The Equifax data breach might have gone down as one of the biggest in history but, apart from a £500,000 fine from the UK privacy regulator, the firm appeared to have escaped relatively unscathed. That is, until now: the Canadian authorities have revealed they will monitor the firm for the next six years.
The Office of the Privacy Commissioner report found that as many as 19,000 Canadians were ultimately affected by the Equifax breach, which hit a total of 147 million people worldwide.
The privacy commissioner launched the investigation after 19 Canadians filed complaints with his office once the breach was made public.
The Office of the Privacy Commissioner found poor security safeguards, the retention of information for too long after it was used to verify a person’s credit history, inadequate consent procedures, a lack of accountability for Canadians’ information and limited protection measures offered to affected Canadians.
Canada privacy commissioner Daniel Therrien said: “Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices.
“In the end, the company did agree to enter into a compliance agreement, which demonstrates its commitment to addressing many of our concerns, and making privacy a priority.”
The commissioner has also released a “compliance agreement” with the company that cracks down on Equifax, demanding it develop better data retention policies, delete or anonymise all Canadian personal information, and increase privacy and security measures when it comes to handling or storing data.
The privacy commissioner has requested regular reports from both Equifax Canada and its US parent for the next six years detailing how they are meeting the requirements. The commissioner also specified that it may ask for additional information or visit Equifax’s offices, either in Canada or anywhere around the world where Canadian personal information is being processed.
The commissioner warned that failure to meet the requirements in the compliance agreement could see an application for intervention by the Federal Court of Canada.