Conclusions go beyond safeguards implicated in data breach and lead to significant re-thinking of transfers of personal information

On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) released its report of findings related to the Equifax data breach. On September 7, 2017 Equifax Inc. publicly announced that an attacker had accessed the personal information of more than 143 million individuals and later reported that the breach affected around 19,000 Canadians. The OPC commenced an investigation and concluded that the breach affected some Canadians whose information was collected by US-based Equifax Inc. (also referred to as “Equifax US”) and some Canadians who had purchased or received products, such as fraud alerts from Canada-based Equifax Canada Co. (“Equifax Canada”). The nature of the information and how it was acquired by either Equifax entity is described by the OPC in its report of findings:

The affected personal information was collected by Equifax Inc. from certain Canadian consumers who had direct-to-consumer products or fraud alerts. The direct-to-consumer products included paid online access by individuals to their Canadian credit report, credit monitoring, and alert services (in relation to their Canada credit files). The information was collected by Equifax Inc. as it plays an integral role in delivering these direct-to-consumer products and processing certain fraud alert transactions.

Attackers gained access to Equifax Inc.’s systems on May 13, 2017 by exploiting a known vulnerability in the software platform supporting an online dispute resolution portal that is part of Equifax Inc.’s Automated Consumer Information System (“ACIS”). They then operated undetected within Equifax Inc.’s systems for a period of time and ultimately gained access to Canadian personal information unrelated to the functions of the compromised portal.

Information in Canadians’ credit files is stored by Equifax Canada on servers located in Canada and segregated from Equifax Inc.’s systems. However, during the process of delivering direct-to-consumer products to Canadians, information from credit files needed to fulfil these products is transferred to Equifax Inc. in the US. For instance, a static copy of a full credit file is transferred by Equifax Canada to Equifax Inc. if a credit report is purchased by a consumer. While Equifax Canada’s servers are segregated from Equifax Inc.’s systems, Equifax Canada’s security policies, direction and oversight were, and are, largely managed by Equifax Inc.

The OPC concluded that both Equifax Canada and the US parent fell short of their privacy obligations to Canadians, focusing on five different areas of compliance:

(1) Safeguards of Equifax US and Equifax Canada: Directly stemming from the data breach, the OPC found that neither Equifax US nor Equifax Canada implemented safeguards that were adequate as required under PIPEDA. Overall, the OPC concluded that vulnerability management, network segregation, implementation of basic information security practices, and oversight were deficient at Equifax US. Equifax Canada was found to lack adequate safeguards in terms of oversight, vulnerability management and the implementation of basic information security practices.

(2) Conformity with Retention / Destruction Requirements: The OPC investigated whether personal information was being retained longer than was reasonably necessary It concluded that there was no process in place to delete Canadian personal information in compliance with the Equifax US data retention policy. The policy was not being followed, monitored or complied with. 

(3) Accountability of Equifax Canada for protecting personal information: The OPC found that in the aftermath of the breach, there were a number of significant communications failures with the public and directed at Canadian consumers. The scope of Canadian data involved was unclear and was communicated in an unclear manner. Some of the information provided by the companies to the OPC were contradicted by information provided by consumers. The companies did not have a sufficient handle on what information they had, where it was from and who was responsible for it. 

(4) Adequate consent by Canadians for collection and disclosure of information: This may be the most interesting and consequential finding from the Equifax case. Though the OPC has historically seen transfers of personal information from one entity to another for processing as not requiring consent, the OPC has changed its position:

109. Providing adequate information about available choices when an individual is consenting to the collection, use or disclosure of their information is a key component of valid consent. In this case, it appears reasonable to require consent to the collection of information by, and disclosure of information to, Equifax Inc. as a condition of the online Canadian direct-to-consumer products, as Equifax Canada does not offer these products in-house. However, an individual would still have choices. In addition to the simple option of “not signing-up” for Equifax Canada credit file monitoring or other products, individuals interested in obtaining access to their Equifax Canada credit report could choose to use Equifax Canada’s free credit report service, provided by postal mail and avoiding any information disclosure to Equifax Inc. Equifax Canada does not currently communicate the difference in disclosures to consumers in the course of delivering online or postal access, i.e., that the former involves collection of information by Equifax Inc. and transfers of information to Equifax Inc. in the US, whereas the latter does not.

110. In summary, Equifax Canada was not adequately clear about: (i) the collection of sensitive personal information by Equifax Inc., in the US, (ii) its subsequent disclosures of sensitive personal information to Equifax Inc., and (iii) the options available to individuals who do not wish to have their information disclosed in this way. Consequently, with respect to Equifax Canada’s practices to obtain consent for collection of personal information by Equifax Inc., and disclosure of personal information to Equifax Inc., the matter is well-founded.

111. However, as noted in para. 101 above, we acknowledge that in previous guidance our Office has characterized transfers for processing as a ‘use’ of personal information rather than a disclosure of personal information. Our guidance has also previously indicated that such transfers did not, in and of themselves, require consent. In this context, we determined that Equifax Canada was acting in good faith in not seeking express consent for these disclosures.

(5) Adequate Mitigation Measures: In the aftermath of the breach, the OPC concluded that offering a brief period of credit monitoring was inadequate relative to the scope of service Equifax could provide to Canadians in the circumstances, especially where better products (e.g. lifetime credit freezes) were offered to Americans affected by the same breach.

In the end the OPC made a number of recommendations, most of which are binding on Equifax as a result of entering into a compliance agreement between Equifax Canada the OPC: 

161. The following recommendations relate to contraventions found in Sections 1, 2, and 3 of this report, i.e. Safeguards and Retention by Equifax Inc. and Accountability of Equifax Canada. We recommended that Equifax Canada:

1. Implement a procedure to keep the written arrangement with Equifax Inc., covering all Canadian personal information under Equifax Canada’s control collected by Equifax Inc. and disclosed to Equifax Inc., up-to-date.
2. Institute a robust monitoring program by Equifax Canada against the requirements in the arrangement, and a structured framework for addressing any issues arising under it.
3. Identify Canadians’ personal information that should no longer be retained by Equifax Inc. according to its retention schedule and delete it.
4. Every two years, for a six-year term, provide to our Office:
   1. a report from Equifax Canada detailing its monitoring for compliance with the arrangement described in b. above;
   2. an audit report and certification, covering all Canadians’ personal information processed by Equifax Inc., against an acceptable security standard, conducted by an appropriate external auditor; and
   3. a third party assessment, covering all Canadians’ personal information processed by Equifax Inc., of Equifax Inc.’s retention practices.

162. The following recommendations relate to contraventions found in Section 5 of this report, ie. Safeguards of Equifax Canada. We recommended that Equifax Canada:

1. Provide our office with a detailed security audit report and certification, covering all Canadian personal information it is responsible for, against an acceptable security standard, conducted by an appropriate external auditor every two years for a six-year term.

The re-thinking of consent and outsourcing in this finding has led to the OPC’s consultation on transborder dataflows, which is seeking input on this radical change in position by the OPC, discussed in the April 17 edition of the CanTech newsletter.