Evidence of meeting #81 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

Also speaking

Antonietta Di Napoli  Director, Global Operations, Equifax Canada Co.
John Russo  Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.
Clerk of the Committee  Mr. Hugues La Rue

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Is that the norm: this happens other places, and the norm is that we protect you for 12 months, and after that you're on your own?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

With regard to the cases in Canada and the standards, 12 months is a standard that has been set, yes.

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Who sets that standard?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

It has been used in other organizations. The courts have opined on it. You saw it with regard to Home Depot in terms of the class action there. It has been an acceptable norm in the industry and in industry practice for many years.

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Is that an accepted norm if there is no fault? Let's say Home Depot did everything right, and through no fault of its own someone managed to break in and take its data. However, in this case, it seems to be that there is blame to be put on the shoulders of Equifax. It was informed to do something and chose not to do it, so there is a fault there.

Is that the norm whether there's fault or no fault?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

In terms of the actions.... I can't opine in terms of the standard. Each organization's breach and situation is different. We're willing to work with all Canadian consumers who have been impacted. Given the scale of the 19,000 who have been impacted here in this country, with our consumer relations department and our incident response team, we take each individual Canadian independently and work with them to make sure they are confident that their information has not been compromised, that it has not been traded on the dark web.

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

I have a different type of question. Is there a standard set for security that should be used? We have standards for a number of different things, like electrical outlets. Is there a standard that companies with personal data have to adhere to?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

For example, in the credit card space, there are additional safeguards for PCI compliance. We went through that in 2015 at Equifax Canada. That PCI remediation and enrichment process helped in Canada. It encrypted our data. We tokenized our data for credit cards.

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Who sets that standard?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

The PCI standard policy and procedures organization.

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Has Equifax adhered to that standard for credit cards?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

For credit card information. Then there are other standards that we're regulated under, such as consumer reporting legislation, for example, which dictates where our information is stored, how it's accessed, and how we update it. There's consumer reporting legislation that dictates how we, as a credit bureau in Canada, operate our business.

4:40 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Were those standards being met when this breach happened or not?

4:40 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

In Canada, those standards were being met, yes.

4:40 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

But the breach happened in the United States, right? Do the Americans have equivalent standards, and were they being met?

4:40 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Equifax has standards in terms of when we transfer data: the standards we have here have to be at par, or better, where that information resides. In this situation, the policies and procedures were in place, but as a result of human error and IT error, the incident occurred, and the 19,000 Canadians were impacted.

4:40 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you.

4:40 p.m.

Conservative

The Chair Conservative Bob Zimmer

Up next is Mr. Weir for five minutes.

4:40 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

I'm struck by the fact that the credit monitoring industry does not seem to be very competitive. You mentioned three major companies in the United States and only two major companies in Canada. I suppose it stands to reason. There is a big cost to setting up a credit monitoring network, and once that infrastructure is in place, it doesn't cost too much more to cover additional individuals or businesses. Perhaps it's a bit of a natural monopoly.

Would you accept that lack of competition as a rationale for greater regulation of credit monitoring than other sectors?

4:40 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

In terms of the industry, who better to serve Canadians in terms of monitoring their information than Equifax? We have every trade, every credit card that reports to us, all our members, the banks, and everybody you bank with. That information, and being able to update and alert you to the fact that somebody has put a fingerprint on your file.... We're in that spot where we have that information and access to that information to help better serve consumers.

Your question is fair. There are not many more industries that would have that amount of data to be able to best serve consumers to fight fraud, and to be able to alert them as to who has touched or accessed their information.

In terms of fraud prevention and awareness, we're well positioned in the industry.

4:40 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

I suppose the pitfall of having all that data agglomerated in one place is that it's then potentially vulnerable to being stolen, which is what happened in this case. I wonder if you or your parent company have any estimates of the cost of this breach in terms of what it cost Equifax and what it might cost consumers.

4:40 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

It's in the millions for sure. I wouldn't have an estimate here. Again, the investigation is complete, but on the costs associated with it, as Mr. Kent mentioned, in terms of the litigation and dealing with the security measures we're putting in place, we want to be above and beyond any best practices and industry standard. We're working under our new interim CEO, Paulino Barros, to ensure that security comes first in our organization.

4:40 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

Has Equifax set aside a certain amount of money to compensate people whose security was breached?

4:40 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

There are reserves taken in all areas in terms of litigation reserves for each country, based on litigation happening in each of our 24 properties.

4:40 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

Okay, but at this point it's pretty difficult to put any sort of overall number on the cost of this episode, either to the company or to its customers.