Last week, Canada’s federal Privacy Commissioner issued its decision in the Equifax data breach, citing several concerns with security safeguards and governance processes against Equifax Canada and its US parent company, Equifax Inc. This decision is relevant to US companies with Canadian affiliates, since the Privacy Commissioner has signalled a change in policy about cross-border data transfers.
The Commissioner’s investigation into the Equifax breach suggests some important features of a strong cyber-preparedness and incident response plan for every company.
The General Facts
On May 13, 2017, hackers breached Equifax Inc.’s software platform and accessed sensitive personal information of 143 million+ Equifax customers in the United States and Canada. The breach was not discovered until four months after initial entry by hackers, only an expired security certificate was updated. The hackers accessed personal information held in several hundred database tables, across a number of Equifax Inc. databases. Although Equifax Canada’s servers are separate from Equifax Inc.’s systems, Equifax Canada’s security policies and oversight were (and are) generally managed by Equifax Inc.
The Privacy Commissioner’s Report
The Privacy Commissioner issued a Report of Findings about its investigations into this breach. The Report addressed various aspects of the breach, particularly related to the security safeguards put in place by Equifax Canada, including its oversight mechanisms, vulnerability management and the implementation of information security practices.
The Report highlights several lessons for cyber breach planning for any company.
The Commissioner undertook a detailed investigation into the various data security safeguards to determine whether the security safeguards were strong enough given the sensitivity of the personal information being held by Equifax.
Equifax Inc. held various types of personal information of Canadians, including payment card information, account information (including usernames, passwords and Social Insurance Numbers), and copies of full credit reports and credit alerts. The Commissioner found that, collectively, this information is sensitive and could result in identity theft and/or reputational harm. The Commissioner held that, in order to comply with federal privacy law, such sensitive information required higher security safeguards by Equifax Inc.
Equifax Inc. detected the attack because it updated an expired security certificate. This update allowed the suspicious traffic of the hackers to finally be noticed (note that Equifax contained the attack the next day). The Commissioner found that all security features needed to be kept up to date to ensure better vulnerability management, among others things.
The Commissioner also commented on the need to meaningfully segregate networks to ensure limited flow of information between different parts of a computer network. In this case, safer methods were required to ensure the detection of fraud, allowing more meaningful network segregation.
Data Governance Practices
Data governance generally means the rules that govern data access and use. In this case, the Commissioner commented on the “poor implementation of basic methods of protection”. ‘
Some lessons on good governance practices from the Commissioner’s perspective include:
- knowing who is saving and modifying files when they involve personal information;
- securely storing staff and customers’ usernames and passwords;
- keeping production data separate from test data;
- training staff on appropriate handling of personal information;
- keeping security certificates updated; and,
- having the required certification standards met.
The Commissioner noted that “the existence of a clear disconnect between policies and practices in a range of security domains demonstrates that Equifax Inc.’s security program had critical gaps, and that therefore the oversight mechanisms were inadequate”. This implies that a thorough and comprehensive accountability framework is required, particularly when housing sensitive personal information.
The Commissioner also highlighted the need for adequate monitoring practices when a third party is handling personal information for an organization. The organization needs to periodically assure itself that the third party is fulfilling its obligations to protect the personal information. Documenting these practices is key to a cyber-preparedness audit.
Retention of Records
Although Equifax Inc. had a record retention policy in place, it confirmed that it did not have a procedure to delete Canadian personal information. No personal information of Canadians had been deleted since 2010. This was considered to a significant deficiency because it meant that Equifax was storing outdated and duplicate information when such information should have been deleted. Deleting personal information that is no longer needed in order to deliver the product or service for which the information was collected is required in several jurisdictions, including the EU and Canada.
In fact, the company noted that it intended to develop destruction practices that would be better aligned with Europe’s General Data Protection Regulation 2016/679, but that these efforts were to be limited to personal information of European residents.
The Report also highlighted the lack of adequate knowledge and awareness by staff related to the retention policy and the monitoring of its compliance. This was problematic from the Commissioner’s perspective. A key lesson is to ensure that staff are trained on all data security policies, that such training is documented and that the policies are updated and applied with some consistency across the company.
Data Sharing Agreements
The Commissioner commented on the lack of a formal written arrangement with some third parties on how to handle personal information. These arrangements should be updated periodically, as well as when there are any important changes to the relationships.
According to the Commissioner, the arrangements should discuss:
- personal information that is being handled by the third party;
- rules, regulations and standards that need to be complied with while handling personal information;
- obligations related to information security and retention/destructions;
- acceptable use of the personal information; and,
- reporting and oversight obligations.
Disclosure vs. Use
The Equifax breach has caused the Commissioner to signal a significant change in policy. The Report concluded that personal information that is transferred from an organization to an affiliate or third-party vendor for processing is considered a disclosure to the third-party organization and not a use.
Now there may be a new expectation that the transfer of data between affiliated organizations (e.g. Equifax Inc. and Equifax Canada) should be considered third party disclosures. This would mean that affiliate organizations could no longer rely on using personal information based on their own internal policies, but would need to show, among other things, a robust accountability framework, formalized written contracts and adequate data governance practices as between them. Is this really practical given the fluidity of data, especially between affiliated entities?
Finally, the Commissioner found that the transfer of personal information from Equifax Canada to Equifax Inc. required meaningful consent, including information related to the third party being located in a different country and the related risks:
In summary, Equifax Canada was not adequately clear about: (i) the collection of sensitive personal information by Equifax Inc., in the US, (ii) its subsequent disclosures of sensitive personal information to Equifax Inc., and (iii) the options available to individuals who do not wish to have their information disclosed in this way.
The Commissioner commented that the sensitivity of the information and the reasonable expectations of the individual gave rise to an obligation to obtain meaningful consent.
The Lessons Learned
The Report is specific to the Equifax breach but provides some clear indications of how regulators assess good practices in cyber preparedness. According to this case, various steps can be taken to promote good cybersecurity planning, including adequate training with evidence of having completed the training, designing comprehensive accountability frameworks, monitoring of third-party compliance, formalizing data sharing agreements, and implementing accessible and express consent models for the transfer of data.