In September 2017 Equifax suffered a data breach exposing the personal data of over 147 million people. Hackers utilised a website application vulnerability to access the personal data of customers.
In response, Equifax launched a website aimed to inform customers whose data was at risk. The United States Government Accountability Office published a report in August 2018 examining the nature of the breach and follow-up work. The Office published the following infographic explaining the nature of the breach:
In a bid to collectively settle lawsuits on the behalf of customers the Federal Trade Commission considered a proposed class action settlement in 22 July 2019. In the UK similar efforts are now being undertaken given the 15 million customers affected and are the focus of this article.
Equifax Class Action in the UK
In September 2018 the UK Information Commissioners Office fined Equifax £500,000 for regulatory failings, the highest fine available under legislation at the time. The findings concluded that the UK branch of Equifax processed data on the behalf of the American entity and had failed to do so in keeping with five of the eight data protection principles. Issues were found with data retention, IT system patching and audit procedures.
As is typical with liability in the event of data breach regulatory sanctions were just the start of the liability Equifax was exposed to. In many instances individuals have recourse under their domestic laws for the mishandling and mismanagement of their personal data resulting in loss and harm. With liability being estimated at £100 million the Equifax UK class action is one of the most significant of its time. Hayes Connor Solicitors have sought to bring a class action on behalf of customers impacted by the breach in the UK, numbering 15 million. The firm estimates awards in the sum of £1,000-£2,500 per claimant, potentially more depending upon the loss of sensitive financial information.
These sums come following significant efforts by Equifax to mitigate risk of loss to customers, including providing free Identity Restoration Services and credit checks.
These multiple layers of liability entrench the importance of the adequate protection of personal data. Under the GDPR data breach oriented sanctions can amount to 4% of global turnover. Therefore, the vast extent of liability becomes clear, whether from regulatory sanctions, customer restitution or reputational damage. These multiple points of risk magnify the liability of data handlers significantly. Best practice risk assessments, data minimisation and data management become paramount in an ecosystem with strict breach notification rules supported by sanctions with teeth. In the midst of this trigger response regulation Equifax serves as a significant case study now that assessment of liability has reached the granular customer stage.
Data breach liability in the future
More recent precedent can be taken from the Lloyd v Google class action, which was brought under CPR 19.6, referencing a class of individuals. The precedent from these cases broadens the incidents where liability can be imposed. In this case Google, without customer consent, harvested personal information which was used and commoditised for targeted marketing.
In seeking to harness the value of such data Google contravened the laws protecting against the unauthorised use of such data. In applying for damages on the behalf of those who had their data unlawfully harvested the potential liability of Google was estimated to be in excess of £3 billion. Though decided under the Data Protection Act 1998, these provisions are only more onerous under the newer Data Protection Act 2018 and General Data Protection Regulation.
Liability for breaches of data protection legislation can, in many ways be seen to be punitive and certainly operate in a deterrent manner. Both the Equifax and Google cases are cautionary tales representing the consequences of the ineffectual protection of data. Unsurprisingly, the consequential damage caused by breaches and the mishandling of data is far-ranging and reflected in the broad range of liability.
The Privacy Perspective 