Evidence of meeting #81 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Antonietta Di Napoli  Director, Global Operations, Equifax Canada Co.
John Russo  Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.
Clerk of the Committee  Mr. Hugues La Rue

4:25 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Thank you for that question, Ms. Fortier.

In terms of monitoring the dark web, we are monitoring the dark web for any suspicious traffic to ensure that your information is not being traded online. Canadians can be assured that we're looking out for those 19,000 to ensure that their credit card information, their birth date, SIN, are not being traded online so we can alert them to that fact.

The second part of your question, in terms of consumers generally getting educated about Equifax, we look forward to working with you and your constituents in your riding, be it through seminars or Equifax 101. We'd be happy to do this with any constituent riding and any MP. There are simple tips like just checking your credit file. You can do it for free in Canada. You can check your credit file every day if you want to. You can visit Toni's consumer relations and ask questions about your credit file and your credit information, and visit our website at Equifax.ca to get some of that background information. We like to do those Equifax 101 tours, as we call them, with regulators, consumers, consumer advocacy groups across the country so they're informed, so consumers have that information at their fingertips and can make better decisions when they're looking to apply for credit.

Toni works with consumers and she fields those calls pre-breach and post-incident so she can give you a flavour in terms of what consumers are asking for.

4:25 p.m.

Director, Global Operations, Equifax Canada Co.

Antonietta Di Napoli

Thank you, John.

Many of our consumers, as Mr. Russo said, are coming to us because they're denied credit, victims of fraud. Most of our conversations with consumers are really around credit education. We explain to them how credit works in Canada, how the credit score works, how to improve your credit, what affects a credit score. Our primary role, really, is consumer education. As John mentioned, Canadians can access their credit file for free, unlimited times throughout the year. There are many ways they can get it. They can visit one of our Equifax offices across the country. We have an automated telephone line that's available 24-7 to consumers. They can send their request in writing, and we'll be able to provide them a copy of their credit file.

As John also mentioned, there's an alert that can be added to their credit file. We encourage the non-impacted Canadians, if they are afraid or concerned about their credit, to take these steps in order to protect themselves.

4:25 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you.

Again, with respect to moving forward productively with Canadians and with your former clients, how do you plan to regain their trust? One thing that has repeatedly been raised to me is the time that elapsed, and we've been talking about this, between when you discovered the data breach and when you informed your customers. My other question is, what do you do in cases where there is no valid address or phone number, or a person just doesn't check their mail? How are they informed?

4:25 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Toni, do you want to take the second part of the question first?

December 4th, 2017 / 4:25 p.m.

Director, Global Operations, Equifax Canada Co.

Antonietta Di Napoli

Absolutely.

Obviously we realized that mailing to consumers may have presented some challenges. We did do lots of scrubbing of the data and that was one factor in some of the delay that caused us to do some of our mailings. We ensured that we had the proper, most current address. We verified the data. As you can imagine, we do have some of this information accessible to us so we were able to cross-reference and do some of that scrubbing of the initial data. There has been some mail returned to us and we are addressing that case by case, verifying if the addresses were incorrect to see if there was a new address with a different source, or possibly contacting creditors of these consumers to see if they have an updated address.

4:30 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

In regard to the first part of your question, Ms. Fortier, in terms of regaining trust, we've met with most of our members, if not all, in terms of answering their questions. We met with the CBA, the Canadian Bankers Association, to ensure that their members were fully informed. We've had meetings face to face. I've been out to many of our clients to work with them, to help mitigate any loss or harm that could be caused to consumers as a result of this incident. One is too many, so we want to make sure that we have processes and procedures in place at Equifax, because security starts with me as an employee. It starts with Toni. Everybody's in security, and we pride ourselves on that here in Canada. As well, our members can take steps at the bank, at the credit card companies, to put flags or alerts on consumers' files to inform them that they were part of this breach.

4:30 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mrs. Fortier.

Next up is Mr. Kent for five minutes.

4:30 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you, Chair.

Just for the benefit of the committee, could you describe the Canadian credit data universe? Besides Equifax Canada, which are the other service companies and what are their relative sizes and comparable annual revenues?

4:30 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Sure. I can't speak to our competition's, TransUnion Canada's, revenues. There are some smaller credit bureaus, but the two major ones in Canada are Equifax Canada and TransUnion. In the U.S., Mr. Kent, as you are probably aware, there are three: Experian, TransUnion, and Equifax. In terms of the revenues, I don't know about my competition's.... They're posted on their—

4:30 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

It's a pretty profitable endeavour, I would think, given that credit agencies, credit providers go to the best source of complete information on any of the individuals they may be dealing with.

4:30 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Equifax has been around for 118 years. We fulfill a service in the community in terms of allowing people to open up small businesses or apply for their first college or university loan. We help facilitate that, and we are just one small part in that ecosystem.

4:30 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Since word of the breach became public, has the Privacy Commissioner contacted you for explanations, for details, or did you proactively contact the Privacy Commissioner?

4:30 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

As I mentioned in my opening statement, within 24 hours either Ms. Bernier, as our counsel, or I had contacted each of the various privacy commissioners across Canada. The OPC has an open investigation, and we are working diligently with them to answer any and all questions they may have. We have been very co-operative. We run our privacy department in Canada based on the three Cs, communication, co-operation, and common sense, and we pride ourselves on that. We do that with all our partners and all our regulators.

4:30 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Can you provide us with any information about the current status of the two class action lawsuits? One of them, I believe, is for $550 million. I'm not sure what the claim is on the other. I assume you will defend these actions vigorously in court.

4:30 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Yes, and we have retained counsel to defend Equifax Canada based on the claims of the class action both here and in the United States.

4:30 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

At the moment, how long do you think it will take for the two class action suits to run their course?

4:30 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I can't even opine in terms of the.... I don't know what the backlogs or the courts are like these days. I haven't been in private practice for 10 years now. It's based on court volumes, so I wouldn't even want to fathom a guess on how long it would take to run through the courts.

4:30 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thanks, Chair.

4:30 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up, for five minutes, is Mr. Baylis.

4:30 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Going back, I would like to understand a bit more what happened in the United States. The Department of Homeland Security in March advised Equifax that there was a potential weakness in the system and that Equifax should install a patch. Is that correct?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Yes, there was a notice in terms of an upgrade to the software. The personnel responsible for that at Equifax, the team responsible for that, did not put the patch. The IT system that was supposed to run and see that the patch was in place did not catch that either, so there was a combination of human error and IT error.

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You were advised, but for whatever reasons it was decided or it didn't happen.

Had that patch been put in place, would that have protected this data?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

To the best of my knowledge, I wouldn't be here before you today—yes.

4:35 p.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

The concern I have, and it has been raised by a few of the members here, is what happens on the 13th month after someone's data has been stolen. If someone has stolen a credit card, it's not a big deal. We can replace a credit card. However, I can't change my SIN or my date of birth, and I probably don't want to move just because of this. There are a few things that are hardwired and that are going to be susceptible to being taken advantage of, say, on month 13 or month 14.

If that person is defrauded on month 13 and it costs them $20,000 to get their identity back or to fight the person who has taken it, how much will Equifax reimburse that person?

4:35 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

As I mentioned, the services we're offering, in terms of our industry norms, have been used in other breaches. In terms of working with the regulators, the 12-month period is an acceptable standard that we've seen in the past as we've supported many of those breached clients. Again, there are free services, like monitoring your credit file, where you, the consumer, can look at your credit file information to ensure that nobody has stolen your identity and that nobody has changed your address.