GATINEAU, QC, April 9, 2019 – An investigation into a global data breach has found that both Equifax Canada and its US-based parent company fell far short of their privacy obligations to Canadians.
Privacy concerns included poor security safeguards; retaining information too long; inadequate consent procedures; a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.
These issues contributed to, and exacerbated the impact of, the breach, which affected more than 143 million people worldwide, including 19,000 Canadians.
“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” says Daniel Therrien, Privacy Commissioner of Canada.
“In the end, the company did agree to enter into a compliance agreement, which demonstrates its commitment to addressing many of our concerns, and making privacy a priority going forward.”
Since the breach, Equifax Canada and Equifax Inc. have taken steps to improve their security, accountability and data destruction programs.
Given the seriousness of the issues identified, the OPC also sought and received a commitment from Equifax Canada to submit third-party audit reports on its own security and that of Equifax Inc. to the OPC every two years for the next six years. This will allow for ongoing monitoring of compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, including assessing the steps taken by Equifax since the breach.
The breach occurred after hackers gained access to Equifax Inc.’s systems through a vulnerability the company had known about for more than two months, but had not fixed.
The personal information of Canadians became caught up in the breach at U.S.-based Equifax Inc. because they had obtained products, such as credit monitoring or fraud alerts, from Equifax Canada – transactions that were processed by its parent company. Once Canadians’ information was in Equifax Inc.’s systems in the United States, critical gaps in its security program left the Canadian information inadequately protected.
While Equifax Canada ultimately agreed to offer free credit monitoring to breach victims for a minimum of four years, the company did not go as far as its parent company in regard to other post-breach protections. During its investigation, the OPC expressed concern that affected Americans were offered a credit freeze, allowing them to restrict access to their credit files and thus reducing the chance of fraudulent or unauthorized credit checks.
“Canadians affected by the breach face the same risks, and it is unfortunate that Equifax Canada refused to offer a credit freeze option to affected Canadians,” Commissioner Therrien says.
Several complainants told the OPC they were surprised to learn their information had left Canada and was transferred to the U.S.
The OPC found the transfer to be inconsistent with the organization’s obligation under PIPEDA to obtain meaningful consent from individuals before disclosing their personal information to a third party. For consent to be valid, individuals must be provided with clear information about the disclosure, including when the third party is located in another country, and the associated risks.
Organizations must obtain express consent where individuals would not reasonably expect the transfer. This was the case here given Canadian customers interacted exclusively with Equifax Canada at the time and were not explicitly advised that their information would be processed in the U.S. Express consent is also required where the information is sensitive, as is generally the case with financial information.
The OPC recognizes that this marks a departure from its previous position, which has led to a re-examination of its guidance on cross-border data flows for businesses.
OPC launches consultation on cross-border transfers
As a first step, the OPC is launching a formal consultation with stakeholders with a view to soliciting feedback and updating its guidance on cross-border transfers of personal information. The OPC has issued a consultation document and is welcoming written submissions through June 4, 2019.
“We know there are advantages to transborder data flows, but individuals ought to and do, under the law, have a say in whether their personal information will be disclosed outside Canada,” Commissioner Therrien says.
“Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.”
Following the consultation, the OPC will clarify the rules so that organizations understand their obligations around obtaining valid consent and remain accountable for protecting the information in their control.
International Collaboration
It is also worth noting that the OPC benefited from collaboration with the U.S. Federal Trade Commission (FTC) and the UK Information Commissioner’s Office (ICO) over the course of its investigation.
“We would like to express our appreciation for the FTC and ICO’s assistance,” Commissioner Therrien says.
About the Privacy Commissioner of Canada
The Privacy Commissioner of Canada is mandated by Parliament to act as a guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and PIPEDA, Canada’s federal private sector privacy law.