fine allowable at the time
- Equifax also failed to carry out quality assurance checks on complaints received and this meant that complaints were mishandled
- Equifax should have treated the risks around outsourcing to their parent company at the same level of seriousness as if the outsourcing had been to a third party
- Additionally, personal data should have been deleted when no longer required. The breach impact would have been less if the millions of records stored on US servers had been deleted once no longer required
Why it matters
- It is unusual that this fine was imposed by the FCA and not the ICO. It is a significant breach involving personal data and one of the largest in history
- Equifax did not manage its outsourcing arrangements with its US counterpart properly and it did not tell individuals what was happening to their data
- Equifax did not retain accurate records of the data it had released to Equifax Inc so even when it became aware of the breach, it had difficulty in identifying and notifying relevant customers
- Organisations must make sure that even when personal data is outsourced within the same group of companies, risks must be identified, managed, monitored and mitigated
- This incident shows that regulated firms are at risk of fines from both the FCA and the ICO when a data breach occurs
Further information
Further details of the fine can be found at
ICO and NCSC sign Memorandum of Understanding
What happened
- In September 2023 the ICO and National Cyber Security Centre signed a joint Memorandum of Understanding (MoU)
- This sets out how both organisations will collaborate and cooperate more in relation to cybersecurity
- The main areas of collaboration will relate to cybersecurity standards and guidance, but there will also be improvements in the cybersecurity of regulated organisations
- The MoU also covers the sharing of information, cooperation between the two parties in terms of incident management and how the NCSC will support the ICO’s cybersecurity measures
- There are 6 areas of collaboration:
(i) The development of cybersecurity standards by each party
(ii) Assessing and influencing improvements in cybersecurity of regulated organisations
(iii) Information sharing
(iv) The NCSC supporting the ICO’s own cybersecurity
(v) Cooperation between the NCSC and the ICO in relation to incident management
(vi) Public communications and press releases will be agreed upon to support consistency
Why it matters
- Collaboration between the ICO and the NCSC is a positive step in monitoring and improving cybersecurity in the UK
- There is a clear link between data protection law and what the NCSC does in the wider cyber landscape
- The government’s Cybersecurity Breaches Survey 2023 confirmed that cybersecurity breaches remain a common threat with 32% of businesses and 24% of charities reporting breaches or attacks in the year surveyed, so cybersecurity is a priority moving forward
Further information
The government’s survey can be found at
New data portability rights for individuals
What happened
- Data protection laws (in the UK and elsewhere) currently provide individuals with personal data portability rights
- This means individuals can move, copy or transfer personal data easily from one IT environment to another and it means that they can take advantage of applications and services that can use this data to find them a better deal
- However, data portability rights have not always led to the benefits that were expected when the laws were made. This is because technical issues have restricted what organisations can do, so individuals have often found it difficult to move their data from one organisation to another
- A number of government-backed draft laws are now being considered to create new data portability rights and obligations
- In the UK, this means the equivalent of the EU’s Digital Markets Act: the draft Digital Markets, Competition and Consumers Bill
- The new bill is expected to create new powers for the UK competition authority, which might include requiring larger businesses with ‘strategic market status’ to allow greater personal data access
- In addition, the UK’s draft Data Protection and Digital Information (No. 2) Bill will allow the UK government to introduce ‘smart data schemes’ across the UK, hoping to replicate the UK’s existing ‘open banking’ scheme
Why it matters
- It is important that individuals can obtain and reuse their personal data across different services
- In particular, companies that provide core platform services (e.g. online search engines, online marketplaces and social networking services) must be capable of enabling individuals to move their personal data easily
- The proposed new smart data schemes will enable the secure sharing of data with authorised third-party providers upon the individual’s request. This will allow individuals to access and use services from different providers across various sectors, e.g. banking, energy and communications
- Individuals will be able to have more control over their data, access more personalised and tailored services and products, compare and switch providers more easily and benefit from lower prices and better choices
- Going forward, it will be important for organisations to assess what changes are needed to their processes to make sure they can adequately provide the right of data portability
The ICO has provided guidance on the right to data portability at Right to data portability | ICO