Following an investigation into the 2017 Equifax data breach incident, the federal government has called out the credit monitoring agency – and its Canadian counterpart – for falling short of their privacy obligations.
According to a release from the Office of the Privacy Commissioner of Canada, the investigation uncovered a number of privacy concerns that Equifax had failed to address, such as “poor security safeguards; retaining information too long; inadequate consent procedures; a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.”
The federal agency added that these issues not only led to the data breach, but also made its impact even worse. The breach affected over 143 million people worldwide – including 19,000 Canadians.
“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” privacy commissioner Daniel Therrien said in a statement.
Equifax has agreed to enter into a compliance agreement to address its security concerns. As part of the agreement, the company and its Canadian subsidiary will submit third-party audit reports on their own security to the privacy commissioner every two years for the next six years.
While Equifax Canada agreed to offer free credit monitoring to victims of the breach for a minimum of four years, the subsidiary did not adopt other post-breach protections as its US parent company had done, the privacy commissioner stated. The federal agency even noted that Equifax US had offered its customers a credit freeze, while Equifax Canada had not.
“Canadians affected by the breach face the same risks, and it is unfortunate that Equifax Canada refused to offer a credit freeze option to affected Canadians,” Therrien commented.
Some complainants even told the privacy commissioner’s office that they were surprised to learn that their information had been transferred from Canada to the US – an action the federal agency has found to be inconsistent with Equifax’s obligation under the Personal Information Protection and Electronic Documents Act to obtain consent from individuals before disclosing their personal information to third parties.