Evidence of meeting #81 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Antonietta Di Napoli  Director, Global Operations, Equifax Canada Co.
John Russo  Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.
Clerk of the Committee  Mr. Hugues La Rue

5:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I see, so even though 145 million Americans and 19,000 Canadians have their data made more public, the investigation of that internally is not going to be made public.

Of the 19,000 Canadians, how many people have opted into the 12-month free subscription?

5:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

So far we have about 1,700 Canadians. Toni has an updated number as of this morning.

5:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Is that the number of Canadians affected who've opted in to the program so far?

5:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

The initial mailing, just to set the level, was 8,000. Of those 8,000, over 1,600 people have subscribed to that. The second mailing in regard to the 11,000 went out within the last few days, so we're seeing an uptick in terms of people starting to subscribe to that. It was 22%.

5:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

You've undertaken to provide this committee with the number of Canadians affected in the United States, as well. Will you also provide this committee with information about the number of affected Canadians in the United States who have opted in to this additional protection program as well?

5:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

We'll make our best efforts to.

5:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks.

Are there any reports of identity theft? Has there been any identity theft reported to Equifax either in the United States or in Canada?

5:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

To the best of my knowledge, not to my knowledge. Toni can speak to consumer relations.

5:05 p.m.

Director, Global Operations, Equifax Canada Co.

Antonietta Di Napoli

I only have information based on Canadian consumers, and we have not had any complaints in regard to identity theft or fraudulent activity from the impacted Canadians who we identified.

5:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

To follow up on a previous question of mine, on March 8 or March 9, DHS notified Equifax in the United States of a data vulnerability, and there was an internal audit run in some fashion by internal security officials. They found nothing, to your knowledge, and you're going to get us information if there has been. There was no follow-up with DHS.

Was there any follow-up from senior officials at Equifax or senior management as to their own security team to say, “So you just did one sweep, didn't find anything, but DHS just said it was a problem,” or was there just radio silence between March 15 and the end of July?

5:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Our former CEO, Rick Smith, was told about the suspicious activity on July 31.

5:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Right, but if you're in a senior management position, and DHS has told you there was a problem.... You're going to get us information as to whether you followed up with DHS, but was there any internal follow-up after that March 15 sweep, or was that sufficient to satisfy concerns of senior management?

5:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I am here in my capacity as Canadian CPO.

5:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Fair enough.

5:05 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I wouldn't have that knowledge. I wouldn't be privy to that information. Sorry.

5:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

It occurs to me, DHS notifies Equifax of a security vulnerability, there is one sweep done, and then.... I should also add that I have information here that says, “Equifax did not take advantage of DHS' Automated Indicator Sharing program that enables the exchange of cyber threat indicators between the private sector and government” and a patch was not adequately installed as it ought to have been.

When you add up all these factors, would you characterize that as negligence on behalf of your parent company?

5:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

I would not characterize that as negligence.

5:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Well, allow me to characterize it as negligence. You have that negligence and where there are damages that might flow to Canadian consumers, ought not Equifax make these Canadians whole and ensure that no Canadian experiences any damages, any loss at their own expense as a result of the negligence of Equifax?

5:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

We're taking steps by monitoring the dark web to ensure that this information is not being traded, not being compromised. Again, we're offering the premier product to ensure Canadians have protections in place. We have the call centre available to answer any questions or concerns that Canadians may have. We're taking all the best steps and practices and working in tandem with the OPC with their guidance to make sure that we're doing the best thing for each individual Canadian consumer.

December 4th, 2017 / 5:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Can you provide this committee with—in writing, I expect you don't have it today—the detailed steps Equifax is taking to monitor the dark web? I'm not entirely sure what that means.

You mentioned Home Depot as an example, and in response to Mr. Baylis's questions, you said that the 12-month offer of additional services is sort of a standard in relation to these breaches, and you pointed to Home Depot.

You may also be aware, though, of course, that Home Depot settled a class action suit against them in relation to that privacy breach, so you would fully expect, I would assume, to set aside some funds for a class action suit and to make sure Canadians are made whole through that process.

5:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

We manage the litigation process with our litigation counsel.

5:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I ask only because you had said that Home Depot is a good example. Home Depot paid hundreds of thousands of dollars to Canadian consumers as a result of that data breach, and there had been no identity theft there either.

This committee is considering recommending giving the Privacy Commissioner new powers, including the power to levy fines where companies have failed to protect privacy adequately.

What do you think of that potential recommendation?

5:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

Actually, we've worked with the former department of industry Canada and with the Canadian Marketing Association and other associations in regard to those regulations and guidance. We've worked with the OPC in terms of better protecting consumers, giving consumers control of that information.

5:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

In relation to that ability to levy fines, we're considering new powers for the Privacy Commissioner. The U.K. information commissioner, as an example, has the ability to levy fines, and has done so in a case against Sony.

In this case, with Equifax having not acted appropriately and adequately, I would say, in protecting Canadians' privacy, there would be the potential, presumably, to levy fines if the OPC had such powers.

Would you support the OPC having such powers to levy fines?

5:10 p.m.

Chief Privacy Officer and Corporate Secretary, Equifax Canada Co.

John Russo

We're open to working with government on all new guidance and all new regulations.