Co-authored by Peter Davis and Brendan Nixon.

As a consumer credit reporting agency, Equifax collects the personal data of millions of individuals, mainly Americans, often without the knowledge or explicit consent of those “data subjects”. The Equifax hack is understood to have compromised the personal data of over 140 million individuals. Although recent hacks of other businesses have affected more individuals, the personal data held by Equifax is significantly more sensitive than the data compromised in other hacks and includes Social Security numbers, birth dates, current and previous addresses and driver licence details.

The chief executive officer, chief information officer and chief security officer that held office during the hack have all “retired”, but it is unclear if any financial penalties (such as salary or bonus reductions) will be imposed by Equifax or if criminal proceedings will be commenced against these former officeholders. Of more interest is how companies with vast amounts of personal data can be encouraged to secure that data and prevent similar large scale breaches.

Hackers will continue to search for security vulnerabilities in systems that contain large amounts of personal data and it is not possible to completely mitigate the risk of a significant data breach such as the one experienced by Equifax. However, the Equifax hack raises many questions as to whether the US’ data protection regime gives data controllers sufficient incentive to protect personal data and what it will take persuade US lawmakers to update US data protection laws. Security is a ‘cost’ on any company’s balance sheet, and profit-seeking companies naturally aim to reduce this side of the balance sheet as much as possible. Comprehensive legislation may be the only means to compel companies to establish a baseline acceptable level of security, especially when handling personal data.

Comprehensive and Unified Data Protection Law

The US lacks a single comprehensive data protection regime, meaning that nation-wide breaches are cumbersome for affected people and regulatory agencies to respond to legally. Though the Federal Trade Commission (FTC) wields the power to impose substantial penalties for privacy violations in certain contexts, the FTC has conceded that current rules lack sufficient deterrents or clear standards for data controllers to heed.

The EU’s data protection system is comparatively robust and relatively unified across Member States. This will be further consolidated when the General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. Though the EU regime is not perfect, when compared to the current piecemeal federal approach and considerable state-level divergence in the US, a more unified regime that imposes clear and comprehensive data protection standards may have placed a greater imperative on Equifax to have better technical safeguards in place.

One advantage of the US system is the “powerful” tool of class action lawsuits that can be brought at state and federal level. There were “at least 23 proposed class-action lawsuits” on foot just four days after the breach was announced. Collective redress in Europe, on the other hand, is less ingrained both socially and legally. The GDPR takes some positive steps by allowing data subjects to seek collective redress for an infringement of GDPR rights (Art 80), but compensation can only be sought if Member State rules allow it (Art 80 & Rec 142). Whereas class action lawsuits are (or should be) a primary concern of data controllers in the US, they are peripheral compared to formal regulation in the EU.

Individual Control Over Personal Data

The ability of Equifax to collect large amounts of data on individuals without the knowledge or consent of those individuals further highlights issues with the control of personal data in the US. Equifax is understood to have collected details such as Social Security numbers, driver license numbers, current and former addresses and bank account details for millions of Americans (approximately 143 million). This is exactly the kind of information that could be utilised to fraudulently access bank accounts and insurance policies.

In comparison, European legislation empowers individuals with respect to their personal data collected by others. Unlike the US, the ‘default position’ is that personal data should not be processed, unless there is a lawful basis for doing so (commonly through consent or a ‘legitimate interests’ test). Where the collection of personal data requires the data subject’s consent, EU law mandates that consent can be revoked. Data controllers must notify individuals of certain data collected about them and people have a right to access that data. There are also temporal limits and limits as to the purpose that the data can be used for. Data subjects have a (non-absolute) ‘right to be forgotten’ if the information is “inaccurate, inadequate, irrelevant or excessive.”

Conversely, according to a former Equifax employee and consumer credit expert, “[t]here’s nothing in any statute or anything else that allows you to ask Equifax to remove your data or have all your data disappear if you say you no longer trust it.”

If any positives are to come out of this large scale security breach, they may include increased public awareness of the value of personal data and pressure for further regulation. Within several weeks of the hack being announced, two US Senators introduced legislation seeking to give control of credit information back to consumers. However, even if legislation can bypass aggressive lobbying by tech companies, restrictions on data processing can be at odds with First Amendment rights.

Legal Requirement to Secure Personal Data

As details of the hack continue to emerge, it appears Equifax had a relaxed approach to data security, utilised old technology and lacked any appreciable incentive (legal or commercial), despite recent data leaks and lawsuits related to data leaks, to adopt a serious approach to securing personal data. A patch that is likely to have addressed the vulnerability that was exploited by the hackers was available in March 2017, well before the hack occurred in May 2017. The relaxed approach was further demonstrated by the fact that the website established by Equifax in response to the hack was vulnerable to further hacking. The website requested further personal data for identification purposes, even though Equifax had demonstrated an inability to protect personal data in the first place.

Under current EU data protection laws (Art 17 of the Data Protection Directive) and the incoming GDPR (Art 32), controllers of personal data are required to “implement appropriate technical and organisational measures” to “ensure a level of security appropriate to the risk” associated with the processing of the data and the nature of the data held. The GDPR imposes “a qualified duty… to put in place [those] technical and organisational measures… effectively and to integrate necessary safeguards into the processing of personal data” through Art 25, a provision headed ‘Data protection by design and by default’. Art 32(1) of the GDPR provides details of what these technical and organisational measures could include and refers to pseudonymisation and encryption of personal data together with a process for regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures put in place. The data accessed in the Equifax hack was not encrypted, which would have provided a basic level of protection and at least delayed the hackers in accessing the personal data.

Breach Notification

A timeline of the hack suggests that Equifax became aware of the hack on 29 July 2017 and did not alert affected data subjects or authorities until 7 September 2017. Due to the absence of a comprehensive federal data protection law in the US, there is no common rule regarding the timeframe in which an entity must inform its customers, or affected persons, in circumstances where the security of personal data held by an entity is compromised. Some states have disclosure requirements for data breaches and only a limited number of states stipulate a timeframe for disclosing a data breach, understood to range from 15-90 days after discovering the breach. Contrast this with the GDPR, which will generally require a controller of personal data to notify authorities of a personal data breach within 72 hours of becoming aware of the breach (see Art 33 GDPR), and to notify affected persons of “high risk” breaches “without undue delay” (Art 34 GDPR).

The long delay between Equifax becoming aware of the hack and informing interested authorities and affected data subjects is not surprising in the absence of legislation mandating a fixed timeframe for breach notification. One can envisage circumstances where it may be best practice for an entity to advise the authorities of a security breach prior to informing the general public. Most important though, is that the the breach of security of personal data is notified to authorities as soon as possible in order to allow a cohesive and organised response by both the public and private sectors.

Without a comprehensive response from law enforcement agencies and legislators, Equifax and the two other major credit reporting agencies in the US will slowly slip off the radar, free to make the same mistakes and jeopardise the security of the personal data of millions of people. If a hack of this scale is not a catalyst for significant change regarding data protection in the US, it is unclear exactly how catastrophic a data breach needs be in order to force a comprehensive change of US data protection laws.

Peter and Brendan work as Research Assistants for the SIGNAL Project funded by the Norwegian Research Council and UNINETT Norid AS, with support from the University of Oslo.