Equifax; A decade of data breaches
The DPOInsider covers the latest news and developments in data compliance and privacy every Friday. The DPO's favourite weekly read ☕️
Equifax Faces £11.2m Fine by FCA Over Cybersecurity Lapse
The Financial Conduct Authority (FCA) has imposed a hefty fine of £11.2m on Equifax for its failure to adequately oversee and secure UK consumer data that was outsourced to its US-based parent company. This oversight led to a significant breach, allowing cyber attackers to access the personal data of millions, thereby exposing UK consumers to potential financial crimes.
Back in 2017, Equifax's parent company experienced one of the most significant cybersecurity breaches in history. This breach compromised the personal data of roughly 13.8 million UK consumers. The exposed data included names, birth dates, phone numbers, login details, partial credit card information, and residential addresses. The root cause? Equifax had outsourced data processing to Equifax Inc's servers in the US.
The FCA pointed out that Equifax did not exercise sufficient oversight regarding the management and protection of the data it was transferring. Known vulnerabilities existed in Equifax Inc's data security systems, and despite being aware, Equifax did not take the necessary measures to safeguard UK customer data.
Therese Chambers, the joint executive director of enforcement and market oversight at the FCA, emphasized the responsibility financial firms have in safeguarding customer data. She stated, "Financial firms hold data on customers that is highly attractive to criminals. They have a duty to keep it safe and Equifax failed to do so."
In response, Patricio Remon, president for Europe at Equifax, highlighted the company's cooperation with the FCA throughout the investigation. He mentioned that since the cyberattack, Equifax has invested over $1.5 billion in security and technology transformation, aiming to ensure the utmost protection of consumer information.
A Decade of Data Breaches: Key Takeaways
In the rapidly evolving world of cybersecurity, the past decade has been a rollercoaster. A recent article on Security Intelligence provides a comprehensive review of the cost of data breaches over the last ten years. Here are the key takeaways:
Rising Costs: In 2014, the average cost of a data breach stood at $3.5 million. Fast forward to today, and this figure has jumped by nearly 30% to $4.45 million per breach. For companies in the U.S., the average cost is even steeper at $9.48 million per breach.
Geographical Disparities: The U.S. has consistently topped the charts with the highest average data breach cost for 13 consecutive years. In 2023, the average cost of a breach in the U.S. reached $9.48 million, marking a 75.5% increase from 2013. The Middle East and Canada followed, with costs per breach of $8.07 million and $5.13 million, respectively.
Industry-wise Impact: The healthcare sector has been the most affected, with the highest data breach costs for the past 13 years. In 2023, healthcare organizations faced an average cost of $10.93 million per breach.
Shift in Mitigating Factors: While encryption was once a top mitigating factor for data breach costs, its importance has diminished over the years. In contrast, the role of AI platforms in reducing breach costs has surged. In 2022, AI emerged as the leading factor impacting the average total cost of a data breach.
Pandemic's Influence: The Covid-19 pandemic had a profound impact on cybersecurity. Breaches where remote work was a factor saw an average cost increase of $1.07 million. Organizations with a majority of remote employees took 58 days longer to identify and contain breaches.
Supply Chain Vulnerabilities: Following the SolarWinds incident, there has been a heightened focus on supply chain security. In 2022, one-fifth of breaches were attributed to supply chain compromises, with an average total cost of $4.46 million.
The landscape of cybersecurity is ever-changing, and as we reflect on the past decade, it's evident that organizations must remain vigilant and adaptive. With advancements in AI and quantum computing on the horizon, the future of cybersecurity remains both exciting and unpredictable.
Other data privacy news
A bad actor offered to sell information on 23andMe’s users, calling out Jewish people specifically.
Compliance roles and functions have become broader and more complex over time. Developments in data management, processing and analytics have broken down silos, allowing compliance to obtain a more overarching view across risk typologies. The compliance culture has evolved, new challenges and technology solutions have emerged, and budgets have fluctuated.
Companies are navigating an increasingly complex set of laws for how they collect and use personal information as states diverge in their approaches to boosting data privacy standards.
Marketers looking to succeed in a privacy-first world can no longer afford to overlook the role that data protection officers (DPOs) and legal advisors have to play.