The UK Information Commissioner’s Office (ICO) announced that the credit reference agency Equifax has received the highest fine yet for failing to protect the personal information of up to 15 million UK citizens after an investigation of the 2017 cyber attack.
The GBP 500,000 fine is the maximum provided for under the Data Protection Act 1998. That Act applies because the incident happened before the Data Protection Act 2018, which updates UK law to incorporate the EU General Data Protection Regulation (GDPR), came into effect.
Elizabeth Denham, Information Commissioner, said:
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.
“This is compounded when the company is a global firm whose business relies on personal data.
“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
Steve Eckersley, Director of Investigations at the ICO, gave the following warning on a BBC news broadcast later in the morning as the story was picked up by news organizations:
“The new legislation that came into effect on the 25th of May this year gives us new powers to issue fines up to seventeen million pounds or four percent of global turnover, and if that doesn’t make executive teams and CEOs sit up and take note of this potential for fines, and obviously comply with the regulations, and step up to their responsibilities, I guess nothing will.”
Because investigations are launched after complaints and must be carried out carefully, there have not yet been any major enforcement actions taken under the new legislation. As reported by the International Association of Privacy Professionals on August 20th, it is likely to be some time before the first GDPR investigation reaches a determination and enforcement action.
What is clear, however, is that the pervasiveness of data-driven services is receiving close attention from regulators. It is the focus of the 40th International Conference of Data Protection and Privacy Commissioners taking place this fall in Brussels, Belgium from 22nd to 26th October 2018.