Preparing for GDPR: What can companies learn from the Equifax data breach?

Following our recent post about GDPR and the UK’s Data Protection Bill and in a continued effort to help companies prepare for the new legislation, we’ve turned our attention to a major data story from the US.

Following on from Yahoo’s one-billion record loss, and the exposure of some 200m US voter records, credit reference agency Equifax has now acknowledged the loss of 143m consumer records.

The loss included data that is very valuable to criminals who want to steal people’s identities, such as addresses, dates of birth and Social Security numbers. And to add insult to injury, Equifax is a data company that offers an identity theft protection product as part of its portfolio.

So, other than improving and testing data security, what lessons can companies learn from the breach?

Lessons to be learned

The first point is one of basic PR. The full details are not known yet, but it appears that the breach was discovered on 29 July, some six weeks before it was announced to the public.

Once the public was made aware, consumers were told to call a hotline number or directed to a website for information. People who tried the hotline complained that they waited a long time to get through, and were then told to visit the website. The website presented an offer of free signup to a year’s identity theft protection.

This offer could seemingly mitigate some of the risks of the data breach itself. But legal experts sounded a note of caution when it was noticed that the sign-up terms and conditions contained an arbitration clause that appeared to waive the consumer’s right to sue Equifax. This has been seen by some as a cynical manoeuvre to limit Equifax’s own losses. By Friday, Equifax stock had lost 14% of its value.

GDPR and data breaches

One of the biggest impacts of GDPR is the reporting of data breaches. We don’t know when Equifax reported this breach to US authorities. But, under GDPR, a breach that is ‘likely to result in a risk to the rights and freedoms of individuals’ – including financial loss or loss of confidentiality – must be reported to the ICO within 72 hours of the organisation becoming aware of it. If the data breach poses a ‘high risk’ to the rights of individuals, those concerned must also be informed directly, without undue delay.

Failure to notify a breach can result in a fine of up to 10 million Euros or 2% of annual worldwide turnover, whichever is higher.

How to prepare

Once companies have taken steps to protect their data, what can they do to prepare for a data breach?

The first thing is to identify breaches: ensure that staff know what a breach is, and create a culture where people aren’t afraid to report something that looks like one.

Once a breach is identified, having a plan to deal with it is as imperative as any other part of a disaster recovery plan. Ideally, the procedures should be brief, easily accessible, and include who must be notified and by when, and templates for statements to the media.

In summary: take all steps to prevent breaches; identify them as soon as possible if they do occur; and have a plan in place to deal with them.

Bill Lawrenson, business intelligence manager, The Lead Agency