So, everybody is pretty much aware of the incident by now: the world-renowned credit rating agency ‘Equifax’ discovered a data breach in their systems that exposed the private and economically sensitive information (social security numbers, credit card numbers, birth dates, etc.) of approximately 143 million U.S. and 44 million UK citizens.
There will be plenty of articles analysing what that means from a UK/European data protection perspective, and we may join this analysis in the forthcoming weeks. But what would have happened if this very same incident had taken place after the new General Data Protection Regulation (GDPR) came into force?
Hypothetical scenario: Equifax data breach on the 25th May 2018
Article 4 (12) GDPR defines ‘personal data breach’ as
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
According to the original source, the statement released by Equifax, unauthorised access by criminals took place from mid-May to June 2017. “The information accessed primarily includes names, Social security numbers, birth dates, addresses and, in some instances, driver’s licence numbers” in addition to “credit card numbers”. So, from the very beginning it’s clear that this security incident would fall within the definition of ‘personal data breach’ of Article 4 (12) GDPR.
The statement was released on the 7th September 2017, more than one month after the breach. It seems that Equifax acquired knowledge of the fact on the 29th July 2017. Leaving aside the fact that its greedy senior executives apparently sold part of their shares before the breach had been made public, this 44-day delay would definitely exceed the ‘undue delay’ that Article 34 GDPR establishes for communicating the data breach to the affected people in those cases in which the breach “is likely to result in a high risk to the rights and freedoms of natural persons”. And given the nature of the data, we are likely facing a scenario of potential identity theft.
The more-than-one-month delay would also surpass the narrow 72-hour period that (with particular exceptions) Article 33.1 GDPR establishes as the limit for notifying the competent supervisory authority of the breach in detail. In this case, that would be the UK Information Commissioner’s Office (ICO).
In that regard, by the way, the ICO has already released a statement about this breach on its website, stating the following:
Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.
We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.
But coming back to our hypothetical scenario: what would the consequences for Equifax be in this horror-like simulation? Well, Article 83.4 GDPR establishes that:
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Now, if you want some relief and a laugh, this Stephen Colbert piece on Equifax will at least make you smile:
- “Equifax hack: What’s the worst that can happen?”, by CNN.
- “Equifax hack exposes regulatory gaps, leaving consumers vulnerable”, by The New York Times.