Man hit by Capital One data breach calls for stricter privacy laws
‘I voluntarily cancelled my credit cards ... so I don't know why they would need to keep that information’
A former customer of credit card company Capital One who hasn't had an account with the company for seven years is calling for stricter privacy laws after he learned his personal information was compromised in a massive data breach affecting about six million Canadians and 100 million Americans.
Eric Loughead lives in Bridgewater, N.S., and discovered in September that he was caught up in the data breach announced in July. Loughead wouldn't have known his data was compromised, except a person living at his old address brought him a letter from Capital One.
"I think there should be some compensation built in to kind of get companies to pay more attention to people's data and put security in place to protect the data," he said.
Loughead said he was angry to find out Capital One had exposed information that included his name, old address, postal code, phone number, date of birth and income.
Some Capital One customers had their social insurance numbers, credit scores and limits, and some transaction data revealed.
The Canadian accounts that were compromised affected mostly people who applied for a credit card between 2005 and early 2019.
Having cancelled his account about seven years ago, Loughead was surprised he was caught up in the breach.
"I voluntarily cancelled my credit cards because I just didn't need them anymore, so I don't know why they would need to keep that information," said Loughead, who works in information technology.
In Canada, the applicable law is the Personal Information Protection and Electronic Documents Act (PIPEDA). It doesn't lay out specific time limits for retaining information, but says personal information can only be kept as long as required to serve the purpose for which the information was collected.
Halifax privacy lawyer David Fraser said Canada Revenue Agency rules also require financial records be kept for seven years. However, he said after that a business must consider why it would retain the information.
"There's no magic rule, so every organization really has to come up with documents and information retention policies and they all have to root back to, what was the purpose for which this information was collected or compiled in the first place?" he said.
Fraser said a bank that keeps information longer than seven years could follow an industry best practice of moving the information into a secure offline archive.
Fraser said he thinks Canada's privacy law is currently "pretty good," and his view is some flexibility is necessary because privacy standards and technologies are constantly evolving.
However, Fraser said PIPEDA also gives Canadians the right to ask companies what account information they have and to ask for it to be purged from a company's system.
"You have the right to know what information they have and how they're using it. And you do have the ability to revoke that consent," he said.
What Capital One is saying
As of Sept. 23, Capital One had finished sending notifications to Canadians by mail or email. It wasn't notifying people by phone or text message.
A spokesperson for the company provided a link to a statement to customers on its website, and said the company could not provide any further information.
"We are working closely with relevant Canadian and American authorities, including the Office of the Privacy Commissioner of Canada, to protect affected individuals," the statement read.
"We'll make free credit monitoring and identity theft insurance available to everyone affected."
Ted Charney is the lead counsel for a proposed national class-action lawsuit that was filed in Vancouver this summer. He said his team is waiting to find out more about the extent to which people's personal information was circulated on the internet.
He said many people are spending hours to days worth of time trying to deal with the implications of the breach.
So far, he said about 3,000 to 4,000 people have come forward to join the suit, and more are joining every day.
Based on the people who have come forward to his firm so far, Charney estimates about 10 per cent — or 600,000 of the people who lost personal information — were former customers.
"The ones who have cancelled their credit card assume that whatever information was in the possession of Capital One would have been deleted from the user database and the opposite is true," he said.
"The registration information we have tends to suggest that Capital One has kept every piece of information that they've ever recovered and collected from credit card holders going back to 2005, for whatever reason, and they just have not set up a program to delete outdated information or client information where the customers cancelled their card."