Evidence of meeting #81 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Antonietta Di Napoli  Director, Global Operations, Equifax Canada Co.
John Russo  Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.
Clerk of the Committee  Mr. Hugues La Rue

4:05 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

The number of Canadians affected seemed, at least for a while, like a moving target. We talked about 100,000 and 19,000. At one point in time, the number 8,000 was out there. At this point, are we pretty solid on the number of 19,000?

4:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Yes, the investigation is complete, and the number is approximately 19,000. The reason was that the forensic investigation was ongoing at that time, so we put out that number as a preliminary estimate in order to make clear that the magnitude of the breach in Canada was limited in comparison to the U.S. Our forensic experts advised us that it was up to 100,000 that may have been impacted in Canada.

When we went and got the final numbers, there was always that credit card issue, which was that 209,000 credit cardholders were impacted. That number had certain Canadian components to it, which we later identified, so there was the 8,000 plus 11,000 credit cardholders for a total of about 19,000 Canadian residents.

4:10 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

Do you have a sense of who hacked Equifax?

4:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

We don't have that information at this time.

4:10 p.m.

NDP

Erin Weir NDP Regina—Lewvan, SK

When you say criminals hacked Equifax, do you mean that the hacking itself was the crime?

4:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Yes, I mean with the FBI it's currently a criminal investigation in the U.S., because the act was a criminal act by whoever committed it.

4:10 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Weir.

Next up is Mr. Picard for seven minutes.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you, Mr. Chair.

If I understand correctly, you sell your clients identity theft protection services.

Is that right?

4:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

We offered identity theft protection to consumers who were impacted.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Is it a product that Equifax offers to its clients in general, similar to a service or product like insurance, for instance?

4:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Equifax has two types of services. There are commercial and consumer services. This is a consumer service we offer to Canadians, which we sell online for identity theft protection and identity theft insurance. It's called credit monitoring.

December 4th, 2017 / 4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

So you sell an identity theft protection service.

For example, if someone by chance takes my identity because of an error with my bank or a transaction I made in a store, will I be protected through you if I'm an Equifax client?

Does the fraudulent transaction through which my identity was stolen have to involve information from the Equifax database?

4:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

You don't have to be a victim to use the services we offer. You could buy credit monitoring today if you're a concerned Canadian and want to put those protections in place. We have the credit monitoring service. We have our free credit report.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

That's not the question I'm asking.

If I am an Equifax client, and I pay insurance for identity theft protection and my identity is stolen following a transaction in a store or restaurant, does the Equifax identity theft protection service cover losses incurred because of the fraud?

4:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

No. The identity theft insurance would cover you for out-of-pocket expenses. If you have to hire a notary or a lawyer, or if you have to take time off work to rehabilitate your stolen identity, that would be covered in the $50,000 insurance. The losses for the credit card company would arise if your credit card was stolen and somebody went to the restaurant and used your card to pay for a meal. That would be up to the card carriers and issuing banks to cover.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Have you assessed the financial cost of the piracy Equifax suffered?

4:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Given that our number one priority has been protecting consumers, I wouldn't have figures in terms of what that cost. What I can tell you is that the services we're offering are free to consumers who have been impacted.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I don't want to know what happens afterwards, but what happens before.

Is there an annual amount at Equifax that generally covers your risk management expectations?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Yes, there are reserves that companies take to help protect against that, as well as insurance, cybersecurity insurance.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Is it a percentage or a set amount?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

It's a percentage. You may have heard from the U.S. testimony that about 12% of our IT budget was spent in terms of cybersecurity protection and security for the IT systems in place.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

What steps do you take to screen the candidates you recruit into your IT department?

4:15 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I don't work in HR or security, but I could get back to you on that question in writing with regard to our HR procedures and policies. I can tell you that there are background checks that all Equifax employees go through—a thorough background check.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I would like your company to provide the committee with the recruiting procedures and security measures used for hiring and recruiting IT staff.

4:15 p.m.

Conservative

The Chair Conservative Bob Zimmer

Okay.