If a bank, an insurer or a gas company wrongs customers, it's generally not long before a government regulator or consumer-protection agency shows up at the door with pointed questions.
Yet Equifax Canada, Inc., which may have exposed the personal data of as many as 100,000 Canadians as part of a colossal privacy breach at its U.S.-based parent, remains mostly unburdened by strict oversight.
No government has thought to subject the company to the kind of regime that governs, for example, financial institutions. The latest events suggest that needs to change. Credit-monitoring companies hold the most intimate details of our financial lives, and at least one of them had lamentably weak data-protection practices.
Equifax was alerted to serious cyber-vulnerabilities last spring and clearly didn't address them adequately.
When millions scrambled to check if their records had been breached – it was a couple of months before the full extent of the hack was revealed – an American software developer decided to illustrate the company's ineptitude. He set up an obviously fake phishing site and, remarkably, Equifax directed customers to it.
In Canada, the federal privacy watchdog has launched an investigation but the agency has little binding authority over companies like Equifax. Privacy Commissioner Daniel Therrien recently told Parliament his office could use more legal bite. He's right.
Canada's credit bureaus – basically a duopoly of two private companies – are also largely outside the hodge-podge of provincial consumer-protection legislation. If you've tried to have a mistake corrected, you may have learned this. As with Google and Facebook, individuals to whom information belongs are the product, not the client.
It should be much easier for people to seek redress when credit agencies screw up; government regulation can help make that happen. In countries such as Germany, France and Spain, consumer-credit records are held by publicly run non-profits; often they are satellites of the central bank.
That's probably not necessary here. But like Canada's private banks, for the protection of consumers and the market, companies like Equifax need oversight and regulation.