Information & Ethics Committee on Dec. 4th, 2017

It is Antonietta Di Napoli.

Good afternoon, Mr. Chair and members of Parliament. On behalf of Equifax Canada, I would like to thank you for the opportunity to join your committee today. I am here to provide you with current information on the recent cybersecurity incident and to answer your questions as best I can.

My name is John Russo. I am the chief privacy officer and corporate secretary at Equifax Canada. I have proudly worked at this Canadian corporation for the past 10 years. I am based in Toronto, where I have lived my entire life. I take great pride in the services that Equifax Canada offers Canadians from coast to coast to coast, as well as the work that we have undertaken with governments across the country to help strengthen privacy laws for individual Canadians.

I am joined by my colleague, Antonietta Di Napoli, director of global operations at Equifax Canada. While her involvement with the breach activity was limited, she has extensive experience in consumer-facing roles and will be able to provide excellent insight to our consumer practices and procedures.

Today I plan to address three topics. The first one is what happened when our parent company, Equifax U.S., was hacked by criminals and sensitive consumer information was stolen from its servers. Second, I will outline the remediation steps that Equifax Canada has taken to assist impacted Canadians. Third, I will discuss what Equifax Canada is doing today to help ensure this does not happen again, as well as outline what we are doing to empower consumers with greater control over their personal credit information.

However, before I cover any of these three topics, first and foremost I want to offer my sincere apology. On behalf of Equifax Canada and the entire Equifax organization, I apologize to all Canadians whose personal information was compromised. Being a trusted steward of information has long been one of Equifax’s core principles, so we were devastated when this happened. I can assure you that in the months and years leading up to this incident, Equifax U.S. did not take data protection lightly. In fact, it has invested aggressively, particularly over the past five years, in security and network resilience. Nevertheless, the cyber-attack and breach occurred and information was stolen by criminals. We accept full responsibility and are accountable for both the incident and the impact it has had on all Canadians.

First and foremost, the question on your mind is, what happened?

We now know that criminals executed a major cyber-attack on our parent company, Equifax U.S. In addition to accessing information on millions of Americans, they were able to access information on approximately 19,000 Canadians. The information accessed included data such as names, addresses, dates of birth, and social insurance and credit card numbers. For your reference, I will provide a brief overview of what happened through a chronology of events.

On Friday, July 29, our parent company’s security department in the United States observed suspicious network traffic associated with a U.S. consumer-facing website. In response, the Equifax U.S. security department blocked the suspicious traffic that was identified. The department continued to monitor network traffic and observed additional suspicious activity on Saturday, July 30. In response, they took the web application completely off-line that day.

The criminal hack was over, but the work to determine the nature, scope, and more importantly the impact of it was just beginning. It was not known at that time that personal information had been stolen. On August 2, Equifax U.S. engaged an independent cybersecurity firm to investigate the suspicious activity and contacted the FBI.

Over the next several weeks, Equifax U.S. and the cybersecurity firm worked around the clock seeking to identify what had happened.

On September 7, Equifax U.S. issued a news release announcing the cybersecurity incident and referencing that it had identified unauthorized access to limited personal information for certain Canadian consumers. At that time, there were no additional details on the number of impacted Canadians or the specific data that was compromised.

On how we communicated with Canadians, as the chief privacy officer of Equifax Canada, I first found out about the cybersecurity incident and its potential Canadian impact moments before the news release on September 7. I immediately took steps to notify both federal and provincial regulators, and by September 8, I had communicated with the appropriate privacy commissioners, including the Office of the Privacy Commissioner of Canada and consumer reporting regulators across the country.

Equifax Canada also retained Ms. Chantal Bernier, former interim privacy commissioner of Canada, now counsel in the global privacy and cybersecurity group at Dentons. We wanted to meet the highest level of compliance in breach response and transparency with Canadians and regulators alike. While the independent cybersecurity firm worked to complete its investigation and provide Equifax Canada with details of impacted Canadians, we started to implement our plan to notify and assist all impacted Canadians.

We also updated our Canadian consumer website, Equifax.ca, to make it clear to all Canadians where they could go for answers. Additionally, we hired more personnel to staff our Canadian call centre, increased our call centre hours, and established a dedicated breach email address.

Then on September 19, Equifax Canada issued a news release to share the preliminary details we had received about the nature of the impact to Canadians as well as what the investigation had uncovered to date.

On October 2, Equifax U.S. issued a news release with updates, including the fact that approximately 8,000 Canadian consumers were impacted by the breach as well as an additional undetermined number of Canadians whose credit cards were compromised. Later that week, Equifax Canada received the data file containing information on the 8,000 individuals from Equifax U.S., and we reviewed it in order to construct a breach notification mailing list. We started to mail consumer notification letters in both official languages to impacted Canadians on October 13.

The notification letters informed consumers of three key facts: first, that their data had been compromised; second, which specific personal information elements were compromised; and third, it outlined the details on how to activate their free 12-month subscription to Equifax Canada credit monitoring and identity theft protection.

On November 10, Equifax determined that the number of Canadians with compromised credit cards in addition to other personal information was approximately 11,000, bringing the total number of impacted consumers in Canada to approximately 19,000. The additional 11,000 consumers have been notified by mail. Throughout this process, we continued to keep our regulators apprised and updated our Canadian consumer website regularly to include new information.

What are we doing to protect impacted Canadians? Like our parent company in the U.S., Equifax Canada is extending a full range of protection to impacted Canadians free of charge for 12 months. This protection includes daily credit monitoring with alerts informing consumers of key changes to their Equifax credit report. Second, we’re offering daily access to their Equifax credit report and score. Third is Internet scanning with alerts, so if we find their SIN or credit card numbers being used on suspicious websites, we can also alert consumers. Fourth, we're offering up to $50,000 of identity theft insurance to assist affected consumers with out-of-pocket expenses.

Impacted consumers received an activation code in their notification letters, which they can use to activate the services online. Alternatively, they can call into our Canadian call centre to receive personal one-on-one assistance.

Here's what we're doing to help ensure this doesn’t happen again. As I mentioned earlier, as soon as the intrusion was discovered, our parent company, Equifax Inc, started a forensic investigation regarding the attacker activity. That investigation is now complete, and we understand what occurred and the extent of the intrusion. Equifax Inc. took steps to fix vulnerabilities, and has undertaken multiple other short-term and long-term initiatives to protect the consumer data that has been entrusted to it.

It has undertaken a revisit of its entire IT and data security practice. It is further hardening networks, changing procedures to require confirmation when software patches are applied, rolling out new vulnerability detection tools, and strengthening accountability mechanisms. It has also engaged industry experts PwC and Mandiant to assist with the global security program, including strategic remediation and transformation initiatives that will help to identify and implement solutions to strengthen our long-term data protection and cybersecurity defences.

Finally, we have committed to working proactively with the entire industry to develop solutions to the growing cybersecurity and data protection challenges we all face. We see this breach as a turning point not just for Equifax but for everyone interested in protecting personal information.

You may have heard Equifax Inc.'s interim CEO share plans to launch a new consumer service that will enable consumers to lock and unlock their credit file at will, free of charge, and for life, through a mobile interface. That product is scheduled to launch in the U.S. in January. We are working to bring similar functionality to Canadians as soon as possible in the new year to ensure that Canadian consumers will have the same control over their credit information as do their American counterparts.

In closing, on behalf of the entire Equifax Canada team, I would again like to express my sincere apologies to all Canadians. While we have taken steps to protect impacted Canadians, we understand that Canadians across the country were upset by the news that Equifax Inc. suffered a cybersecurity breach, which in turn impacted Canadians’ personal information. Many Canadians, whether they were personally affected or not, expressed their concerns and fears to me personally, to my organization, to the media, and to elected officials. I share their concerns, as does my organization. We at Equifax Canada are truly committed to doing everything in our power to win back their confidence and trust.

Thank you.

Ms. Di Napoli and I welcome any questions you may have at this time.

No, those are Canadians residing in Canada.

I don't have those numbers at this time.

I'd be happy to provide them to you in writing.

Sure. The timeline in the U.S. began on March 9. Equifax disseminated the US-CERT notification, as you mentioned, internally by email, requesting that applicable personnel responsible for an Apache Struts installation upgrade their software. Consistent with our patching policy, the Equifax security department required that patching occur within a 48-hour period of time.

On March 15 our security department also ran scans, as you mentioned, that should have identified the systems that were vulnerable to the Apache Struts.

I'm here in my capacity as a chief privacy officer in Canada. I wouldn't be privy to those discussions or any of the discussions that were had in relation to that.

That's correct. It was between May 13 and July 30.

The standards we had in place in the U.S. were best-in-class standards. They were recognized industry practice. It wasn't like industry practice wasn't followed. In this case, as a result of human error and IT error, the vulnerability occurred and the hackers got in.

Sure. In Canada our information is encrypted and tokenized. We're PCI compliant and we follow the security standards.

Going back to the vulnerabilities that occurred, we're having closed-loop confirmation. In basic terms, we're not only issuing the order to patch but now we're also receiving confirmation, closing that loop that it has been patched.

For the impacted 19,000 or so, we're offering our premier credit monitoring, a product that's been used in other major breaches in Canada, Home Depot being one of them. That's offered free for 12 months for all consumers impacted. For other consumers who are worried or afraid, they can put an alert on their file. They can come to Equifax. We're offering it free of charge.

For six years.

That's for people subscribing to the credit monitoring product, which we're offering to the impacted Canadians. All other Canadians—

Yes, for the 19,000 Canadians impacted by this incident, they are made whole in terms of the premier product we're offering them. It offers them up to $50,000 in identity theft insurance.

It's over a 12-month period.

In terms of the product we're offering, they can continue their subscription to credit monitoring after that.

It's a paid service here in Canada.

The product offers 12 months of credit monitoring and it offers other indicators, such as a lost wallet: if there's information from their wallet that's stolen or lost, we'll monitor that. We'll also give them alerts. Any time anybody accesses their credit file, they'll be alerted to that fact within that 12-month period. The 12-month clock starts ticking when they subscribe to the product. It's not as of the date of the breach or their letter; it's when they subscribe to the product.

The regulators here in Canada are twofold. We have privacy regulators, such as the Office of the Privacy Commissioner, and provincial commissioners, such as in B.C., Alberta, and Quebec, as well as consumer reporting regulators. We're licensed under the consumer reporting acts in the various provinces that have consumer reporting legislation, so we have two sets of regulators.

Yes. That's why I mentioned in my opening statement that we're proactively taking steps, such as in the U.S., to reveal this lock and unlock feature, giving consumers more access to their credit information and more access to their personal information, being able to control it more than they ever have. That's a free service offered to all Canadians.

There are various patches. The global security would cover all of those for the various 24 countries we operate in.

Do you mean by Equifax Canada?

I can get back to you on that answer. I wouldn't have that information.

Just to follow up on your question, it was only on July 29 that we noticed suspicious activity. In the March, April and May timeline, there was no evidence to Equifax that a breach had occurred. There was suspicious activity on July 29 and July 30, and we shut down the U.S. portal.

Yes. The warnings were to require that the patching occur and it didn't. For that, we're feeling repercussions worldwide.

Given our global security and the fact that we operate in 24 different countries, we want to make sure those are consistent. We don't want decentralized systems. We want to make sure that they're centralized, so that we have a consistent policy across the board. You wouldn't want one country to have a belt and another one to have a belt and suspenders.

We want to make sure those efforts...anything that's low vulnerability, we're now raising to medium. Anything that's medium, we're raising to high. We want to go above and beyond the industry standard. Again, this incident was a watershed moment for us and for the industry. We want to make sure it doesn't happen again.

I can speak for Canada in terms of...when I found out and when our leadership team found out on the evening of September 7, we took immediate proactive steps to make sure that all Canadian consumers.... That was our number one priority, Mr. Kent, that Canadian consumers were protected and notified. We had to obtain that data from our U.S. parent and that took time. There were over 11,000 files that our forensic experts were combing through and then, later on in the investigation, they narrowed it down to 28 files that contained Canadian data.

The Canadian part of it only came to light late in the investigation. Before the U.S. released that people had been impacted in the U.S., about September 4 or 5, the U.K. and Canadian data portions were identified. All they knew was that there were certain elements. We didn't know the scope. We didn't know what type of data, but once we had that information, the Canadian leadership team took over and were able to lead that charge here in this country.

No. In terms of the U.S. residents, if they had a U.S. social security number, then they would be treated in that 145 million. Those numbers are very small. I don't have those numbers today, but it's not a huge amount.

In terms of—

I appreciate your frustration.

In terms of the 18,000 or 19,000 Canadians, those were any Canadians who had a business to consumer relationship with Equifax. Anybody who purchased something online with Equifax and put in payment card details, since there's some personal information, those were the majority of the 19,000 that were compromised in Canada.

In terms of the timeline, July 29 and July 30 was when our security team in the U.S. noticed suspicious activity. At that time they didn't know there was a breach; they wouldn't even know there was personal information involved. That was on a U.S. online consumer dispute resolution portal. On August 2, Equifax Inc. contacted King & Spalding, retained them as outside counsel, and King & Spalding engaged Mandiant, a forensic expert, to perform that forensic investigation. As you can appreciate, with the 145 million U.S. citizens impacted, plus a certain number of Canadian and U.K. residents, there was a lot of data to comb through. They had to go back and query everything that the criminals had. Remember that this was a criminal hack. Again, the FBI was involved as well. There were a lot of moving parts, a lot of individuals involved, people working around the clock to get information and get the answers both the American and Canadian public wanted. Given the complexity, the number of files, the data they had to comb through was unstructured so it wasn't as if you were looking into neat files, and given the enormous volume, it took time to work through it.

As I mentioned earlier to Mr. Kent, the Canadian part of it came to light 48 hours before the announcement on September 7. Because the datasets were so enormous, it took time to make sure we did a complete, thorough investigation so we could identify each individual consumer, match them with a correct address so we weren't notifying a previous address, and it took time for the crisis incident response team, given the size of the breach, to be ready to respond to those consumers' questions, fears, concerns, and frustrations.

It wasn't because of the FBI. That was one part of it. With these breaches you also see copycat attacks. We knew that if anybody had made that announcement on whatever date it was made, we had to be ready for the copycat attacks and make sure all our systems worldwide were not as vulnerable as they were in March. That took enormous effort, involved everybody from legal, privacy, security, IT, all hands on deck. Again, given the enormity of those impacted, it did take 40 days or so to do that.

We facilitate protection for consumers, fraud protection, identity theft protection, and we have products on the market that have been used worldwide in giving consumers some peace of mind and protection of their identity when they want it. Again, we have free products like an alert, where you can put on your credit file to “please contact John Russo at this number before granting credit”. You alert everybody who's accessing your file that you want to be alerted before granting credit. We facilitate consumers in life events. When you apply for a mortgage, a new car, the house of your dreams, people come to us to be able to do that in an efficient and accurate way. Without that credit information, it would slow down the whole economic system in applying for credit. As you can imagine, the banks and the financial institutions want that easily, and they want to make sure it's correct information.

You're correct. Consumer consent and permissible purpose are two key elements under the Consumer Reporting Act. Without that, the institution that is trying to access an Equifax credit file could not. You need the consumer's consent, and you have to have one of the allocated permissible purposes under legislation to do so.

The information they're providing is to better serve consumers, so that they're getting the best rates possible and getting credit that allows them to take part in those life events and engage in commercial transactions in Canada.

Yes, the investigation is complete, and the number is approximately 19,000. The reason was that the forensic investigation was ongoing at that time, so we put out that number as a preliminary estimate in order to make clear that the magnitude of the breach in Canada was limited in comparison to the U.S. Our forensic experts advised us that it was up to 100,000 that may have been impacted in Canada.

When we went and got the final numbers, there was always that credit card issue, which was that 209,000 credit cardholders were impacted. That number had certain Canadian components to it, which we later identified, so there was the 8,000 plus 11,000 credit cardholders for a total of about 19,000 Canadian residents.

We don't have that information at this time.

Yes, I mean with the FBI it's currently a criminal investigation in the U.S., because the act was a criminal act by whoever committed it.

We offered identify theft protection to consumers who were impacted.

Equifax has two types of services. There are commercial and consumer services. This is a consumer service we offer to Canadians, which we sell online for identify theft protection and identify theft insurance. It's called credit monitoring.

You don't have to be a victim to use the services we offer. You could buy credit monitoring today if you're a concerned Canadian and want to put those protections in place. We have the credit monitoring service. We have our free credit report.

No. The identity theft insurance would cover you for out-of-pocket expenses. If you have to hire a notary or a lawyer, or if you have to take time off work to rehabilitate your stolen identity, that would be covered in the $50,000 insurance. The losses for the credit card company would arise if your credit card was stolen and somebody went to the restaurant and used your card to pay for a meal. That would be up to the card carriers and issuing banks to cover.

Given that our number one priority has been protecting consumers, I wouldn't have figures in terms of what that cost. What I can tell you is that the services we're offering are free to consumers who have been impacted.

Yes, there are reserves that companies take to help protect against that, as well as insurance, cybersecurity insurance.

It's a percentage. You may have heard from the U.S. testimony that about 12% of our IT budget was spent in terms of cybersecurity protection and security for the IT systems in place.

I don't work in HR or security, but I could get back to you on that question in writing with regard to our HR procedures and policies. I can tell you that there are background checks that all Equifax employees go through—a thorough background check.

Yes, we continue our investigation with both the FBI and local law enforcement.

Do you mean an insider?

None. In our information, there is no indication that there was—

There are no facts substantiating that, Mr. Picard.

Could you repeat—

It was Mandiant.

In regard to our external forensic.... Mandiant, as well as PwC, were able to recreate the steps, the inquiries, that the criminals had exploited in terms of the hack, and they worked with our internal security department to uncover that information to get a clear picture of what had happened. In terms of remediation, we're working with Mandiant and PwC to come up with remediation steps so that this incident never happens again.

They were in a position, on the guidance of counsel, King & Spalding, to retain an independent forensic expert, outside help, to help better investigate what had transpired.

This is a correction. There are 19,000 impacted Canadians, not 8,000. Our core assets, our core consumer credit information, was not impacted nor affected, because it was not hacked. The reason the number is 18,000 to 19,000 is that these were individuals who had purchased a product online with their payment card processing with the U.S. that transaction. Our core commercial and consumer database was not affected at all. No other database outside of that U.S. consumer portal was.

We worked with the Office of the Privacy Commissioner to notify everybody in writing to make sure they were all advised. We didn't want to call or email because that's susceptible to phishing scams and people calling vulnerable people, elderly and youth. It was the best course of action to write to each Canadian. Maybe Antonietta can describe some of the consumer relations aspects to your question.

Thank you very much for your question.

As Mr. Russo said, we did notify all Canadians via written mail, that being the method of communication that we were suggested to use. Each impacted consumer received a letter. The letter informed them of the actual security breach and what information was impacted.

There were different permutations that were possible. Some consumers may have had their names and their addresses impacted. For some other consumers, it may have been credit card information. Each consumer received the information that was compromised to them in that letter. Along with that was the protection that we were offering them for 12 months, as we specified, and how to activate that service along with how to communicate with Equifax should they have any additional questions.

That's the reason we're following our U.S. counterpart in terms of the lock and unlock feature of the credit file that we're rolling out next year for all Canadians in addition to the credit monitoring, where you have alerts and triggers to notify you every time somebody has touched your file. I always say to clients and consumers that it's like a fingerprint. Any time anybody touches your file, they leave a fingerprint. That's the monitoring.

The unlock and lock ability would give the consumer control over who accesses their credit file. Nobody would have access if you turn off that feature, and then, when you go for a loan at the bank, you could turn it back on. You control your personal information as a consumer. That's why we're proactively looking to launch that in Canada in the new year. That affords consumers protections, as well as the alert, as I mentioned, that stays on your file for six years that notifies any credit granter who accesses your credit information that you've been impacted, and you want them to call you at a certain number, perhaps your mobile telephone, before granting credit. Those are all steps that a consumer can take to be vigilant to look out for identity thieves.

Thank you for that question, Ms. Fortier.

In terms of monitoring the dark web, we are monitoring the dark web for any suspicious traffic to ensure that your information is not being traded online. Canadians can be assured that we're looking out for those 19,000 to ensure that their credit card information, their birth date, SIN, are not being traded online so we can alert them to that fact.

The second part of your question, in terms of consumers generally getting educated about Equifax, we look forward to working with you and your constituents in your riding, be it through seminars or Equifax 101. We'd be happy to do this with any constituent riding and any MP. There are simple tips like just checking your credit file. You can do it for free in Canada. You can check your credit file every day if you want to. You can visit Toni's consumer relations and ask questions about your credit file and your credit information, and visit our website at Equifax.ca to get some of that background information. We like to do those Equifax 101 tours, as we call them, with regulators, consumers, consumer advocacy groups across the country so they're informed, so consumers have that information at their fingertips and can make better decisions when they're looking to apply for credit.

Toni works with consumers and she fields those calls pre-breach and post-incident so she can give you a flavour in terms of what consumers are asking for.

Thank you, John.

Many of our consumers, as Mr. Russo said, are coming to us because they're denied credit, victims of fraud. Most of our conversations with consumers are really around credit education. We explain to them how credit works in Canada, how the credit score works, how to improve your credit, what affects a credit score. Our primary role, really, is consumer education. As John mentioned, Canadians can access their credit file for free, unlimited times throughout the year. There are many ways they can get it. They can visit one of our Equifax offices across the country. We have an automated telephone line that's available 24-7 to consumers. They can send their request in writing, and we'll be able to provide them a copy of their credit file.

As John also mentioned, there's an alert that can be added to their credit file. We encourage the non-impacted Canadians, if they are afraid or concerned about their credit, to take these steps in order to protect themselves.

Toni, do you want to take the second part of the question first?

Absolutely.

Obviously we realized that mailing to consumers may have presented some challenges. We did do lots of scrubbing of the data and that was one factor in some of the delay that caused us to do some of our mailings. We ensured that we had the proper, most current address. We verified the data. As you can imagine, we do have some of this information accessible to us so we were able to cross-reference and do some of that scrubbing of the initial data. There has been some mail returned to us and we are addressing that case by case, verifying if the addresses were incorrect to see if there was a new address with a different source, or possibly contacting creditors of these consumers to see if they have an updated address.

In regard to the first part of your question, Ms. Fortier, in terms of regaining trust, we've met with most of our members, if not all, in terms of answering their questions. We met with the CBA, the Canadian Bankers Association, to ensure that their members were fully informed. We've had meetings face to face. I've been out to many of our clients to work with them, to help mitigate any loss or harm that could be caused to consumers as a result of this incident. One is too many, so we want to make sure that we have processes and procedures in place at Equifax, because security starts with me as an employee. It starts with Toni. Everybody's in security, and we pride ourselves on that here in Canada. As well, our members can take steps at the bank, at the credit card companies, to put flags or alerts on consumers' files to inform them that they were part of this breach.

Sure. I can't speak to our competition's, TransUnion Canada's, revenues. There are some smaller credit bureaus, but the two major ones in Canada are Equifax Canada and TransUnion. In the U.S., Mr. Kent, as you are probably aware, there are three: Experian, TransUnion, and Equifax. In terms of the revenues, I don't know about my competition's.... They're posted on their—

Equifax has been around for 118 years. We fulfill a service in the community in terms of allowing people to open up small businesses or apply for their first college or university loan. We help facilitate that, and we are just one small part in that ecosystem.

As I mentioned in my opening statement, within 24 hours either Ms. Bernier, as our counsel, or I had contacted each of the various privacy commissioners across Canada. The OPC has an open investigation, and we are working diligently with them to answer any and all questions they may have. We have been very co-operative. We run our privacy department in Canada based on the three Cs, communication, co-operation, and common sense, and we pride ourselves on that. We do that with all our partners and all our regulators.

Yes, and we have retained counsel to defend Equifax Canada based on the claims of the class action both here and in the United States.

I can't even opine in terms of the.... I don't know what the backlogs or the courts are like these days. I haven't been in private practice for 10 years now. It's based on court volumes, so I wouldn't even want to fathom a guess on how long it would take to run through the courts.

Yes, there was a notice in terms of an upgrade to the software. The personnel responsible for that at Equifax, the team responsible for that, did not put the patch. The IT system that was supposed to run and see that the patch was in place did not catch that either, so there was a combination of human error and IT error.

To the best of my knowledge, I wouldn't be here before you today—yes.

As I mentioned, the services we're offering, in terms of our industry norms, have been used in other breaches. In terms of working with the regulators, the 12-month period is an acceptable standard that we've seen in the past as we've supported many of those breached clients. Again, there are free services, like monitoring your credit file, where you, the consumer, can look at your credit file information to ensure that nobody has stolen your identity and that nobody has changed your address.

With regard to the cases in Canada and the standards, 12 months is a standard that has been set, yes.

It has been used in other organizations. The courts have opined on it. You saw it with regard to Home Depot in terms of the class action there. It has been an acceptable norm in the industry and in industry practice for many years.

In terms of the actions.... I can't opine in terms of the standard. Each organization's breach and situation is different. We're willing to work with all Canadian consumers who have been impacted. Given the scale of the 19,000 who have been impacted here in this country, with our consumer relations department and our incident response team, we take each individual Canadian independently and work with them to make sure they are confident that their information has not been compromised, that it has not been traded on the dark web.

For example, in the credit card space, there are additional safeguards for PCI compliance. We went through that in 2015 at Equifax Canada. That PCI remediation and enrichment process helped in Canada. It encrypted our data. We tokenized our data for credit cards.

The PCI standard policy and procedures organization.

For credit card information. Then there are other standards that we're regulated under, such as consumer reporting legislation, for example, which dictates where our information is stored, how it's accessed, and how we update it. There's consumer reporting legislation that dictates how we, as a credit bureau in Canada, operate our business.

In Canada, those standards were being met, yes.

Equifax has standards in terms of when we transfer data: the standards we have here have to be at par, or better, where that information resides. In this situation, the policies and procedures were in place, but as a result of human error and IT error, the incident occurred, and the 19,000 Canadians were impacted.

In terms of the industry, who better to serve Canadians in terms of monitoring their information than Equifax? We have every trade, every credit card that reports to us, all our members, the banks, and everybody you bank with. That information, and being able to update and alert you to the fact that somebody has put a fingerprint on your file.... We're in that spot where we have that information and access to that information to help better serve consumers.

Your question is fair. There are not many more industries that would have that amount of data to be able to best serve consumers to fight fraud, and to be able to alert them as to who has touched or accessed their information.

In terms of fraud prevention and awareness, we're well positioned in the industry.

It's in the millions for sure. I wouldn't have an estimate here. Again, the investigation is complete, but on the costs associated with it, as Mr. Kent mentioned, in terms of the litigation and dealing with the security measures we're putting in place, we want to be above and beyond any best practices and industry standard. We're working under our new interim CEO, Paulino Barros, to ensure that security comes first in our organization.

There are reserves taken in all areas in terms of litigation reserves for each country, based on litigation happening in each of our 24 properties.

That's correct, Mr. Weir. We wouldn't have those figures at this time.

I couldn't speak to our competition and the procedures and practices they have in place. Again, I'm here as chief privacy officer on behalf of Equifax Canada. I know, working with our security department and our senior leadership team here in Canada, what we're doing and what we've done in terms of going from good to better, but I couldn't opine on TransUnion or any other credit bureau here in Canada.

Again, I wouldn't be in a position to opine on what's transpired besides what I've read in the media.

In the U.S., there have been similar instances with some of our competitors over the years, with incidents of data breaches and incidents regarding their consumers and personal information.

You're welcome. Thank you for your questions.

Sure.

First, in regard to any inaccuracies or information that's lacking on the file, we welcome questions from consumers across Canada. Toni can speak to our consumer call centres. We want to make sure that information is fair and accurate. That's what our legislation says. That's how we operate our business. It's to be—

If you're one of the 19,000 Canadians impacted, we are paying for that service. We're affording all Canadians, and we've seen close to 2,000 Canadians, so far, subscribe to the service that we've offered for free to them.

Yes, it's for 12 months.

I will turn to Ms. Di Napoli to outline some of the access to information we have that consumers generally can get in terms of monitoring their credit and fighting fraud, something as simple as a free credit report.

As I have mentioned, there are free services that we have. Canadians do have unlimited access to their credit file throughout the year. Mr. Russo mentioned that we are looking at launching functionality where consumers will be able to lock and unlock their files for free. After the 12 months, impacted consumers from this breach will have the possibility to do so, therefore mitigating any fraudulent activity, or possibility of fraudulent activity, on their consumer file.

Similar to our U.S. consumer offering, as you heard from our interim CEO, Paulino Barros, by the end of January, with this service, consumers will have greater control of their information.

For example, if I have a mobile device and I want to lock my credit file, the functionality would be that until I unlock it, a bank, a car leasing company, or a landlord could not access that information. If I'm applying for credit, I can turn it back on at my fingertips, easily, in seconds, so a bank can access and adjudicate me for credit because I'm the individual who wants that credit.

That functionality would allow you in the future to be at the bank, and at your fingertips, to unlock that functionality. You know that at this one instance you're going to unlock it for the bank to adjudicate you for your car lease or your loan.

At the same time, there are features, as you've heard, in the U.S. where they have a credit freeze, where it's frozen. That's not very consumer friendly in most instances, because to unfreeze it takes time and re-authentication.

What we're building is an easy-to-use service that consumers with an iPhone or a device are able to do instantaneously, within seconds, to allow themselves to be protected. Then at the time they're at the institution seeking credit, they unlock it for that one transaction, and then turn a switch back on to lock it. They'll have that control at their fingertips.

That's an excellent question, Mr. Kent. We're looking at all alternatives with regard to how we can better do our business. Security starts with us as employees, and I can assure you, as our interim CEO said in the Senate hearings, that we will fix this, and whatever the options are in terms of working with this committee or working with others in Parliament to better serve Canadians, we're all for them.

That's at the board level, and I'm not privy to that decision. I can assure you that I've worked with Mr. Barros for the past 10 years. He has been in many capacities, as international president and as president of U.S. business, and he's a man of integrity. His background is in engineering, and when he says he'll fix it, he'll work his darndest to make sure it gets done.

Thank you very much for those two questions.

In regard to what we're doing here in Canada, as I mentioned, we've retained globally PwC and Mandiant to work with all the Equifax entities. We have 24 companies across the world, and we're working with them.

In terms of the closed-loop confirmation that I mentioned earlier, where we not only issue the order to patch, but we also receive confirmation that it was patched, that's in place. I mentioned in my opening statement that it used to take 48 hours to put such patches in place. That has been decreased to 24 hours or less, in terms of what we're doing globally.

We're also refining any existing industry best practices, procedures, and standards. We want to be above industry best practices. I didn't mention that the chief security officer now reports to our interim CEO, so the corporate governance structure has changed at Equifax in terms of accountability. We're centralizing that security rather than having a decentralized system country by country. We're working with all those individuals. We've appointed a chief transformation officer as well to get some better transparency from a security and IT perspective not only in Canada but also globally, so that this incident won't occur in the U.S., in Canada, in Argentina, or anywhere else we operate.

In regard to your second question, on the reputations of affected consumers, Toni's team works individually case by case with each individual consumer. We have call centre representatives who are able to alleviate any consumer concerns or frustrations in terms of walking them through what has transpired, if anything, with their information. We have protections in place that have been used in incidents a lot larger than ours to afford Canadians protection. Again, our number one priority is the Canadian consumer. I've heard from neighbours, friends, family. This affects everybody's reputation. We have 10,000 employees globally. It affects them as dearly as it does the Canadians who were impacted.

At the same time, we want to ensure that Canadians are afforded the best protections there are in the market, based on the regulatory situations in each country. There's a different regulatory situation in the U.S. from that in Canada. We want to make sure we apply those to each country individually to best represent those individuals.

With regard to the impacted data, our core consumer and credit database, the daily transactions we do with banks, the information we sell to the banks, was not impacted at all here in Canada. Again, the 18,000 was with regard to payment, process, and data that resided in the U.S. where there was a transaction between a consumer and our U.S. merchant.

In terms of the timeline, I just want to clarify the Canadian portion of the records that were impacted came to light on or about September 4 or 5, with all the experts and everybody working around the clock. The Canadian pieces came to light late in the game, in the investigation. When we found out my timeline on the 7th, we notified all the appropriate commissioners. We contacted our clients. We did what we could from a Canadian perspective to best serve those Canadian constituents, and at the time we didn't even know how many there were. We worked with our incident response team and our leadership team in Canada to make sure we got the correct information, that we worked with our teams south of the border to ensure we had all the tools at our fingertips. Once we had that information, we provided the consumers with the protections in place, the monitoring they could subscribe to affording them protection of their identity, and you heard the features of that product.

To ensure this doesn't happen again, just to summarize, we've enhanced our vulnerability scanning, our patch management processes and procedures. We've reduced the scope of sensitive data retained in our back-end databases. We've also increased restrictions and controls for accessing data housed within critical databases. We've deployed additional web application firewalls. The list goes on in working with internal and external experts. It wasn't that we didn't have good systems in place, but we want to be better.

Our team is working with the commissioner's office, along with our external counsel, Ms. Bernier. We've had regular meetings with them since the initial phone call within the first 24 hours when we were notified on September 7. We've worked with them. We've worked with all the privacy commissioners across Canada. The investigation is ongoing. We're, again, compiling our answers to the questions they had and working to answer them in a fulsome manner so they can complete their investigation in due course. We've been very transparent. Again, accountability and transparency drive our corporation, and we want to make sure we're doing the best for the consumers and the best for all our clients.

In terms of the Mandiant report?

It's a confidential report.

So far we have about 1,700 Canadians. Toni has an updated number as of this morning.

The initial mailing, just to set the level, was 8,000. Of those 8,000, over 1,600 people have subscribed to that. The second mailing in regard to the 11,000 went out within the last few days, so we're seeing an uptick in terms of people starting to subscribe to that. It was 22%.

We'll make our best efforts to.

To the best of my knowledge, not to my knowledge. Toni can speak to consumer relations.

I only have information based on Canadian consumers, and we have not had any complaints in regard to identity theft or fraudulent activity from the impacted Canadians who we identified.

Our former CEO, Rick Smith, was told about the suspicious activity on July 31.

I am here in my capacity as Canadian CPO.

I wouldn't have that knowledge. I wouldn't be privy to that information. Sorry.

I would not characterize that as negligence.

We're taking steps by monitoring the dark web to ensure that this information is not being traded, not being compromised. Again, we're offering the premier product to ensure Canadians have protections in place. We have the call centre available to answer any questions or concerns that Canadians may have. We're taking all the best steps and practices and working in tandem with the OPC with their guidance to make sure that we're doing the best thing for each individual Canadian consumer.

We manage the litigation process with our litigation counsel.

Actually, we've worked with the former department of industry Canada and with the Canadian Marketing Association and other associations in regard to those regulations and guidance. We've worked with the OPC in terms of better protecting consumers, giving consumers control of that information.

We're open to working with government on all new guidance and all new regulations.

You're welcome.

From a security standpoint?

Do you mean law enforcement?

We've been working with the RCMP and the FBI globally in regard to this incident, answering any questions they may have. The majority of the impacted individuals were Americans. In terms of the 19,000 Canadians, we've been answering any and all questions from the RCMP and other law enforcement.

To the best of my knowledge, I have not heard of any cases. Maybe Ms. Di Napoli has heard something in regard to her conversations with U.S. operations and consumer relations. At my office, however, as chief privacy officer for Equifax Canada, I have not had a reported case in which somebody has claimed, as a result of this incident, as a result of being impacted and mailed to in regard to the 19,000, that they've been impacted negatively and had their identity stolen.

Much like Mr. Russo, I have not heard of any instances where the impacted Americans or Canadians were impacted by any fraudulent activity or identity theft.

I think the revenues were approximately $250 million for Equifax Canada.

Thank you, Mr. Chair and committee.

Thank you.

Yes. I've reached out to her and she is available on Wednesday.