Equifax Canada and U.S.-based parent Equifax Inc. failed to “implement appropriate security safeguards given the volume and sensitivity of the personal information held by Equifax Inc.,” according to the Office of the Privacy Commissioner of Canada (OPC).
In a breach that began in May 2017, an estimated 19,000 Canadians had their social insurance numbers and other identifying information stolen from Equifax. The attack was not publicly disclosed until September 2017, and Canadian consumers were not promptly notified, even though their data had been stored on Equifax Inc.'s servers in the U.S. and was caught up in the breach. In addition, remedies Equifax offered to affected U.S. consumers, such as a credit freeze, were not offered to Canadians.
In the investigation report published today, the OPC found that Equifax’s safeguards lacked “basic information security practices” and were “indicative of long-term systemic issues.” Crucially, Equifax Canada relied on the policies and practices of its parent company, Equifax Inc., to satisfy Canadian law. However, numerous aspects of that arrangement fell short, including consumer consent; data collection, retention, and transfer; and third-party access. Furthermore, Equifax failed to take appropriate steps to protect Canadian consumers after the breach.
Though Equifax has improved its security practices since the breach, the OPC is recommending that Equifax audit its data retention and monitoring programs and submit a report, including a third-party assessment, every two years for the next six years.
Daniel Therrien, Privacy Commissioner of Canada, summarized the findings: “Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices.”