What the ICO action on the Equifax breach might tell us about future GDPR enforcements

The 20th of September publishing by the ICO of its Monetary Penalty against Equifax drew headlines across the UK press as well as analysis and review by the Data Protection and Data Privacy services community. Typically when we see these Data Protection Act (DPA 1998) fines we do a quick calculation to work out what the penalty might have been had the breach occurred post the introduction of the GDPR era that started on May 25th 2018. A reading of the 31 page, ignoring the blank page at the end, of the ICO’s report suggests a number of elements of the GDPR compliance strategies being implemented that we might want to review for adequate controls given the ICO findings.

Only retaining the data required for processing (GDPR 5[1]c)

In paragraph 32(1) of the ICO report they find that Equifax had previous to the breach migrated UK citizen data from a US located system, exposed in the hack, to a UK based system. However even though they no longer needed to hold the data in the US after the migration it hadn’t been deleted exposing it to the US system hack.

Review Points:

  • Do migration plans include the erasing of data from the old source system and from any temporary file or data stores used during the migration.

  • Is your data retention policy fit for purpose and are you testing the retention controls to ensure the policy is being followed.

Lawful purpose for processing personal data (GDPR 5[1]b, 6, 30[1]b)

In paragraph 32(2) of the ICO report they find that in respect to the GCS dataset held by Equifax US there wasn’t documentation or awareness of ‘the purpose for which it was being processed’. Absent of a lawful purpose the data should have been erased.

Review Points:

  • Are purposes documented for each process in your Article 30 process log.

  • Are you removing personal data that no longer has a valid lawful purpose or no lawful purpose.

Adequate risk assessments on transfers (GDPR 35, Chapter 5)

In paragraph 35(2) of the ICO report they find that Equifax UK did not undertake an adequate risk assessment of the security arrangements at Equifax US before transferring the UK Citizens data.

Review Points:

  • Is conducting Data Protection Impact Assessments (DPIA) part of the culture of your organisation.

  • Is there sufficient testing that your teams are completing DPIA’s in 100% of circumstances.

  • Is your DPIA sufficiently thorough to identify risks and are controls in place to review the DPIA on a regular basis.

Data Processing Agreements (GDPR 44)

In paragraph 35(3) of the ICO report they found that the Data Processing Agreement(DPA) between Equifax UK and Equifax US dated 23 October 2014 was inadequate as it failed to provide appropriate safeguards and failed to incorporate the required standard contractual clauses. In paragraph 35(5) the ICO finds that the DPA between Equifax UK and Equifax US dated 28 February 2017 failed to provide adequate safeguards/security requirements. In paragraph 35(6) the ICO finds Equifax UK didn’t carry out appropriate audits of Equifax US’s security. In paragraph 38(3) the ICO also finds weaknesses in the safeguards for transfers outside the EEA in the 2017 DPA.

Review Points:

  • Do you have Data Processing Agreements(DPA) in place with all your data processors be they international organisations, cloud service providers or other legal entities within your organisation.

  • Do you have controls in place to confirm 100% coverage of DPA’s with all of your data processors.

  • Do your DPA’s have the right level of safeguards.

  • Do your DPA’s incorporate the required contractual clauses.

  • Do you have controls in place to review your DPA agreements on a regular cycle.

  • Do you have controls in place to review that the security measures of your data processor meet relevant security requirements.

Data Security (GDPR 5[1]f, 30[1]g, 30[2]d, 32, 35[7]d, 35[9], 47[2]d)

In paragraph 35(7) of the ICO report they find that inadequate security measures were in place. Whilst these were security measures at the data processor Equifax US the ICO sees that Equifax UK is responsible for ensuring adequate security measures. The report identifies nine(9) security weaknesses which includes storage of passwords in plaintext, not keeping software up to date and not patching for know vulnerabilities which enable the hack.

Review Points:

  • Do you have sufficient encryption of personal data.

  • Are user passwords encrypted. The ICO rejected Equifax’s submission that user passwords were stored in plaintext for the purpose of fraud prevention and password analysis.

  • Are you addressing know IT vulnerabilities by promptly identifying and applying appropriate patches.

  • Do you keep software fully up to date.

  • Do you have regular system vulnerability scans in place with adequate scanning tools.

  • Do you have network segregation in place.

  • Do access accounts have only the permissions required for the task and are controls in place to validate this on a regular cycle.

  • Are service accounts passwords secured and are controls in place to regularly verify who has access to the passwords

  • Are SSL certificates still valid and are controls in place to renew before they expire.

Third country data transfers (GDPR 45, 46, 48, 49)

In paragraph 38(1) of the ICO report they find Equifax failed to apply DPP8 Schedule 4 derogations for transfer of data to a third country outside the European Economic Area, in this case to the US.

Review points:

  • Are processes transferring data to a third country documented in your article 30 log.

  • Do you have appropriate safeguards in place for transfers to third countries as listed in article 46.