Canada: The Many Lessons Of The Equifax Data Breach

Last Updated: May 1 2019
Article by Lisa R. Lifshitz

In a sweeping and detailed report of findings in the Equifax decision released on April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) severely critiqued the privacy and security practices of Equifax Inc. and Equifax Canada Co. in effect at the time of the 2017 data breach that compromised the personal information of 143 million people, including 19,000 Canadians.

Hackers had initially gained entry to Equifax's systems on May 13, 2017 by exploiting a known vulnerability in the Apache Struts software platform supporting an online dispute resolution portal (not available to Canadian consumers), ultimately accessing the personal information of Canadians (including names, addresses, dates of birth and social insurance numbers). While Canadian credit files were stored by Equifax Canada on servers located in Canada and segregated from Equifax's systems, Equifax Canada transferred information from its credit files to Equifax in the U.S. in order to deliver direct-to-consumer products to Canadian customers that were only available through Equifax Consumer Solutions (ECS), a US-based subsidiary of Equifax. Equifax Canada's security policies, direction and oversight were largely managed by its parent company, Equifax. Although Equifax was notified of the vulnerability in its portal, and of the related patch to correct it, on March 8, 2017, it chose not to implement the fix, and the breach was only detected on July 29, 2017 when an expired SSL certificate was belatedly updated.

The Equifax decision, together with the related compliance agreement between the OPC and Equifax Canada (which sets out detailed timelines for corrective measures to be put in place by Equifax Canada regarding consent, safeguards and accountability, in addition to six years of third-party audits), offers a treasure trove of practical lessons for organizations looking to comply with the Personal Information Protection and Electronic Documents Act (as well as some surprises).

What is reasonable security for sensitive data? 

PIPEDA requires that personal information be protected by security safeguards appropriate to the sensitivity of the information, including physical, organizational and technological measures. However, past OPC decisions were frustratingly light on the specifics of what was actually required to achieve minimum security compliance. The Equifax decision devotes several pages to a detailed analysis of the deficiencies in Equifax's and Equifax Canada's existing security programs, including inadequate vulnerability management, inadequate network segregation and both parties' failure to implement even basic information security practices. Plainly put, organizations like Equifax that handle sensitive data are expected to have robust security programs that accurately assess the security risks faced, protect against those risks and ensure that the programs are actually implemented in practice. Both Equifax and Equifax Canada failed miserably on all of these grounds, with extensive examples provided in the decision.

Data retention/destruction requirements are more than just paper 

PIPEDA also requires that once personal information is no longer required by an organization to fulfill identified purposes, it should be destroyed, erased or made anonymous and all organizations must develop guidelines (and implement actual procedures) to govern the destruction of personal information. Practically, this is where companies often go wrong as they consistently hang onto old data indefinitely. Even worse is when organizations have enacted retention policies but these fail to be followed.

According to Equifax's own Global Retention Policy, the personal information of 8,000 Canadians held in Equifax's GCS should have been deleted either after five years (for account registration information), two years (for other account information), or after one year (for credit reports and alerts contained in the GCS) respectively. The record owner was supposedly responsible for implementation of the retention policy for a particular record, and compliance with the policy was supposedly being monitored. In reality, there was no process in place to delete Canadian personal information in compliance with this policy and no Canadian personal information had been deleted since at least 2010.
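As an added illustration, not drawn from the decision or from any Equifax tooling, the following Python sketch shows what an enforced version of the three retention tiers described above could look like: it computes each record's deletion deadline, lists the records past that deadline as of a given date, and flags records with no identified record owner or no matching policy tier (the two gaps the OPC found). The category labels, owner names, sample records and as-of date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention tiers in years, as the article summarizes Equifax's Global
# Retention Policy. The category keys are this example's own labels.
RETENTION_YEARS: Dict[str, int] = {
    "account_registration": 5,
    "other_account_info": 2,
    "credit_report_or_alert": 1,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    record_owner: Optional[str]  # person accountable for applying the policy


def retention_deadline(record: Record) -> Optional[date]:
    """Date by which the record must be deleted, erased or anonymized.
    Returns None when the category is not covered by any policy tier."""
    years = RETENTION_YEARS.get(record.category)
    if years is None:
        return None
    try:
        return record.created.replace(year=record.created.year + years)
    except ValueError:  # created on Feb 29 of a leap year; roll to Mar 1
        return date(record.created.year + years, 3, 1)


def overdue_records(records: List[Record], as_of: date) -> List[Record]:
    """Records whose deadline has passed, oldest missed deadline first."""
    dated = [(retention_deadline(r), r) for r in records]
    overdue = [(d, r) for d, r in dated if d is not None and d < as_of]
    return [r for _, r in sorted(overdue, key=lambda pair: pair[0])]


def ownerless_records(records: List[Record]) -> List[Record]:
    """Records with no named owner; nobody is accountable for deleting them."""
    return [r for r in records if not r.record_owner]


def unclassified_records(records: List[Record]) -> List[Record]:
    """Records whose category has no retention tier; the policy is silent."""
    return [r for r in records if retention_deadline(r) is None]


def retention_report(records: List[Record], as_of: date) -> Dict[str, object]:
    """Summary a privacy officer could use to verify the policy is applied."""
    overdue = overdue_records(records, as_of)
    oldest = retention_deadline(overdue[0]) if overdue else None
    return {
        "total": len(records),
        "overdue": len(overdue),
        "ownerless": len(ownerless_records(records)),
        "unclassified": len(unclassified_records(records)),
        "oldest_missed_deadline": oldest.isoformat() if oldest else None,
    }


# Constructed sample inventory; dates and owners are invented for the demo.
SAMPLE_RECORDS = [
    Record("R1", "account_registration", date(2010, 6, 1), None),
    Record("R2", "other_account_info", date(2016, 1, 15), "cpo-office"),
    Record("R3", "credit_report_or_alert", date(2016, 3, 10), None),
    Record("R4", "credit_report_or_alert", date(2017, 2, 1), "gcs-team"),
    Record("R5", "marketing_export", date(2012, 9, 30), None),
]
AS_OF = date(2017, 7, 29)  # constructed audit date for the sample run

if __name__ == "__main__":
    print(retention_report(SAMPLE_RECORDS, AS_OF))
```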

Moreover, in one of the more Keystone Cops moments, the OPC found that no one at Equifax seemed able to identify who the record owner was for personal information held in the GCS databases, or even the name of the person at Equifax responsible for the compliance functions described in the retention policy. Ouch. This reiterates the importance of data retention and destruction practices at the corporate level (the less data held, the less will be exposed in the event of a breach), as well as emphasizing the need for proper employee training and verified compliance monitoring for policies of this nature.

Accountability must be real (or, the language in the terms of use/privacy policy counts)

Under PIPEDA's accountability principle, an organization remains responsible for personal information under its control (including information that has been transferred to a third party for processing) and therefore organizations must use contractual or other means to provide a comparable level of protection while the information is being processed by the third party. The OPC spent considerable time analyzing the relationship between Equifax and Equifax Canada and ultimately concluded that Equifax was a third party with respect to Equifax Canada for the purpose of information handling, regardless of corporate structure. 

Practically, the lines were blurry, however. Equifax handled payments made by Canadians who purchased fraud alert services on their Equifax Canada credit card file and Canadians interested in obtaining direct-to-consumer products were directed to apply to the GCS system, hosted in the U.S. Both companies tried to argue that Canadian consumers knew that they were contracting separately with ECS, rather than Equifax Canada. However, the application process took place on the Equifax.ca webpages and Equifax Canada's terms of use asserted that the products and product features available via its website were provided by Equifax Canada. Moreover, from February 2011 to September 2015 the Equifax Canada privacy policy made no mention of Equifax, ECS or to any potential transfers of personal information to any organization for the delivery of products. The Equifax Canada Chief Privacy Officer was publicly designated and assigned responsibility for ensuring Equifax Canada's compliance with PIPEDA. The privacy policy also stressed that to the extent Equifax Canada had to transfer personal information to a third party in Canada or across borders for processing, Equifax Canada contractually required such a third party to protect customer personal information in a manner "consistent with our privacy safeguarding measures, subject to the law of the third-party jurisdiction." 

In highlighting the importance of the role of the chief privacy officer in ensuring that data being processed by a third party enjoys a level of protection comparable to that required by PIPEDA, the OPC also reminds us that the CPO must actually have adequate tools and structures in place to enable them to be truly accountable for the handling of personal information.

At the time of the breach, the Equifax Canada CPO did not have such controls in place (including any formal written arrangement with Equifax or ECS that spelled out the specific rules, regulations and standards that need to be complied with in the handling of personal information, information security obligations, acceptable uses of the information, retention and destruction obligations, or reporting and oversight arrangements) nor were there any basic accountability controls. Instead, the OPC found general confusion on the part of Equifax Canada regarding the scope of Canadian personal information collected and retained by Equifax and roles and responsibilities with respect to the handling of Canadian personal data by Equifax.

The OPC used European-style privacy language to state that "as Equifax Canada is the controller for this personal information," Equifax Canada's designated privacy officer is accountable for the personal information wherever it is held or processed. This also meant that Equifax Canada could not blindly rely on third-party audits, like the annual ISO 27001 compliance certificates regarding Equifax's information security compliance, if Equifax Canada had reason to doubt them (and was privy to other information that raised concerns) regarding Equifax's actual PIPEDA and related security compliance. This suggests that the OPC expects organizations to take further measures to assess the security of Canadian personal information held by third parties and to ensure that any necessary corrective measures are undertaken in a timely way.

Mitigation efforts are critical 

It's a truism that while data breaches are almost inevitable, how they are handled also counts in reducing the risks to individuals affected by the breach. PIPEDA also requires organizations to undertake appropriate mitigation measures to protect against future unauthorized use of personal information. Equifax/Equifax Canada scored badly on this measure as well – for example, the Equifax Canada CPO was not notified by Equifax of the breach until hours before Equifax itself went public on September 7, 2017, despite the involvement of Canadian data. Oops.

Even worse, the companies did not coordinate the initial breach notification to affected Canadians: the first letter to them invited them to access credit monitoring through a portal that did not actually allow access and was set up for Equifax customers only. Oops again.

The OPC was also unimpressed that Canadians were initially offered only one year of free credit monitoring, less than their U.S. counterparts (this was eventually changed to four years in total). Canadian customers never did receive access to the 'Lock & Alert' credit freeze service provided to U.S. consumers, which would have allowed them to lock and unlock their credit file on demand.

The changing nature of consent for cross-border data

Perhaps the most controversial aspect of the Equifax decision stems from its assertion that Equifax Canada should have obtained valid express consent of Canadians before disclosing personal information across the border to Equifax (given the sensitive nature of the financial data involved and that individuals would not have reasonably expected their data to be transferred to a third party outside of Canada).

This is problematic in several respects, as this analysis flies in the face of years of guidance from the OPC, reiterated repeatedly (including in the 2012 Privacy and Outsourcing for Businesses guidance document), that a transfer for processing is a "use" of the information, not a disclosure. Assuming the information is being used for the purpose for which it was originally collected, additional consent for the transfer is not required; it is sufficient for organizations to be transparent about their personal information handling practices. This includes advising Canadians that their personal information may be sent to another jurisdiction for processing and that, while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.

It is entirely true that Equifax Canada did less than a stellar job meeting the transparency requirements in its terms of use or its privacy policy regarding the transfer of personal information outside of Canada, and further clarity was definitely warranted so that consumers could better understand that their information was being disclosed by Equifax Canada to Equifax/ECS in order to receive certain services. Even so, the OPC's reinterpretation represents a significant departure from what was expected by Equifax Canada, or frankly by anyone who follows the OPC's guidance in this area (the OPC itself acknowledged that Equifax Canada was acting in good faith in not seeking express consent for these disclosures, based on previous OPC guidance). Nonetheless, Equifax Canada agreed, in the compliance agreement with the OPC, to seek additional express consent (for example, positive action by individuals to affirm consent) from any current customers of Equifax or its affiliates that are receiving Canadian direct-to-consumer products by December 31, 2019. Equifax Canada was also chided in the Equifax decision for not explaining other options to Canadian customers that did not involve Equifax obtaining Canadian personal information, including obtaining access to their Equifax Canada credit report through the free credit report service provided by snail mail rather than through the U.S.-only online access.

The OPC's implement-first-ask-permission-later approach to changing the consent requirements for cross-border data transfers is troublesome at best and, judging from initial reactions, sits uneasily with many (me included).

Likely knowing this, at the same time it released the Equifax decision the privacy commissioner also announced a "Consultation on transborder dataflows" under PIPEDA, covering not only cross-border transfers between controllers and processors but also other cross-border disclosures of personal information between organizations. The GDPR-style language used in this document is no accident: our regulator is seemingly trying to ensure the continued adequacy designation of PIPEDA (and continued data transfers from the EU to Canada) by adopting policy reinterpretations (and new policies) pending any actual legal reform of our law. Meanwhile, the OPC's sudden new declaration that express consent is required if personal information will cross borders (and the related requirement that individuals be informed of any options available to them if they do not wish to have their personal information disclosed across borders) introduces a whole new level of confusion and complexity regarding the advice practitioners are supposed to give their clients pending the results of the consultation, not to mention the potential negative business impacts (for consumers and vendors of cloud/managed services and mobile/ecommerce services, to name just a few examples) that may arise as a consequence. Comments have been requested by June 4, 2019.

This article originally appeared as Lisa's IT Girl column in Canadian Lawyer Online

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
