Credit bureau’s safeguards were “unacceptable” says Privacy Commissioner
The Privacy Commissioner of Canada has issued a rebuke to Equifax Canada and its US parent firm following a global data breach in 2017 which impacted 19,000 Canadians.
The credit bureau’s safeguarding of the personal data of Canadian consumers did not meet acceptable standards, the Commissioner said following an investigation.
The data breach occurred two months after Equifax Inc. became aware of a vulnerability that it had not fixed.
The Canadian customers impacted had purchased products such as credit reports, with transactions processed by the US parent. However, Canadian customers were not offered a credit freeze option, something that was offered to US customers.
Canadian customers were also not aware of the transfer of their data to the US.
"We know there are advantages to transborder data flows, but individuals ought to and do, under the law, have a say in whether their personal information will be disclosed outside Canada," said Daniel Therrien, Privacy Commissioner of Canada. "Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual."
The company has fallen short of adequate safeguarding of Canadians’ privacy on several counts, including retaining information too long; inadequate consent procedures; a lack of accountability for Canadians' information; and limited protection measures offered to affected individuals after the breach.
"Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company's privacy and security practices," added Commissioner Therrien.
Ironically, Equifax Canada recently reported that Canadians are putting their own personal information at risk through their online behaviour.
Policy changes, monitoring
Equifax Canada and Equifax Inc. have since made changes to policies to ensure they meet acceptable standards and entered into a compliance agreement.
Equifax Canada is also to submit third-party audit reports on its own security and that of Equifax Inc. to the Office of the Privacy Commissioner of Canada every two years for the next six years.
This will allow for ongoing monitoring of compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector privacy law, including assessing the steps taken by Equifax since the breach.