Data breaches by rogue employees – employers still liable: Vicarious liability applies
John Warchus | 31.01.2019
10.10.2018 John Warchus
The recent introduction into UK law of the more stringent General Data Protection Regulation rules (GDPR) has certainly raised awareness of data protection and security. The Information Commissioner’s Office (ICO) has just announced a record fine in relation to a very serious breach that took place in 2017, which meant that the fine was imposed under the Data Protection Act 1998 rules rather than the new rules enshrined in the Data Protection Act 2018.
Whilst the new rules are certainly stronger than the previous ones and fines can now be up to €20m or 4% of total annual global turnover, it is likely that the general approach and principles used by the ICO in the Equifax fine would also be relied upon in calculating fines under the new rules.
Equifax is an international company which specialises in providing credit reference services. The relevant data processing arrangements were that Equifax Inc. in the US acted as a data processor, processing personal data on behalf of its UK company, Equifax Limited. A serious data breach occurred in the US between 13 May and 30 July 2017 which was later found to have affected 150m individuals, of whom approximately 15m lived in the UK. In most cases, the personal data compromised was just name and date of birth, but for approximately 15,000 UK individuals, the personal data that was compromised also included passwords and usernames in plain text, partial details of credit card numbers and recent payment history – i.e. information likely to be of interest and benefit to criminals and potential fraudsters.
Equifax Inc. initially discovered the breach on 29 July 2017 and later informed the UK company on 7 September and Equifax Limited promptly informed the ICO on 8 September 2017. The IT security investigation that took place after the breach was discovered found that:
Key points of the ICO investigation and decision
As a result of its investigation, the ICO concluded that Equifax Limited had breached 5 of the 8 key data protection principles underpinning the DPA 1998 and the most important failings included:
The fine on Equifax Limited
The ICO had little problem in satisfying itself that the necessary conditions for issuing a fine under section 55A of the DPA 1998 had been met and in deciding to fine up to the maximum amount allowed, it found the following matters to be relevant:
Although the size of the fine was serious, it could have been much worse had the breach occurred under the new data protection rules – given Equifax’s worldwide turnover of over $3bn, it is calculated that the maximum fine of 4% of turnover would have equated to a fine of about £130m. In addition, the incident also shows that: