Equifax and its Canadian division have been criticized by the federal privacy commissioner for not offering Canadians the same post-breach protections after the massive 2017 data breach that saw hackers get away with financial information on 143 million people around the world, including 19,000 Canadians.
In a report issued today commissioner Daniel Therrien found the U.S.-based company offered poor security safeguards; retained information too long; had inadequate consent procedures; suffered from a lack of accountability for Canadians’ information and provided limited protection measures offered to affected individuals after the breach.
“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” he said.
The office of the privacy commissioner (OPC) is also re-examining its guidance on cross-border transfers of personal data after learning a number of Equifax Canada customers were surprised their information had been transferred to the U.S. for processing. That, Therrien said, was “inconsistent” with Equifax Canada’s obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) to obtain meaningful consent from individuals before disclosing their personal information to a third party.
“For consent to be valid, individuals must be provided with clear information about the disclosure, including when the third party is located in another country, and the associated risks,” he said.
However, until now the OPC had told companies that data transfers for the purpose of processing information were considered a ‘use’ of personal information rather than a disclosure of personal information. As a result, companies didn’t need to get express consent. So for this breach the OPC concluded Equifax Canada should have sought express consent from customers, but that, because of the OPC’s existing guidance, it had acted in good faith.
But the incident has made the OPC re-think that, taking another look at its guidance to businesses on what they have to tell customers if they transfer their personal data to a third party.
That is starting with a formal consultation with the private sector. Written submissions can be filed by June 4. The OPC will then clarify the rules on obtaining valid consent for cross-border data transfers of personal information.
“We know there are advantages to transborder data flows, but individuals ought to and do, under the law, have a say in whether their personal information will be disclosed outside Canada,” Therrien said in a statement.
Asked for more detail, a spokesperson for the OPC said, “We are now clarifying that organizations must not just obtain consent from individuals to use their personal information to deliver the service, they must also obtain consent if they are going to transfer the information to a third party, be it in Canada or outside the country.”
Since the breach, Equifax Canada and Equifax Inc. have taken steps to improve their security, accountability and data destruction programs, Therrien said. Equifax Canada has also entered into a compliance agreement.
The report adds to the wave of official criticisms of Equifax’s clumsiness in the incident. In December a U.S. Congressional committee concluded the breach was “entirely preventable.”
The most obvious error was the failure of IT staff to patch a vulnerability they had known about for two months in the Adobe Struts framework on one server, which led to the initial intrusion. However, that report — and an earlier U.S. Senate report — detailed a series of other security blunders by the company that compounded the problem.
The privacy commissioner’s report noted that personal information of Canadians became caught up in the breach at the parent company because they had obtained products, such as credit monitoring or fraud alerts, from Equifax Canada. These transactions were processed in the U.S.
While Equifax Canada ultimately agreed to offer free credit monitoring to breach victims for a minimum of four years, the company did not go as far as its parent company in regard to other post-breach protections, the report adds, particularly a credit freeze. A freeze allows people to restrict access to their credit files, thus reducing the chance of fraudulent or unauthorized credit checks.
“Canadians affected by the breach face the same risks, and it is unfortunate that Equifax Canada refused to offer a credit freeze option to affected Canadians,” Therrien said in a statement.
In a statement in response to the report, Equifax Canada said U.S. consumers have had the ability to freeze their credit files for several years, so Equifax was able to convert the existing functionality into a mobile lock-and-unlock service in the U.S. “Because the ability to lock a credit file is not currently available in the Canadian market, Equifax Canada has been working closely with our customers, government, industry groups and consumer advocacy organizations to ensure we understand their needs and concerns and adequately test before we would launch a similar service.”
“Although Equifax does not agree with all of the OPC’s findings and recommendations, we value our relationship with the OPC and the work that it does to protect Canadian consumers. As the OPC acknowledges in its report, since September 2017, Equifax has successfully implemented a broad range of measures to strengthen its security program. In addition, Equifax is in the process of implementing an enhanced global privacy and data governance program.”