Equifax Cyberbreach: Wasser tells Canadian Press Canada's privacy watchdog does not have the power to hand down fines 

news & knowledge 

September 22, 2017

Press releases

Equifax Canada said Monday it plans to provide an update this week on the impact of its massive data breach but would not say how many individuals north of the border may have had their personal information compromised.


The credit data company told The Canadian Press that it is working with Canada's privacy watchdog, which announced an investigation into the cyberattack on Friday.


The company is now facing investigations in both Canada and the U.S., but lawyers say the punitive threat by regulators is stronger south of the border.


The Federal Trade Commission in the U.S. can issue hefty fines if the credit monitoring company is found to have failed to do enough to protect consumers' data, but Canada's privacy watchdog does not have the power to hand down fines, said McMillan’s cybersecurity and privacy lawyer Lyndsay Wasser.


Wasser said an application could also be made to a federal court — either by the privacy commissioner or by an individual — for a process in which a judge could award damages to those who have suffered as a result of a data breach.


Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), personal information should be protected by security safeguards that are appropriate for the sensitivity of the information, Wasser told Canadian Press.


However, Canada's privacy laws do not specify the measures that must be taken and even when a company has been hacked, it may still pass the "reasonableness test," she said.


"That's the million dollar question: What is reasonable?... Even if they did comply with industry standards, it could still be found that further precaution should have been taken.”