On 7 September 2017 it emerged that Equifax, a US-based credit monitoring company, had suffered a data breach that put the personal information of around 143 million Americans at risk. Exposing the sensitive data of well over a hundred million people is obviously bad news for any business whatever happens next, but reputation can be redeemed by the way a business reacts to a cyber-attack of any scale. Unfortunately, in Equifax’s case, redemption is going to be a huge challenge, as its reaction has already been widely criticised. Equifax first discovered the attack on 29 July, yet took more than five weeks to announce it publicly. Only on 7 September did the company publish a link to an information website and a hotline number for concerned customers to call to check whether their personal data had been affected.
When customers did try to call, many reported being put on hold for extended periods or being disconnected repeatedly. And if they were ‘lucky’ enough to get through, they were greeted by a contractor who had no access to their account and simply directed them back to the website for more information. Not exactly the response you want when you have been put at risk of identity fraud.
What is clear from the still-emerging details of this story is that, despite all the advice and solutions on offer to businesses of all types and sizes, businesses are still reacting to cyber-attacks with a ‘let’s hope no one notices and maybe this will all go away’ attitude.
It is safe to say that is never the solution, and with the GDPR coming into force in May 2018, businesses that fail to respond appropriately after suffering a cyber-attack will face severe consequences. The GDPR applies to any organisation that processes the personal data of individuals in the EU, including organisations based outside the EU that offer those individuals goods or services or monitor their behaviour (Article 3), so although Equifax is US-based, it would very likely still fall within the GDPR’s scope.
Let’s imagine the GDPR is current legislation. The UK is technically still in the EU and it emerges Equifax have the data of around 44 million Britons on their books. How should Equifax have responded in order to achieve GDPR compliance?
- Report the breach to the ICO within 72 hours – Article 33 of the GDPR requires the controller to notify the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. The notification must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), give the contact details of the data protection officer or another contact point, set out the likely consequences, and describe the measures taken or proposed to address it; if the notification is late, the reasons for the delay must be given. Failing to notify is itself an infringement, punishable under Article 83(4) by a fine of up to €10 million or 2% of worldwide annual turnover, whichever is higher, on top of any penalty for the security failure that led to the breach.
- Inform data subjects quickly – Article 34 of the GDPR states: ‘When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.’ A breach of names, addresses, dates of birth and Social Security numbers is about as clear a case of high risk as there is, and more than five weeks is a substantial delay, so Equifax would have failed miserably.
- Avoid the breach in the first place! – Whatever Equifax’s response, a breach like this should not have occurred at all if appropriate security measures had been in place. Article 32 requires controllers to implement technical and organisational measures appropriate to the risk, and Article 5(1)(f) makes integrity and confidentiality a basic principle of processing. It remains to be seen what Equifax’s punishment will be, but under the GDPR an infringement of the basic principles attracts the top tier of fines: up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.
Businesses cannot afford to sit on data breaches. Doing so is costly both financially and reputationally, and this incident may prove irrecoverable for Equifax as lawsuits against the business begin to stack up. No matter how good your cyber security systems, breaches do occur, but they can be detected and contained before serious damage is done. Falanx created MidGARD to help businesses like Equifax manage, detect and respond to cyber threats before they become serious incidents. If you want to find out more about how you can avoid hefty fines and a loss of reputation, read our MD’s blog about MidGARD and get in touch.