
PIPEDA Findings #2019-001: Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal information
The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA with respect to security safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.
- Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
- Equifax Inc.'s data retention and destruction practices for Canadian personal information.
- Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
- Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
- Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.
Multiple contraventions of PIPEDA found and conditionally resolved.
The OPC determined that Equifax Inc. and Equifax Canada failed to implement adequate security safeguards, had improper data retention practices, lacked accountability for personal information handled by third parties, and did not obtain valid consent for disclosures. Equifax Canada also failed to provide adequate post-breach protection. Equifax Canada has committed to corrective actions, leading to a conditional resolution.
AI-generated summary for reference only. Always verify against the official decision.
Equifax Canada has committed to implementing a range of corrective measures, including updating written arrangements with Equifax Inc., establishing robust monitoring programs, identifying and deleting data that should no longer be retained, providing audit reports to the OPC, and offering extended credit monitoring to affected individuals.
- PIPEDA Safeguards Principle 4.7
- PIPEDA Principle 4.5
- PIPEDA Principle 4.1
- PIPEDA Principle 4.3
- PIPEDA Section 6.1
- PIPEDA Section 7(3)
- PIPEDA Principle 4.7.1
This summary is informational only and not legal advice.

