Report and calculation of fine amount for Equifax

Murray Bryant made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was refused by Information Commissioner's Office.

Dear Information Commissioner’s Office,

I see from your recent press release that Equifax has been fined £500,000. As part of this I imagine a report was compiled of the breach, its handling and how Equifax was/wasn't protecting information.
I also imagine criteria were considered and further reports may have suggested fine amounts. I would like to request:

1) A full copy of the report detailing the breach, its handling and how Equifax was/wasn't protecting information.

2) Details of any criteria or reports around the fine amount issued to Equifax and reasoning as to why that amount was chosen.

Yours faithfully,

Murray Bryant-Lerner

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[3]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [4]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. https://ico.org.uk/global/privacy-notice/
3. http://www.ico.org.uk/tools_and_resource...
4. http://www.twitter.com/ICOnews

Information Commissioner's Office

25 September 2018

 

Case Reference Number IRQ0787392

 

Dear M Bryant-Lerner

Thank you for your recent request for information. We received your
request on 20 September 2018.
 
We will be considering your request under the Freedom of Information Act
2000. You can expect us to respond in full by 18 October 2018. This is 20
working days from the date we received your request. If, for any reason,
we can’t respond by this date, we will let you know and tell you when you
can expect a response.
 
If you have any questions please contact me using the IRQ case reference
number above or by replying to this email and leaving the subject field
unchanged.
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely 
 

Sarah Whelan
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6322  F. 01625 524510  [1]ico.org.uk  [2]twitter.com/iconews
Please consider the environment before printing this email
For information about what we do with personal data see our [3]privacy
notice

 

References

Visible links
1. http://ico.org.uk/
2. https://twitter.com/iconews
3. https://ico.org.uk/global/privacy-notice/

Information Commissioner's Office

17 October 2018

 

Case Reference Number IRQ0787392
 

Dear M Bryant-Lerner
 
Thank you for your recent request for information. We received your
request on 20 September 2018.
 
We have considered your request under the Freedom of Information Act 2000.
 
Your request
 
‘Dear Information Commissioner’s Office, I see from your recent press
release that Equifax has been fined £500,000. As part of this I imagine a
report was compiled of the breach, its handling and how Equifax
was/wasn’t protecting information. I also imagine criteria were considered
and further reports may have suggested fine amounts. I would like to
request:

 1. A full copy of the report detailing the breach, its handling and how
Equifax was/wasn’t protecting information.
 2. Details of any criteria or reports around the fine amount issued to
Equifax and reasoning as to why that amount was chosen.’

Our response
 
The ICO has published information about the investigation and the monetary
penalty notice issued to Equifax Ltd; this can be found on our website at
the following link:
[1]https://ico.org.uk/action-weve-taken/enf...
 
We are unable to disclose the further information you have asked for as it
is exempt under Section 31(1)(g) of the FOIA. This exemption applies when
disclosure would or would be likely to prejudice our ability to carry out
our regulatory function.
 
The exemption at section 31(1)(g) of the FOIA refers to circumstances
where the disclosure of information “would, or would be likely to,
prejudice - ….the exercise by any public authority of its functions for
any of the purposes specified in subsection (2).”
 
The purposes referred to in sections 31(2)(a) and (c) are –
 
“(a) the purpose of ascertaining whether any person has failed to comply
with the law” and
 
“(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise…”

This exemption is not absolute. When considering whether to apply it in
response to a request for information, there is a ‘public interest test’.
That is, we must consider whether the public interest favours withholding
or disclosing the information.
 
In this case the public interest factors in favour of disclosing the
information are as follows –  
 

* Increased transparency in the way in which we carry out our
investigations.
* The understandable interest of the public, and those data subjects
affected by this incident, in the ICO’s analysis of the breach.

The public interest factors in maintaining the exemption are as follows - 
 

* We consider that the disclosure would reveal information about the
Commissioner’s investigatory techniques that could be prejudicial to
current and future investigations.
* There is public interest in us being able to maintain effective and
productive relationships with the parties we communicate with. It is
essential that organisations continue to engage with us in a
constructive and collaborative way without fear that the information
they provide to us will be made public, if it is inappropriate to do
so.
* We consider that disclosure of this information would be likely to
compromise our ability to investigate and therefore affect the
discharge of our regulatory function in vital areas, including our
ability to influence the behaviour of data controllers and to take
formal action.

Having considered the arguments both for and against disclosure we do not
find that there is sufficient weight in the arguments that favour
disclosure. The release of case investigation reports / additional
information would be prejudicial to the ICO’s regulatory function and
ability to investigate as it would reveal investigative techniques and
considerations. Further, the matter is still subject to investigation by
regulators both domestically and in other jurisdictions, and release of
the information could also adversely impact upon their investigations.
 
In the interests of transparency we have published information on our
website and made a public statement about the Equifax security breach.
                                
Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [2]here.
 
Following our internal review, if you remain dissatisfied with the way we
have handled your request, there is a statutory complaints process and you
can report your concern to the regulator. I have included information
about how to do this separately.
 
Yours sincerely,
 
 

Sarah Whelan
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 414 6322  F. 01625 524510  [3]ico.org.uk  [4]twitter.com/iconews
For information about what we do with personal data see our [5]privacy
notice

 
 
 
 
 

References

Visible links
1. https://ico.org.uk/action-weve-taken/enf...
2. https://ico.org.uk/media/about-the-ico/p...
3. http://ico.org.uk/
4. https://twitter.com/iconews
5. https://ico.org.uk/global/privacy-notice/