The Equifax decision and related compliance agreement between the OPC and Equifax Canada that that sets out detailed timelines for various corrective measures to be put in place by Equifax Canada regarding consent, safeguards and accountability in addition to six years of third party audits, offers a treasure trove of practical lessons for organizations looking to comply with the Personal Information Protection and Electronic Documents Act (as well as some surprises).
In a sweeping and detailed report of findings in the Equifax decision released on April 9, 2019, the Office of the Privacy Commissioner of Canada, severely critiqued the privacy and security practices of Equifax Inc. and Equifax Canada Co. in effect at the time of the 2017 data breach that compromised the personal information of 143 million people, including 19,000 Canadians.
Hackers had initially gained entry to Equifax’s systems on May 13, 2017 by exploiting a known vulnerability in the Apache strut software platform supporting an online dispute resolution portal (not available Canadian consumers), ultimately accessing the personal information of Canadians (including names, addresses, dates of birth, social insurance numbers). While Canadian credit files were stored by Equifax Canada on servers located in Canada and segregated from Equifax’s systems, Equifax Canada transferred information from its credit files to Equifax in the U.S. in order to deliver direct-to-consumer products to Canadian customers that were only available through Equifax Consumer Solutions, a US-based subsidiary of Equifax. Equifax Canada’s security policies, direction and oversight were largely managed by its parent company, Equifax. While Equifax was notified of the vulnerability in their portal and the related patch to correct it on March 8, 2017, it chose not to implement the fix and the breach was only detected on July 29, 2017 when an expired SLL security certificate was belatedly updated.
The Equifax decision and related compliance agreement between the OPC and Equifax Canada that sets out detailed timelines for various corrective measures to be put in place by Equifax Canada regarding consent, safeguards and accountability in addition to six years of third party audits, offers a treasure trove of practical lessons for organizations looking to comply with the Personal Information Protection and Electronic Documents Act (as well as some surprises).
What is reasonable security for sensitive data?
PIPEDA requires that personal information must be protected by security safeguards appropriate to the sensitivity of the information, including physical measures, organizational measures and technological measures. However, past OPC decisions were frustratingly light on the specifics of what was actually required to achieve minimum security compliance. The Equifax decision devotes several pages to a detailed analysis of Equifax’s and Equifax Canada’s deficiencies in their existing security programs, including inadequate vulnerability management, inadequate network segregation and parties’ failure to implement even basic information security practices. Plainly put, organizations like Equifax who handle sensitive data are expected to have robust security programs that accurately assess the security risks faced, protect against these risks and ensure that the security programs are actually implemented in practice. Both Equifax and Equifax Canada failed miserably on all of these grounds, with extensive examples provided in the decision.
Data retention/destruction requirements are more than just paper
PIPEDA also requires that once personal information is no longer required by an organization to fulfill identified purposes, it should be destroyed, erased or made anonymous and all organizations must develop guidelines (and implement actual procedures) to govern the destruction of personal information. Practically, this is where companies often go wrong as they consistently hang onto old data indefinitely. Even worse is when organizations have enacted retention policies but these fail to be followed.
According to Equifax’s own Global Retention Policy, the personal information of 8,000 Canadians held in Equifax’s GCS should have been deleted either after five years (for account registration information), two years (for other account information), or after one year (for credit reports and alerts contained in the GCS) respectively. The record owner was supposedly responsible for implementation of the retention policy for a particular record, and compliance with the policy was supposedly being monitored. In reality, there was no process in place to delete Canadian personal information in compliance with this policy and no Canadian personal information had been deleted since at least 2010.
Moreover, in one of the more Keystone-Cop moments, the OPC found that no one at Equifax seemed able to identify who the record owner was for personal information held in the GCS databases or even the name of the person at Equifax responsible for the compliance functions described in the retention policy. Ouch. This reiterates the importance of data retention and destruction practices at the corporate level (the less data held, the less will be exposed in the event of a breach), as well emphasizing the need for proper employee training and verified compliance monitoring for policies of this nature.
Accountability must be real (or, the language in the terms of use/privacy policy counts)
Under PIPEDA’s accountability principle, an organization remains responsible for personal information under its control (including information that has been transferred to a third party for processing) and therefore organizations must use contractual or other means to provide a comparable level of protection while the information is being processed by the third party. The OPC spent considerable time analyzing the relationship between Equifax and Equifax Canada and ultimately concluded that Equifax was a third party with respect to Equifax Canada for the purpose of information handling, regardless of corporate structure.
Practically, the lines were blurry, however. Equifax handled payments made by Canadians who purchased fraud alert services on their Equifax Canada credit card file and Canadians interested in obtaining direct-to-consumer products were directed to apply to the GCS system, hosted in the U.S. Both companies tried to argue that Canadian consumers knew that they were contracting separately with ECS, rather than Equifax Canada. However, the application process took place on the Equifax.ca webpages and Equifax Canada’s terms of use asserted that the products and product features available via its website were provided by Equifax Canada. Moreover, from February 2011 to September 2015 the Equifax Canada privacy policy made no mention of Equifax, ECS or to any potential transfers of personal information to any organization for the delivery of products. The Equifax Canada Chief Privacy Officer was publicly designated and assigned responsibility for ensuring Equifax Canada’s compliance with PIPEDA. The privacy policy also stressed that to the extent Equifax Canada had to transfer personal information to a third party in Canada or across borders for processing, Equifax Canada contractually required such a third party to protect customer personal information in a manner “consistent with our privacy safeguarding measures, subject to the law of the third-party jurisdiction.”
In highlighting the importance of the role of the chief privacy officer to ensure that data being processed by a third party enjoys the same level of protection comparable to PIPEDA, the OPC also reminds us that the CPO must actually have adequate tools and structures in place to enable them to truly be accountable for the handling of personal information.
At the time of the breach, the Equifax Canada CPO did not have such controls in place (including any formal written arrangement with Equifax or ECS that spelled out the specific rules, regulations and standards that need to be complied with in the handling of personal information, information security obligations, acceptable uses of the information, retention and destruction obligations, or reporting and oversight arrangements) nor were there any basic accountability controls. Instead, the OPC found general confusion on the part of Equifax Canada regarding the scope of Canadian personal information collected and retained by Equifax and roles and responsibilities with respect to the handling of Canadian personal data by Equifax.
The OPC used European-style privacy language to identify that “as Equifax Canada is the controller for this personal information,” Equifax Canada’s designated privacy officer is accountable for the personal information, wherever it is held or processed. This also meant that Equifax Canada could not blindly rely on third party audits, like the annual ISO 270001 compliance certificates regarding Equifax’s information security compliance, if Equifax Canada had reason to doubt (and was privy to other information) that raised concerns regarding Equifax’s actual PIPEDA and related security compliance. This suggests that the OPC expects organizations to take further measures to assess the security of Canadian personal information held by third parties and ensure any necessary corrective measures are undertaken in a timely way.
Mitigation efforts are critical
It’s a truism that while data breaches are almost inevitable, it’s how they are handled that also counts in order to reduce the risks to individuals affected by the breach. PIPEDA also requires organizations to undertake appropriate mitigation measures to protect against future unauthorized use of personal information. Equifax/Equifax Canada scored badly on this measurement as well – for example, the Equifax Canada CPO was not notified by Equifax of the breach until hours before Equifax itself went public on September 7, 2017, despite the involvement of Canadian data. Oops.
Even worse, the companies did not coordinate in the initial breach notification to affected Canadians, with the first letter to them inviting them access credit monitoring through a portal that did not actually allow access and was set up for Equifax customers only. Oops again.
The OPC was also unimpressed that initially Canadians were only offered one year of free credit monitoring versus their U.S. counterparts (this was eventually changed to four years in total). Canadian customers never did receive access to the ‘Lock & Alert’ credit freeze service provided to U.S. consumers that would have allowed them to lock and unlock their credit file on demand.
The changing nature of consent for cross-border data
Perhaps the most controversial aspect of the Equifax decision stems from its assertion that Equifax Canada should have obtained valid express consent of Canadians before disclosing personal information across the border to Equifax (given the sensitive nature of the financial data involved and that individuals would not have reasonably expected their data to be transferred to a third party outside of Canada).
This is problematic in several respects as this analysis flies in the face of years of guidance from the OPC and reiterated repeatedly, including in the 2012 Privacy and Outsourcing for Businesses guidance document) that a transfer for processing is a "use" of the information, not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required; it is sufficient for organizations to be transparent about their personal information handling practices. This includes advising Canadians that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.
While it is entirely true that Equifax Canada did less than a stellar job meeting the transparency requirements in its terms of use or its privacy policy regarding the transfer of personal information outside of Canada (and further clarity was definitely warranted so that consumers could better understand that their information was being disclosed by Equifax Canada to Equifax/ECS in order to receive certain services), the OPC’s reinterpretation represents a significant departure from what was expected by Equifax Canada, or frankly from anyone who follows the OPC’s guidance in this area (the OPC itself acknowledged that Equifax Canada was acting in good faith in not seeking express consent for these disclosures based on previous OPC guidance). However, Equifax Canada agreed, in the compliance agreement with the OPC, to seek additional express consent (for example, positive action by individuals to affirm consent) from any current customers of Equifax or its affiliates that are receiving Canadian direct-to-consumer products by December 31, 2019. Equifax Canada was also chided in the Equifax decision for not explaining other options to Canadian customers that did not involve Equifax obtaining Canadian personal information, including obtaining access to their Equifax Canada credit report though use of the free credit report service provided by snail mail rather than through the U.S.-only online access.
The OPC’s implement-first-ask-permission-later approach to changing the consent requirements for cross-border data transfers is troublesome at best and judging from initial reactions, sits uneasily with many (me included).
Likely knowing this, at the same time it released the Equifax decision the privacy commissioner also announced a “Consultation on transborder dataflows” under PIPEDA, not only for cross-border transfers between controllers and processors but for other cross border disclosures of personal information between organizations. The GDPR-style language used in this document is no accident and our regulator is seemingly trying to ensure the continued adequacy designation of PIPEDA (and continued data transfers from the EU to Canada) by adopting policy reinterpretations (and new policies) pending any actual legal reform of our law. Meanwhile, the OPC’s sudden new declaration that express consent is required if personal information will cross borders (and the related requirement that individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders) introduces a whole new level of confusion and complexity regarding the advice that practitioners are supposed to be giving their clients pending the results of the consultations review, not to mention the potential negative business impacts (for consumers/vendors of cloud/managed services and mobile/ecommerce services, just to name a few examples) that may arise as a consequence. Comments have been requested by June 4, 2019.