Equifax Canada said Monday it plans to provide an update this week on the impact of its massive data breach – nearly two months after it was first discovered – but would not say how many individuals north of the border may have had their personal information compromised.
The credit data company told The Canadian Press that it is working with Canada's privacy watchdog, which announced an investigation into the cyberattack on Friday.
"We intend to share an update with Canadians this week that will include how we intend to notify any potentially impacted individuals," an Equifax Canada spokesperson said in an email. "Our investigation is ongoing and we are committed to sharing an update with Canadian consumers."
Canada's privacy commissioner said Friday that Equifax has committed to contacting Canadians whose data may be at risk, in writing, as soon as possible, and to provide them with free credit monitoring, a service that was offered to U.S. residents on Sept. 7, the day it first announced the data breach.
The company is now facing investigations in both Canada and the U.S., but lawyers say the punitive threat by regulators is stronger south of the border.
Equifax, which collects data about consumers' credit histories and provides credit checks to a variety of companies, has been tight-lipped about the security issue's impact in Canada.
Equifax Canada did not respond to questions about the number of Canadians who may have had their personal information stolen or whether the potential fallout is limited to Canadians with credit files in the U.S.
The credit monitoring company's call centre staff have told callers that only Canadians that have dealings in the U.S. were likely to be impacted by the data breach. However, the Office of the Privacy Commissioner said on Friday that, at this point, it is not clear that the affected data was limited to those Canadians.
Equifax said on Sept. 7 that it suffered a massive cyberattack in the summer that may have compromised the personal data of 143 million Americans and an undisclosed number of Canadian and U.K. residents.
The credit data company has since said that fewer than 400,000 U.K. individuals may have been affected in the hack that was discovered on July 29.
Equifax's Canadian website says that the personal information that may have been breached includes names, addresses and social insurance numbers.
The Federal Trade Commission in the U.S. can issue hefty fines if the credit monitoring company is found to have failed to do enough to protect consumers' data, but Canada's privacy watchdog does not have the power to hand down fines, said Toronto-based cybersecurity and privacy lawyer Lyndsay Wasser of McMillan LLP.
Instead, the privacy commissioner can make non-binding recommendations and sign an agreement urging them to comply, she added.
Tamir Israel, a staff lawyer with the Canadian Internet Policy and Public Interest Clinic in Ottawa, pointed to the hacking of Canadian affair-seeking website Ashley Madison, which paid $1.6-million US to settle with the FTC but was not fined in Canada.
However, Wasser said an application could also be made to a federal court – either by the privacy commissioner or by an individual – for a process in which a judge could award damages to those who have suffered as a result of a data breach.
The company could also face punitive measures via class actions. At least two proposed class actions have been filed in Canada against Equifax in connection with the data breach.
Under Canada's Personal Information Protection and Electronic Documents Act, personal information should be protected by security safeguards that are appropriate for the sensitivity of the information, Wasser added.
However, Canada's privacy laws do not specify the measures that must be taken and even when a company has been hacked, it may still pass the "reasonableness test," she said.
"That's the million dollar question: What is reasonable?... Even if they did comply with industry standards, it could still be found that further precaution should have been taken," Wasser said.
On Friday, Equifax said in a statement that the cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax "took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure."
Meanwhile, changes to PIPEDA that would require companies to notify people in the event of a serious data breach are in the final stages, with the proposed text of the regulations out for public consultation until Oct. 2. But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.
Israel said federal breach notification laws are "critical."
"There is going to be a strong internal incentive to make sure you have a very complete PR strategy before you start telling people what's going on, but people need to know right away."