The massive US credit company Equifax has recently announced a breach that affects over 140 million data subjects (potentially including 400,000 UK residents). Had GDPR been in force, they would have been (and should have been) in very deep trouble.
The breach of data occurred on September 7th 2017, affecting millions of people, and the data involved is remarkably sensitive. Some of it consists of data subjects’ addresses and dates of birth, but much more worryingly, credit card details were also part of the breach.
From May 2018, when such a breach occurs and affects EU and UK customers, the organisation must contact its data subjects to make them aware of the data that has been breached (unless it is pseudonymised and encrypted). However, there is confusion as to whether Equifax have even done this. Making the news of the breach public can be seen as Equifax alerting their customers publicly. This type of announcement is acceptable where it is the efficient option for the organisation: it is easier to notify 100 million people at once than to notify individuals 100 million times.
Equifax will no doubt claim that they have therefore informed the data subjects. But data subjects may miss this announcement and remain unaware of the breach. It is much safer for an organisation to send a group mailout, a newsletter, or equivalent, to all the data subjects affected, together with a list of the data potentially affected.
But even if Equifax can be excused for this, the length of time they waited before notifying everyone is inexcusable.
The breach occurred on the 7th September 2017. Under GDPR regulations, you will have to notify the appropriate authorities about a breach within 72 hours of becoming aware of it. However, Equifax were sitting on this for over a month, with reports claiming Equifax became aware of the breach on 29th July, many weeks earlier. This is nowhere near compliance with GDPR regulations, and it still does not indicate when the breach actually took place.
Equifax appear to have operated in the hope that no one would notice what happened, which is definitely the wrong way to approach these things. A hack, although often preventable by security procedures, is not always the fault of the victim organisation. The organisation’s reputation may be tarnished, but an organisation that follows the example Equifax have set will have more to worry about than just its reputation.
The worst Equifax could have expected under GDPR laws would be a fine of 4% of the organisation’s annual turnover or 20,000,000 EUR, whichever is higher. Either way, this is a huge sum to pay for something avoidable. Taking the revenue of the company as the figure for the group’s turnover, we can hypothetically calculate the 4% fine they could have received if GDPR laws had been in place. Here’s the maths behind what Equifax’s potential fine could be.
Equifax’s turnover (2016): $3,144.9 million, or $3,144,900,000 (3 billion, 144 million, and 900 thousand dollars) x 0.04 (4%) = $125,796,000. This exceeds the 20,000,000 EUR alternative, so the higher figure would apply.
Sources of turnover figures: http://www.hoovers.com/company-information/company-search.html?term=equifax&maxitems=100 and https://en.wikipedia.org/wiki/Equifax
Now, take this sum with a pinch of salt: the revenue figure shown may not be entirely accurate, and so the final figure won’t be either. However, it represents the huge cost a company like Equifax will be at risk of if they don’t comply with GDPR laws.
Remediation costs would also be a huge figure, especially for a large organisation like Equifax. The number of data subjects affected and the number of Equifax employees significantly increase the cost Equifax would need to pay to remedy the situation. Bringing in a cyber security company to analyse how the breach happened is another costly element of remediation. Added to the potential $125 million fine, this is a huge financial consequence of not complying with GDPR.
Equifax have rightly come in for heavy criticism for how they’ve handled the situation. Their stocks fell by 13% the day after the breach was made public and three high-ranking executives, including CEO Richard Smith, have “retired” (or rather, have been quietly dismissed.)
This situation looks set to go on for a while, so we may have a string of articles to cover Equifax as this news story unfolds… because it looks like the problems here may be much deeper than what we’ve been told so far.
Read more on GDPR fines, penalties and consequences here: https://activaconsulting.co.uk/gdpr/gdpr-fines-penalties-consequences/
There are several GDPR concerns which arise from the new laws, some of which revolve around the lack of clarity. While this affects all types and sizes of organisation, insurers seem to be in a more critical situation.
Most online insurance quotes – and even most that are directly handled by a member of staff – are dependent upon certain automatic processing of data: just think of what would happen to price comparison sites and all of the insurers using them if they couldn’t do this! And yet customers will now be guaranteed an absolute right to object to automatic processing of their personal data. How, then, are insurers supposed to generate quotes for customers who refuse this?
DATA CONNECTED TO CRIMINAL RECORDS
Data subjects will have more control and rights than ever with GDPR, including the ability to have a company stop processing their data (the right to restrict processing). This includes data concerning any previous criminal records. Insurers must now get explicit consent from the data subject to obtain any potential criminal data about a customer.
If this type of data is withheld from an insurer, they can’t then effectively determine whether this new customer is a potential fraudster, and hence a risk to other customers’ data. This inability to process criminal records and convictions will drastically affect the underwriting of insurers and the safety of the data they currently hold.
Potentially, this could be something taken out of the data subject’s hands. If it is in the best interest of 99.9% of customers to obtain this information about a new customer, regardless of consent, it surely must be obtained. But currently, it seems the data subject holds the cards here.
Now, this is currently just a risk of the new regulations, but if it does become part of them, it could spell huge trouble for insurers in how they securely handle the personal data of their customers.
Insurers can currently extend cover to third parties without the consent of said third party. With GDPR coming in, that third party will now have to provide their consent for this to continue to happen. However, there is a lack of clarity regarding the extent to which insurers need to obtain consent, and the extent to which this affects the third party if consent is given.
It is likely that third parties must express consent, but not necessarily explicit consent. Without knowing for sure, though, producing a Fair Privacy Notice will be difficult for insurers.
Certain new rules are also coming into place for “profiling”, which could affect insurers’ ability to underwrite efficiently. The profiling of an individual is done to assess the level of risk posed by an individual before both parties enter into a contract.
It is currently unclear what data will remain allowable for underwriting, whether it will require consent (and whether explicit consent will be required for marketing purposes), whether anti-fraud databases that receive this data have permission to process it, and whether there is any effect on automatic renewal policies that came into being before these new regulations come in. Without assurances and clarity on these points, insurers won’t be able to effectively continue to underwrite, which can heighten the risk of loss to society and their customers.
RIGHT OF PORTABILITY
This lack of clarity continues with regard to “the Right of Portability”. Under the GDPR regulations, the data subject has the right to transfer data from one location to another (once satisfactory proof is provided).
Data must all be in machine-readable formats, but it is unclear what this means. Paper is technically machine readable, since it can be scanned into a computer, but it’s not clear whether this counts, or whether “machine readable” refers only to files and documents created by a machine. Which data will then need to be transported (and assessed) via a machine-readable format? Would paper, arguably a machine-readable format, be a secure format for doing this? Probably not. It is also unclear by what methods insurers can provide data to customers and other companies.
Once again, there is uncertainty regarding third parties and how they are affected by the main customer requesting that their data be moved. Will the third party need to be reinsured, for example?
FAIR PROCESSING NOTICES
Fair Processing Notices (FPNs) are important for relaying to customers the way an organisation handles their data. However, common feedback has been that customers would prefer to have this sort of information given out in chunks rather than in one big, complicated, and daunting document.
The best example of this is probably the terms and conditions you have to agree to, with the Apple T&Cs perhaps the most infamous of them all. Quite simply, no one has the time or patience to sit through and read those before inevitably agreeing. This can even be detrimental to the customer if they agree to something they later disagree with.
A more engaging format for customers to absorb the information given in FPNs will be beneficial for both organisations and customers. The ICO are proposing a “layered” FPN to accommodate customers’ preferences, in an attempt to share vital information with customers in a concise but engaging way.
There are still uncertainties in the regulations concerning FPNs. For example, will these new regulations affect those who signed a contract prior to 2018, or only new contracts? It will likely affect all data subjects in this regard, but it can become complex when dealing with life insurance and pensions, which are long-term contracts.
LACK OF CLARITY
The recurring theme for these new regulations and insurers is a general lack of clarity: whether new laws affect existing data subjects, whether insurers are allowed to process one thing or another, and, above all, the general terms and phrases that the new regulations have introduced or skewed.
Several terms are being used to determine the amount of interest, risk, and effect that are not particularly different from one another. For example, there is public, significant, legitimate, and important interest. Which of these is most vital? When is something legitimate but not significant? Is any data not important?
This highlights the need for a glossary of terms from the governing body handling GDPR to ease the transition for all organisations. We’ve started with our own glossary, but the nuances between these particular adjectives are so minor that they are easily misunderstood.
There are also terms as simple as “risk” and “high risk”, and it’s unclear when something becomes “high risk”. A simple 1 to 10 rating or grading system would put this issue to bed. It would show when something is low risk and when it is high risk, leaving little leeway for misinterpretation, which could be costly.
GDPR CONCERNS FOR INSURERS
Insurers are significantly affected by GDPR because of the amount of crucial data they store for their customers. It will be a difficult task to get GDPR-ready with third-parties, long-term insurance contracts, and even the basic rights of the data subject potentially causing problems.
Fortunately, many of these issues can be resolved with common sense, logical thinking, and problem-solving. Insurers could offer different deals to those who don’t give consent to share their previous criminal records, and they can be safe when dealing with third parties by getting their consent, whether it is needed or not. This is something Activa’s GDPR and 27001 Specialists and Consultants can help with. Contact us now to get our advice on how to adapt to these complex new laws.
Read more on insurers’ concerns about these issues in this document by the ABI: https://www.abi.org.uk/globalassets/sitecore/files/documents/newsletters/gdpr-key-implementations.pdf