Equifax: what if it had been September 2018?

On September 7, 2017 Equifax announced a “cybersecurity incident potentially impacting approximately 143 million U.S. consumers”, which it attributed to criminal exploitation of a U.S. website application vulnerability over a period of some two months ending in July of 2017.


There are many interesting things about the Equifax announcement, but perhaps the most interesting was that Equifax discovered the unauthorised access on July 29, but did not notify the breach, or make an announcement in respect of it, until over a month later[1]. For many, the time between discovery and announcement may seem unjustifiable and unacceptable.


In Europe, the approach to notification presently differs from country to country. For instance, in the UK, there are presently limited circumstances in which a data security breach must be reported to the data protection authority. Conversely, in Ireland the Personal Data Security Breach Code of Practice requires notification to the Data Protection Commissioner of any situation where personal data has been put at risk of unauthorised disclosure, loss, destruction, or alteration.


In the US, security breach notification is a requirement that has been around for some time, albeit it differs from state to state. The State of Georgia (the home of Equifax), requires an information broker to notify consumers of an unauthorised acquisition in the:


most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system.

So, how might the advent of GDPR impacted Equifax’s response if the breach had occurred after May 2018?


Article 3: Territorial scope

As paragraphs 23 and 24 of the preamble to GDPR explain, GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union where the processing activities are related to:

  • the offering of goods or services to such data subjects in the European Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the European Union.

When dealing with a data breach affecting 143 million users, it may be very difficult for Equifax, as a global organisation, to reach a conclusion the breach did not in any way affect the personal data of data subjects in the European Union. Consequently, they might prudently decide GDPR applies to the data they have been processing and affected by the breach. Indeed, the statement issued by the UK’s Information Commissioner that “[r]eports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern[2], suggested that conclusion had already been reached by at least the ICO[3]


Articles 33 and 34: Notification and communication of a personal data breach

Where there is a personal data breach, the controller must “without undue delay” notify the supervisory authority of the breach. This has to be within 72 hours after having become aware of it, if feasible.


Where the breach is likely to result in a high risk to the rights and freedoms of the data subjects (e.g. because the data breach might give rise to a theft of funds), then the breach must be communicated to the data subjects without undue delay.


In both cases Equifax would have to describe the likely consequences of the data breach, as well as the measures being taken to address it and mitigate its adverse effects.


This means Equifax would likely have been advised to make notifications (at least to the European authorities), and communicate the issue by the end of July – unless it just wasn’t feasible to do so.


Articles32: Security of processing

GDPR imposes obligations on data controllers and processors to implement technical and organisational measures to ensure the security of personal data being processed. This requirement, if properly addressed may have prevented the breach in the first place.


However, it will set the standard Equifax will need to adopt in its response to the breach, both in the immediate and long-term.


Article 82: Right to compensation and liability

Any person who has suffered material or non-material damage as a result of an infringement of GDPR has the right to receive compensation from the controller or processor for the damage suffered.


This right to compensation is critical as it provides an additional impetus to ensure losses that may be suffered by data subjects because of the security breach are mitigated very quickly. In this case, it might have encouraged a rapid lock-down of the data lost through immediate communication to data subjects and regulatory authorities – in any event much quicker than a month.


Article 83: Administrative fines

As most observers are now aware, GDPR provides scope for the imposition of significant fines on data controllers and processors who get it wrong. Those fines, in a case such as this[4], could be up to €20m or 4% of the total worldwide annual turnover of the undertaking. The speed and nature of Equifax’s response would undoubtedly have been driven by this potential consequence.


The reason and background to Equifax’s apparent delay in communicating its Cybersecurity Incident may not be immediately apparent to us right now, but if it had taken place twelve months later, the impact of GDPR may have given rise to a different, and perhaps quicker response, as well as a different outcome for Equifax.




[1] The September 7 release states that Equifax will send direct mail notices to consumers and is in the process of contacting U.S. state and federal regulators

[2] ICO’s statement of 8 September 2017, Deputy-Commissioner Dipple-Johnstone

[3] As at the time of writing, no reference to the breach had been made by the Data Protection Commissioner in Ireland

[4] Where there may have been a breach of the obligation to process data in a manner that ensures appropriate security of personal data