When Equifax recently announced cybersecurity breaches over the summer (occurring from mid-May through July 2017), we learned that up to 143 million Americans were affected, along with “a limited number of residents in Canada and the UK”, according to one of the initial news releases. Criminals exploited a U.S. website application vulnerability to gain access to files; this was discovered at the end of July, and Equifax USA promptly engaged a leading, independent cybersecurity firm to conduct a comprehensive forensic review to determine the scope of the intrusion. The sensitive information compromised includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license and credit card numbers.
Consumers in Canada are frustrated – and rightfully so…
What’s troubling is that we still don’t know the degree to which the Equifax breach has affected Canadian consumers, but it is clear that it could be significant, and include those who have lived, worked or applied for credit south of the border.
Equifax Canada’s customer service agents are telling callers that only Canadians who have had ‘dealings in the United States’ are likely to be affected by the massive hack announced last week. Canadian and American credit files are kept separate; however, American companies can pull Canadians’ files with consumers’ permission, such as when a consumer applies for a loan in the U.S. Doing so generates a U.S. credit file on the consumer, the very target of the breach.
Equifax has set up a dedicated website and call centre to help consumers determine if their information has been compromised. However, the Office of the Privacy Commissioner of Canada (OPCC) says the website won’t help Canadians because consumers must enter the last six digits of their U.S. social security number in order to check the potential impact of the breach on their records. Instead, in an announcement published on September 12th, the Canadian privacy watchdog suggests that Canadians call Equifax directly.
If PIPEDA’s regulations on breach notification and reporting were currently in force, I am certain that Equifax Canada would be in even more serious trouble due to the lack of a proactive response to this data breach.
Mounting Reputational Costs for Equifax Canada
At the time of a significant data breach, transparency, accountability and clear communication are critical. We are only starting to learn about the greater impact of this massive breach on Canadians. For example, a managing director at CAA has recently announced that sensitive information of CAA members who signed up for an identity protection program was stored with Equifax USA. The auto organization’s program required members to register their personal information, such as credit cards, banking information and email address, with the option of providing a social insurance number. CAA has been trying, since the first reports of the Equifax breach became public, to determine from Equifax Canada if the breach affects the approximately 10,000 members who signed up for the program.
At least two proposed class action lawsuits have been started by the Merchant Law Group on behalf of Canadians who may have been affected by the hack.
In a short video on the breach, Equifax Chairman and CEO, Rick Smith, states “Equifax will not be defined by this incident, but rather by how we respond”. Ironically, the lack of a response for Canadians is clearly resulting in significant reputational costs north of the border.
For assistance with ensuring you have a robust and compliant Canadian breach response plan in place, contact PRIVATECH.