Information & Ethics Committee on Dec. 4th, 2017

That's an excellent question, Mr. Kent. We're looking at all alternatives with regard to how we can better do our business. Security starts with us as employees, and I can assure you, as our interim CEO said in the Senate hearings, that we will fix this, and whatever the options are in terms of working with this committee or working with others in Parliament to better serve Canadians, we're all for them.

That's at the board level, and I'm not privy to that decision. I can assure you that I've worked with Mr. Barros for the past 10 years. He has been in many capacities, as international president and as president of U.S. business, and he's a man of integrity. His background is in engineering, and when he says he'll fix it, he'll work his darndest to make sure it gets done.

Thank you very much for those two questions.

In regard to what we're doing here in Canada, as I mentioned, we've retained globally PwC and Mandiant to work with all the Equifax entities. We have 24 companies across the world, and we're working with them.

In terms of the closed-loop confirmation that I mentioned earlier, where we not only issue the order to patch, but we also receive confirmation that it was patched, that's in place. I mentioned in my opening statement that it used to take 48 hours to put such patches in place. That has been decreased to 24 hours or less, in terms of what we're doing globally.

We're also refining any existing industry best practices, procedures, and standards. We want to be above industry best practices. I didn't mention that the chief security officer now reports to our interim CEO, so the corporate governance structure has changed at Equifax in terms of accountability. We're centralizing that security rather than having a decentralized system country by country. We're working with all those individuals. We've appointed a chief transformation officer as well to get some better transparency from a security and IT perspective not only in Canada but also globally, so that this incident won't occur in the U.S., in Canada, in Argentina, or anywhere else we operate.

In regard to your second question, on the reputations of affected consumers, Toni's team works individually case by case with each individual consumer. We have call centre representatives who are able to alleviate any consumer concerns or frustrations in terms of walking them through what has transpired, if anything, with their information. We have protections in place that have been used in incidents a lot larger than ours to afford Canadians protection. Again, our number one priority is the Canadian consumer. I've heard from neighbours, friends, family. This affects everybody's reputation. We have 10,000 employees globally. It affects them as dearly as it does the Canadians who were impacted.

At the same time, we want to ensure that Canadians are afforded the best protections there are in the market, based on the regulatory situations in each country. There's a different regulatory situation in the U.S. from that in Canada. We want to make sure we apply those to each country individually to best represent those individuals.

With regard to the impacted data, our core consumer and credit database, the daily transactions we do with banks, the information we sell to the banks, was not impacted at all here in Canada. Again, the 18,000 was with regard to payment, process, and data that resided in the U.S. where there was a transaction between a consumer and our U.S. merchant.

In terms of the timeline, I just want to clarify the Canadian portion of the records that were impacted came to light on or about September 4 or 5, with all the experts and everybody working around the clock. The Canadian pieces came to light late in the game, in the investigation. When we found out my timeline on the 7th, we notified all the appropriate commissioners. We contacted our clients. We did what we could from a Canadian perspective to best serve those Canadian constituents, and at the time we didn't even know how many there were. We worked with our incident response team and our leadership team in Canada to make sure we got the correct information, that we worked with our teams south of the border to ensure we had all the tools at our fingertips. Once we had that information, we provided the consumers with the protections in place, the monitoring they could subscribe to affording them protection of their identity, and you heard the features of that product.

To ensure this doesn't happen again, just to summarize, we've enhanced our vulnerability scanning, our patch management processes and procedures. We've reduced the scope of sensitive data retained in our back-end databases. We've also increased restrictions and controls for accessing data housed within critical databases. We've deployed additional web application firewalls. The list goes on in working with internal and external experts. It wasn't that we didn't have good systems in place, but we want to be better.

Our team is working with the commissioner's office, along with our external counsel, Ms. Bernier. We've had regular meetings with them since the initial phone call within the first 24 hours when we were notified on September 7. We've worked with them. We've worked with all the privacy commissioners across Canada. The investigation is ongoing. We're, again, compiling our answers to the questions they had and working to answer them in a fulsome manner so they can complete their investigation in due course. We've been very transparent. Again, accountability and transparency drive our corporation, and we want to make sure we're doing the best for the consumers and the best for all our clients.

In terms of the Mandiant report?

It's a confidential report.