Equifax Inc and its Canadian unit breached Canada’s privacy law and fell far short of their obligations to the privacy of Canadian people during and after a global data breach in 2017, said a Canadian federal agency on Tuesday.
The Office of the Privacy Commissioner of Canada (OPC), responsible for the protection of privacy rights of individuals, noted that poor security measures of the credit reporting company remained failed to safeguard and even worsened the impact of the global cyber attack that leave more than 143 million people affected worldwide including 19,000 Canadians. The agency also found Equifax responsible of not disclosing the information of data breach for too long.
Finding such deficiencies in the privacy and security measures of a company which holds vast amount of personal information of highly sensitive nature was unacceptable, said Daniel Therrien, the privacy commissioner of Canada.
Equifax also lack of accountability for information of Canadians as well as provided limited protection measures to the affected individuals after the breach.
Equifax Canada came into a compliance agreement to resolve these issues by improving their security, accountability and process of data destruction. As part of agreement, Equifax will be submitting cyber-security audit report of its own and of its parent company, conducted by third-part auditors, to the OPC every two years for next six years, Therrin said.
The decision will allow the agency to continue keeping an eye on compliance with federal private sector privacy law of the country which will also help assessing the measures taken by Equifax to secure its system since the data breach, OPC said in a statement.
Equifax in its emailed statement said that though it is not in agreement with all of the findings and recommendations of the OPC, but give importance to company’s relationship with the agency and its efforts to safeguard the consumers in Canada.
