Equifax breach disclosure would have failed Europe’s tough new rules

U.S. consumers hearing the news yesterday of a massive Equifax data breach, which the company revealed potentially affects 143 million consumers, and includes data such as names, addresses, dates of birth, social security numbers, drivers’ licenses and — for a subset of hundreds of thousands — credit card information too, not only had to contemplate the horrendous scale of the thing.

They were also left to grapple with an Equifax ‘emergency response line’ that hung up on them, and an Equifax data breach ‘help’ website that appears to raise a lot more questions than it answers — not least the core consideration that it’s requiring desperately worried consumers to trust a company that has failed to protect their personal data with more of their personal data, by inputting it into a web form, just to check whether they might be affected by the breach.

And that’s before you even consider whether Equifax is trying to use the site’s terms of service to get users to waive their rights to bring a class action lawsuit against it — as appears to be the case. Which would be spectacularly unclassy, to say the least.

The cherry on this unlovely layer cake is the fact the credit checking company states it found out about the breach on “July 29 of this year” — while the unauthorized access apparently occurred “from mid-May through July 2017”.

Which means it’s given itself well over a month before deigning to tell consumers their personal data might be in the hands of identity thieves.

That might not seem so bad if you compare it to the current biggest (known) data breaches — affecting at least 500M Yahoo accounts, and more than 1BN Yahoo accounts — which took place years before the company disclosed the intrusions to the public, although it’s not clear when exactly Yahoo itself discovered the breaches.

Even so, 40 days remains an awfully long time for consumers to be kept in the dark about the fact their identities and other highly sensitive personal data might be being traded by hackers, used to compromise other services, and sold to spammers for targeted spearphishing attacks.

Equifax does not explain the length of time it took to inform the public about the breach. And yesterday it said it “will” be writing directly to affected individuals, and is “in the process of” contacting state and federal regulators. So, very clearly, the company hasn’t been spending any of the past 40 days warning affected individuals or informing data watchdogs that its systems had been breached.

The US does not currently have a federal law requiring companies to inform the public about data breaches, though one was proposed in 2015 under President Obama which would have set a 30-day notification requirement, but it failed to get support.

And while the vast majority of states have enacted breach notification statutes of their own at this point, and some have stricter notification requirements than the 2015 proposal, others don’t. It’s a patchwork — and therefore a lottery for U.S. consumers.

Over the pond in the European Union the story is different. A single breach notification standard for personal data was agreed at the end of 2015 — and is set to come into force in May 2018, under the incoming GDPR (General Data Protection Regulation).

This will set a data breach notification bar across the bloc of “not later than 72 hours” after a data controller has become aware of an intrusion.

There are some caveats to this portion (Article 33) of the regulation (phrases like “without undue delay and, where feasible”, and some potential for exclusion based on the type of data being breached: “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”).

But the expectation is clearly that data controllers must disclose a personal data breach to a national data protection supervisory authority, at the very least, radically sooner than the ‘40 days later’ which Equifax reckons is an acceptable disclosure timeframe.

(The type of data involved in the Equifax breach is clearly highly sensitive, so this incident would seem a very unlikely candidate for qualifying for a notification exemption under GDPR.)

Another change Europe’s incoming rules are bringing is a big stick to drive compliance for the new breach notification standard, as companies that do not comply with the new rules risk very stiff penalties for failing to do so.

In the case of non-compliance over breach notification, the GDPR gives data watchdogs the power to issue fines of up to €10M (~$12M) — or up to 2% of the total worldwide annual turnover of a company’s preceding financial year, whichever is higher.

In Equifax’s case its 2016 operating revenue was ~$3.145BN. So — under the GDPR regime — the company might have faced a fine of around $62.9M if it hadn’t reported this data breach multiple weeks sooner than it chose to. (Indeed, it’s expecting its full year 2017 revenue to be even higher, between $3.395BN and $3.425BN, so this theoretical fine inflates to as much as $68.5M.)

Which does rather give pause for thought.

If you’re a multinational corporation processing the personal data of EU citizens those sorts of figures probably send some rather large shivers down the CEO’s spine.

Equifax does indeed have a European presence, and has also said that some UK consumers are affected by the breach — writing yesterday that as part of its investigation it “also identified unauthorized access to limited personal information for certain UK and Canadian residents”, and adding: “Equifax will work with UK and Canadian regulators to determine appropriate next steps.”

So if these events had been shifted just a few months into the future Equifax might well have been forced to handle the breach disclosure very differently — or else it would be risking a very large fine under GDPR.

The question then would be, would it have informed the UK regulator of the breach within 72 hours whilst continuing to keep U.S. data watchdogs and U.S. consumers in the dark? That wouldn’t seem like great domestic PR.

The aim of Europe’s new rules is of course to encourage companies that collect and store consumers’ personal data not to treat the security of that data as an afterthought. And large fines for failure are certainly one way to grease the pipe of security spending among corporates.

As the UK’s DPA warns on its website in an FAQ about the new breach notification rules: “In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place.”

An interesting potential side-effect of the new, tougher regime is whether it will end up forcing higher standards on non-European businesses, especially those in the U.S. — given many do handle EU citizens’ data, and will therefore need to reconfigure their processes to meet the bloc’s new standard.

(The GDPR also expands the definition of what personal data is, and brings additional requirements such as a right for consumers to see what information is held about them and have it deleted on request — so there are other big changes incoming.)

We’ve reached out to Equifax in the UK for comment and will update this post with any response.

In a statement, the deputy commissioner of the UK’s data protection watchdog, James Dipple-Johnstone, told us: “Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.”

“We will be advising Equifax to alert affected UK customers at the earliest opportunity,” he added.

I’ll leave you with this final food-for-thought: