Privacy tips for businesses following the Equifax breach

Credit reporting agency Equifax has been hit with numerous lawsuits after it acknowledged hackers breached sensitive data of about 143 million Americans and 100,000 Canadians.

How strong was the company’s security? Equifax staff in Argentina reportedly could log into an employee tool with the username “Admin” and the password “Admin.”

As we wait to see how this Equifax breach plays out, here are some tips for businesses to consider when thinking about privacy.

1. You can be taken to court if you don’t comply with privacy laws

The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal Canadian legislation with numerous requirements for how businesses use private information. For example, businesses must disclose how they use private data. So it’s a good idea to have a lawyer draft any customer agreement to ensure proper disclosure.

If a company doesn’t comply with the act, a court can award damages for any humiliation the complainant has suffered as a result. If your business model includes gathering “humiliating information,” you need to protect that information and also make sure you’re not in the business of criminal “blackmail.”

2. You can be sued if you invade someone’s privacy

A 2012 Ontario Court of Appeal decision affirmed the right of an individual to sue anyone who intentionally invades the privacy of another individual, if the invasion is “highly offensive.” The court reached that decision after a bank employee snooped into the bank account of her boyfriend’s ex-wife 174 times. The employee was ordered to pay damages of $10,000.

If you ever get such a fine, don’t make things worse by searching for bank statements in your neighbour’s trash to see if they can lend you $10,000 for the fine.

3. Terms of service: You can be taken to court even if your lawyers put language in an agreement to avoid going to court

The Supreme Court of Canada held that Facebook can be sued in British Columbia for violating users’ privacy by putting their image in sponsored story ads. Facebook’s terms of service require any legal action be taken in California, but the majority of the court found that clause to be unenforceable in Canada. Specifically, in a 177-paragraph decision, the court held that there was an inequality of bargaining power between Facebook and its users.

So if your terms of service have more paragraphs than a Supreme Court decision, don’t assume every word will be enforceable.

4. Anticipate what could go wrong and plan accordingly

The Canadian maker of a vibrator app was sued by a customer. Allegedly, without customers’ knowledge, the app transmitted information to a server including: when the vibrator was used, the vibrator’s settings, and the user’s email address.

We weren’t present at the business meeting where any of this seemed like a good business idea. Had we been there, however, we would have pointed out that this would have killed as a plotline in a romantic comedy, wherein all of the information gets inadvertently transmitted to the user’s mom.

5. Take protecting your customers’ privacy seriously, especially if your company is in the business of helping people have extramarital affairs

Canadian “dating” site Ashley Madison was sued in a class action in 2015 after hackers released user information including personal names, emails, home addresses and message history.

If your business might be viewed as immoral, you may want to reevaluate your business model based on potential public relations issues. Especially if it’s viewed as immoral by hackers who may have no moral issue selling your credit card details for a recent going rate of $22.39.