US-based credit scoring company Equifax announced on 7 September 2017 that it had experienced a security breach which exposed credit information on customers within the US as well as potential customers based in the UK. Equifax holds data on 820 million consumers, and UK companies use the US-based company's services when performing standard credit checks as part of their service offerings.
Although these UK companies may collect this data, Equifax is undoubtedly storing and processing it on their behalf. Worryingly, Equifax has reported that the breach occurred 40 days before it was disclosed; however, it is unclear when Equifax actually knew the breach had occurred.
As a US-based company, Equifax is subject to different laws and regulations from those applying to UK- or EU-based companies. However, under the new GDPR legislation due to take effect in 2018, Equifax would be liable for any breach of personally identifiable data even as a US-based company, because it is storing or processing data belonging to EU citizens.
Interestingly, under GDPR, Equifax would have been obliged to report the security breach within 72 hours of the organisation becoming aware of it. That deadline runs from awareness, not from the breach itself, so it does not rule out the breach having occurred several days, weeks or even months earlier. It raises the prospect of Equifax being liable for a fine under GDPR had it delayed reporting the breach, with fines ranging up to €20 million or 4% of global turnover.
Equifax does appear to be well aware of the new GDPR legislation and has even published its own datasheet on GDPR, with guidance and notes on the legislation provided by its own Compliance Office.
The UK's ICO is currently in contact with Equifax regarding the breach, as reported by the BBC, and it remains to be seen how many consumer credit records belonging to UK and EU citizens have been affected.