Equifax and its Canadian branch are being required to submit audit reports and accept ongoing monitoring after the privacy commissioner found it failed to meet its privacy obligations.
The Office of the Privacy Commissioner (OPC) said in a release, following its investigation after the global data breach, that it found the credit monitoring company had “poor security safeguards; retaining information too long; inadequate consent procedures; a lack of accountability for Canadians’ information and limited protection measures offered to affected individuals after the breach.”
Equifax confirmed a data breach in 2017 that affected more than 143 million people globally. In Canada, 19,000 people were affected.
“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” Privacy Commissioner Daniel Therrien said in the release.
Equifax has agreed to a “compliance agreement” that will require the company to submit third-party audit reports on its security every two years for the next six years. It will allow the OPC to have “ongoing monitoring of compliance” with the Personal Information Protection and Electronic Documents Act.