Accounting for Law

Organizations hiding data breaches will face stiff penalties: Bauer
MONTREAL — Canada's Privacy Commissioner has asked credit monitoring company Equifax to provide a full report on its large-scale security breach, including details on how Canadians were affected.

The agency reached out to the company Friday after it received complaints about the hack of sensitive personal information.

“Given the potential sensitivity of the information, we expect that Equifax will adopt measures to help affected individuals,” spokeswoman Valerie Lawton wrote in an email.

Canadians are getting little information from Equifax regarding the status of their personal information after the company revealed on Thursday that it was the victim of a massive security breach during the summer.

Equifax said the private information of up to 143 million people in the United States had been compromised, along with certain Canadian and U.K. residents. The company is refusing to say how many Canadians were affected or what data had been stolen in those cases.

Equifax also said it would work with Canadian and U.K. regulators but didn't disclose which ones were involved.

In an interview with, Toronto lawyer Sharon Bauer says while it’s still unclear how many Canadians were exposed to the breach, anyone would expect a company collecting highly sensitive information — names, addresses, birthdays, social insurance numbers, credit card numbers, and licenses — to be forthright about a data breach and to advise consumers in a timely manner.

“Equifax knew about the breach at the end of July but did not reveal it to the public until last week. In doing so, Equifax lost the confidence of its consumers, other organizations, and even politicians. This loss of confidence has already contributed to a rapid decline in the value of Equifax stocks,” she says.

Bauer, a partner with Wolfe Lawyers, says Canadians still feel they don't have all the information they need, including how it happened, what measures were in place to prevent it, and what they can do to mitigate their risk of harm.

“These are all valid concerns. I would imagine in the coming weeks, we will have more information, but it will likely be through class action litigation that we glean the most salient facts, including how much time and resources Equifax put into the prevention and reporting plan of a data breach,” she says.

Currently, Bauer says, Alberta is the only province that requires organizations to report data breaches, but the Office of the Privacy Commissioner of Canada has expressed the need for organizations to be transparent about data breaches.

“It is believed that in May 2018, Canadian organizations will be mandated by law to report and notify of a data breach,” she says. “Organizations will be required to notify individuals of a breach where there is ‘a real risk of significant harm to an individual.’ That means notifying individuals affected by the breach as well as the Privacy Commissioner of Canada as soon as it is feasible so that steps can be taken to reduce potential harm.”

Businesses may also be required to notify other organizations, such as government institutions or credit bureaus, if those organizations can mitigate the potential harm, Bauer explains.

“In determining whether notification must be made, an organization would be required to consider, among other things, the sensitivity of the information breached and the probability that it will be misused. Furthermore, it should consider the type of harm the breach may cause such as bodily harm, humiliation, damage to reputation or relationships, loss of employment, financial loss, and identity theft. Organizations that hide a data breach could be faced with a fine of anywhere between $10,000 and $100,000,” she says.

In the United States, the theft included consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driver's licence numbers.

Equifax Canada said Friday it had no information to add to what its parent announced.

Equifax discovered the hack July 29, but waited until Thursday to warn consumers. It's not unusual for authorities to ask a company to delay public notice of a major hack so that investigators can pursue the perpetrators.

The Atlanta-based parent company has set up a dedicated website and call centre to help consumers determine if their information may have been affected.

The website is and the call centre is at 877-323-2598.

However, it may be prudent to wait before checking the status of your information. Social media users have flagged language on Equifax's website that appears to suggest that people who sign up for its TrustedID Premier security service waive their rights to participate in a class-action lawsuit.

Bauer says once consumers realized the fine print of the terms and conditions, Equifax released a statement confirming that the arbitration clause would not apply to the data breach.

“It is unclear, however, whether the clause would apply to TrustedID Premier should something go wrong with that service,” Bauer says. “What makes the TrustedID service even more interesting is that consumers will have to reveal personal information to use it, such as their last name and last six digits of their social insurance number. With a lack of confidence in Equifax, one would imagine that consumers would be hesitant to do this.”

New York State Attorney General Eric Schneiderman tweeted that such language was “unacceptable and unenforceable”. “My staff has already contacted Equifax to demand that they remove it,” he added.

There have been cases where Canadian consumers have launched class action suits after learning their information had been involved in a cross-border cybersecurity breach.

Bob Hudyma, a cyber security expert at Ryerson University's Ted Rogers School of Information Technology Management, said Equifax is being tight-lipped over concerns about other lawsuits.

“There's no doubt that their legal department has been very, very busy in ensuring that they maintain the strongest possible position in these unfortunate circumstances,” he said in an interview.

Shares of Equifax were down more than 14 per cent at US$122.63 in heavy trading Friday afternoon at the New York Stock Exchange.

The credit scores compiled by Equifax and similar companies, such as TransUnion and Experian, are used by lenders to decide whether to approve financing for homes, cars and credit cards.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax CEO Richard Smith said in a statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”

Prior to the Equifax release, the biggest hack on record involving Social Security numbers involved about 80 million people during a hack at health insurer Anthem Inc.

Yahoo, which was targeted in at least two separate digital burglaries that affected more than one billion of its users' accounts throughout the world, currently holds the record for the biggest release of confidential information.

The California-based Internet company, which has since been acquired by American telecom carrier Verizon, didn't reveal a 2013 cyberattack until September 2016.

But Yahoo's breach didn't release Social Security numbers or drivers' licence information — two pieces of government-issued information that are commonly used to determine a person's identity.

Data breaches are a serious issue that is here to stay, and all organizations must ensure they are in compliance — or risk being sued, Bauer says.

“New regulations requiring mandatory breach reporting are a positive step forward, not only to ensure organizations take data security seriously but also as a way to promote greater transparency and accountability for those businesses handling personal information.”

“Now that there is a legislative framework for data breaches in Canada, organizations should take proactive steps towards compliance or otherwise risk being found negligent for not doing so. The standard the courts will consider is not one of perfection but one of reasonableness. It would also be wise of organizations to obtain cyber liability insurance coverage, as there will be an increase in lawsuits arising out of data breaches in the coming years.”
