The Office of the Privacy Commissioner of Canada will monitor American credit agency Equifax Inc. for the next six years after an investigation into a massive data breach of personal information at the firm in 2017.
On Tuesday, the federal overseer of Canada’s privacy laws released the results of its investigation, finding as many as 19,000 Canadians were ultimately affected. Equifax offers credit monitoring services, it also conducts credit checks on behalf of lenders, or other organizations. For example, consumers wanting to buy a car would have their personal information run through a company like Equifax to determine whether they would qualify for a loan.
While the personal information of Canadians was found in the data that was obtained by hackers, including credit reports and payment card details, American consumers were hit worse. More than 209,000 consumers’ credit card credentials were taken in the attack, millions more saw personal information like social insurance numbers, driver’s licence numbers or banking information stolen.
A total of 143 million people worldwide saw personal information exposed as a result of the breach of Equifax’s systems.
The privacy commissioner launched its investigation after 19 Canadians filed complaints with his office after the breach was made public.
In its findings, the Office of the Privacy Commissioner found poor security safeguards, the retention of information for too long after it was used to verify a person’s credit history, inadequate consent procedures, a lack of accountability for Canadians’ information and limited protection measures offered to affected Canadians.
“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” said Daniel Therrien, privacy commissioner of Canada in a release. “In the end, the company did agree to enter into a compliance agreement, which demonstrates its commitment to addressing many of our concerns, and making privacy a priority.”
During its investigation, the Office of the Privacy Commissioner found that the information of Canadians affected was exposed because those individuals had obtained products, such as credit monitoring or fraud alerts, from the company’s Canadian subsidiary Equifax Canada. Transactions for those products were ultimately processed by Equifax’s parent company in the U.S.
Once Canadians’ information was in Equifax’s systems south of the border, critical gaps in the company’s security protocols left the Canadian information inadequately protected, as the American systems had been compromised by hackers.
The revelation that the personal financial information of thousands of Canadians had been transmitted to the U.S. also drew the ire of the privacy commissioner, who has now launched a national consultation on “transborder data flows”, which includes personal information that is being sent to U.S. servers for processing. The commissioner underlined that a company must obtain consent from any Canadian it collects information from when it knows that information will be sent to servers abroad.
“Individuals must be given the opportunity to exercise their legal right to consent to disclosures across borders, regardless of whether these are transfers for processing or other types of disclosures,” reads a statement from the Office of the Privacy Commissioner. “It is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country. Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.”
The commissioner plans to release an updated policy about how corporations should handle data before it crosses a border. However, it plans to collect feedback from industry until June 4, before it releases its updated position.
The commissioner has also released a “compliance agreement” with the company that cracks down on Equifax demanding it develop better data retention policies, delete or anonymize all Canadian personal information, increase privacy and security measures when it comes to handling or storing data. The privacy commissioner has requested regular reports from bother Equifax Canada and it’s U.S. parent company for the next six years (until 2025) detailing how it is meeting the requirements. The commissioner also specified that it may ask for additional information or visit Equifax’s offices, either in Canada or anywhere around the world where Canadian personal information is being processed.
The commissioner warned that failure to meet the requirements in the compliance agreement could see an application for intervention by the Federal Court of Canada.
Equifax has acknowledged the results of the commissioner’s findings, however the company has not admitted fault. The company has voluntarily entered into the compliance agreement with the commissioner’s office.
Equifax Canada submitted the first of its reports to the Privacy Commissioner’s Office on March 31. A report from Equifax in the U.S. is expected by December 31.
Equifax first notified the public of the security breach on Sept. 7 2017, although it said the unauthorized access of its systems is thought to have happened between May 13 to July 30 that year. Equifax said its security team caught the hack on July 29.
The company has said that it believes that hackers accessed Equifax Canada’s systems through a consumer website application intended for use by U.S. consumers.
Copyright Postmedia Network Inc., 2019
