Examining LCB’s Data Security Claims

NOTE: Since publishing this post last week, Landlord Credit Bureau has removed all references to being EI3PA compliant from its website without noting the change. So were they mistaken about being EI3PA compliant or did they deliberately mislead the public about their practices?

Here is what the FAQ section looks like now:

While reviewing a copy of the Frequently Asked Questions section of the Landlord Credit Bureau site for tenants something jumped out at me immediately when they began talking about data security.

A longtime concern of mine has been how LCB stores its data and to what extent it is compliant with existing standards for Information Technology security in general and sensitive payment data in particular. To date I’ve only seen vague claims of compliance with “regulatory bodies”.

With the discovery of the FAQ that LCB publishes on the tenant member section of its website we’ve found new claims they’ve made about data security that are extremely troubling. Let’s take a look.

Used under the Fair Use provisions of the DMCA for commentary and criticism

This is the first time I’ve seen LCB claim to be using a specific data security standard, an exciting development that I hoped would help answer some of the questions I had about their practices.

So what is EI3PA?

EI3PA stands for Experian Independent 3rd Party Assessment.

RSI Security explains further:

So on the surface it looks like EI3PA is a valid data security standard for the credit reporting industry, but there is a catch – the EI3PA is only for third parties doing business with Experian.

Who is Experian?

Experian is a competitor to Equifax and TransUnion. Notably they have not operated in Canada since April of 2009.

So why is Landlord Credit Bureau saying they are EI3PA compliant when this certification is only for doing business with Experian and they don’t do business with Experian? When it’s impossible for them to be doing business with Experian in Canada? Great questions. Presumably only Zac Killam knows how they are making this very specific claim of data security certification which is obviously not correct.

LCB is in business with Equifax in both its Canadian and US operations so they can’t even claim it’s for the US side of the business. It’s truly baffling.

Since we know they are doing business with Equifax, let’s just examine the data security standards that we know Equifax claims compliance with. We know a lot about the data protection standards Equifax has implemented because of an investigation into their security practices by the Privacy Commissioner of Canada following a data breach that saw the personal data of 143 million Equifax customers hacked in 2017.

The PCC report can be found here.

Here is a summary of the oversight mechanisms Equifax reported to the Privacy Commissioner:

The two main data security compliance models used by Equifax are ISO 27001, which is an Information Security Management certification and PCI DSS which is a certification system for payment card data security. No mention of EI3PA because it’s not a standard used by anyone but Experian.

What is true is that the EI3PA is basically the same program as PCI DSS, just tweaked for credit reporting and exclusive to Experian data aggregators. What is also true is that the Privacy Commissioner found that ISO 27001 compliance and PCI DSS compliance was insufficient in the case of Equifax for protecting customer data.

If we are expecting Landlord Credit Bureau to be at least as secure as Equifax – and we should considering they are handling the same kind of sensitive personal information and credit data – then at a minimum we’d expect to see ISO 27001 and PCI DSS certifications. So when LCB claims to be compliant with a security standard that is vendor-specific for a vendor that doesn’t even operate in this country I start to get very worried about the actual integrity of their data because it sounds an awful lot like they are just making it up. If they are willing to make up their data security compliance regime, what do you think their actual security practices are like?

Unfortunately the concerns don’t end here. Recall that their statement in the FAQ said that they “won’t go into detail here because we don’t want to share with hackers”. Not only is this just a really weird thing for a company tasked with storing credit information about you to say, it’s also the opposite of what open information security standards are about and not compliant with even the EI3PA program they claim to be compliant with.

Compliance regimes like ISO or PCI DSS rely on openly published standards that anyone with the time and inclination can go look up and evaluate for themselves. Obscurity is not security and thinking you are protecting yourself by not openly sharing your security standards is not an industry best practice, it’s a naive delusion.

The fact is, what security professionals the world over rely on is openly published and vetted standards and practices that are frequently presented as challenges to hackers. There are no big secrets in this world, just people who are diligent in their tradecraft and people who aren’t.

Worse in this case though is that LCB claims this EI3PA certification and part of getting this certification is having a detailed, openly published security policy.

Here is what Landlord Credit Bureau has published in public about their data security policies:

Used under the Fair Use provisions of the DMCA for commentary and criticism

None of this even mentions EI3PA or any other kind of data security certification.

Looking for more evidence of this EI3PA compliance I take note of the following from the RSI Security website’s breakdown of the standard:

The Landlord Credit Bureau tenant and landlord portals do not support multi-factor authentication. So once again, even if EI3PA certification was something relevant to LCB operations in Canada they would still not be compliant with the standard.

Another red flag that comes up is the EI3PA standard for avoiding vendor-supplied defaults. This is a common information security practice as many hardware and software vendors provide their wares with a bunch of default settings already enabled. Part of the discipline of information security is keeping these defaults from being exploited. This often involves disabling or otherwise altering the default setting so it cannot be easily exploited.

If you visit the following URL on the Landlord Credit Bureau website you will be taken to a login page that allows administrator access to the site (https://landlordcreditbureau.ca/wp-login.php). The LCB site runs on the popular content management software WordPress, which provides this URL as one of several default admin login pages.

Used under the Fair Use provisions of the DMCA for commentary and criticism

Consulting security best practices for implementing WordPress we find that one of the recommendations is securing this page:

Once again we can see that Landlord Credit Bureau is not compliant with the EI3PA certification standard. Nor would any of these issues see them in compliance with PCI DSS or ISO 27001. These observations should raise serious concerns in the minds of anyone who has their data being stored and used by Landlord Credit Bureau at this point. The Ministry of Government and Consumer Affairs needs to demand an audit into LCB’s data security practices in order to restore public confidence.
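To make the "securing this page" recommendation discussed above concrete, here is an added configuration sketch. It is not from the original post or from LCB's setup. It assumes a WordPress site served by nginx with PHP-FPM, and the host name, address range, certificate paths and socket path are placeholders. It shows the default exposure next to a restricted login endpoint.

```nginx
# Added illustration: restricting the default WordPress login endpoint.
# Assumptions (placeholders, not taken from any real site):
#   example.test            - the site's host name
#   203.0.113.0/24          - documentation range standing in for an office/VPN network
#   /run/php/php-fpm.sock   - PHP-FPM socket path
#   /etc/ssl/example.test.* - certificate and key paths

# http{} context: one throttle bucket per client address, 5 requests per minute.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=5r/m;

server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/ssl/example.test.crt;
    ssl_certificate_key /etc/ssl/example.test.key;

    root  /var/www/html;
    index index.php;

    # BEFORE (default exposure): with only the generic PHP handler below,
    # /wp-login.php is served to every client on the internet exactly like
    # any other script, so the default login form is reachable by anyone.

    # AFTER: an exact-match location takes priority over the regex location
    # below, so the login script gets its own, stricter policy.
    location = /wp-login.php {
        # Only the administrative network may reach the login form.
        allow 203.0.113.0/24;
        deny  all;

        # Throttle repeated login attempts; excess requests receive 429.
        limit_req        zone=wplogin burst=3 nodelay;
        limit_req_status 429;

        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }

    # Normal front-end routing for the public site.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Generic PHP handler for everything else.
    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }
}
```

A network restriction like this narrows who can reach the login form; it does not substitute for multi-factor authentication on the accounts themselves.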

Landlord Credit Bureau Has Modified its Tenancy Record 3 Times Since Being Caught With Secret Field

As reported in The Hamilton Spectator as well as this blog, Landlord Credit Bureau had set up a secret field in their tenancy records that only other landlords can see, posing some obvious questions about how tenants can even dispute reports they aren’t able to see.

Originally, the tenant record contained a field that looked like this:

Used under the Fair Use provisions of the DMCA for commentary and criticism

In response to the Hamilton Spectator piece, Zac Killam took to Outline.com, using the annotation feature to defend himself and his business.

In those annotations, Zac Killam addresses the question of the secret field, something he didn’t do when given the opportunity by the Spectator.

Used under the Fair Use provisions of the DMCA for commentary and criticism

In it he defends the practice, comparing it to a landlord phoning references. This comment was made on March 25 2021.

By March 30th however, the language on the tenancy record changed:

Used under the Fair Use provisions of the DMCA for commentary and criticism

Suddenly, the information IS shared with the tenants. Funny there’s no announcement of this big change.

Now by April 7th things have changed again and we have not one but two variant tenancy records with very different language. The first reads as follows:

Used under the Fair Use provisions of the DMCA for commentary and criticism

Now it’s kind of difficult to tell if this field is shared between all parties or not. The language is very unclear and seems to leave things up to the landlord to ask the tenant about things reported in this field to “verify” them. Which really sounds like what LCB should be doing in the first place – sharing this field with tenants so they can see it and dispute it. Putting the onus on the landlord allows them to keep collecting and hiding this data.

Confusing the matter further is the existence of another sample tenancy record with much different language once again:

Used under the Fair Use provisions of the DMCA for commentary and criticism

This version tells us that by May 3rd 2021 the field once shown only to other landlords will be visible to tenants as well. Is there a reason to delay this until May 3rd? Difficult to say without knowing more but presumably it’s to give landlords some time to verify their records and ensure what they are reporting is accurate so when tenants finally see the field there should be no disputes.

It’s interesting to note the part about tenants providing consent for future landlords to pull their record. The current mechanism for ensuring a tenant has given consent to have their record pulled constitutes a checkbox where the landlord affirms they have consent. No uploading a signed consent form, just a checkbox. Scout’s honour.

Used under the Fair Use provisions of the DMCA for commentary and criticism

It should be deeply concerning that a company which is supposed to be trusted with extremely sensitive personal data that can have a huge impact on our daily lives can’t seem to settle on a major piece of corporate policy like this. It’s almost as if they’re just making it up as they go along.

LiveWell CEO Matt Christie Needs to Apologize

Below I am sharing an email I sent to LiveWell Property Management Inc. CEO Matt Christie regarding the comments he made about me and my family.

I expect a public apology and retraction from Mr. Christie.

“No conflict of interest”: Zac Killam’s Financial Interest in My Building

In August of last year this blog started up and reported the fact that LiveWell Property Management and the Landlord Credit Bureau had an ethically dubious relationship. Zac Killam was a director of both companies.

To us this represented a serious conflict of interest – how could our landlord be expected to impartially adjudicate disputes with information reported to the Landlord Credit Bureau when he is also financially involved with the Landlord Credit Bureau? It sounded so many alarm bells in me I knew I had to get the word out.

Toronto housing lawyer Benjamin Ries had this to say of the relationship in QP Briefing:

He had this to say about it recently in the Hamilton Spectator:

Zac Killam has denied any conflict of interest in both publications.

For his part, Matt Christie has acted as if he isn’t the owner of the building in text messages with us:

Killam accuses us of “creating false narratives” and “innuendos” in his lawsuit against us and in his notes on the Hamilton Spectator article. So we decided to answer the question once and for all.

94 East Avenue South was bought by 2582724 ONTARIO INC in 2017 with a mortgage out from Royal Bank for $1.35 million CAD.

2582724 ONTARIO INC is just another shell corporation set up by Blakes law firm. Zac Killam is a director along with Matt Christie, which is to be expected.

Zac Killam also gave himself the titles of President, Secretary and Treasurer. Just for good measure I suppose.

This is what Zac Killam considers “no conflict of interest”. He holds part of a $1.35 million dollar note on the building I live in. The building he has been using to harvest data from with Landlord Credit Bureau.

When Matt Christie says he’ll “send our request to the landlord”, who does he mean exactly? Who else is there but him and Zac? How many more shell corporations will we have to turn over?

Zac talked about his “interest in a small number of rental units” but I guess didn’t think it was important to tell people that one of those “small number of rental units” happened to be the one my family lives in.

How can the Ministry of Government and Consumer Services continue to licence Mr. Killam as a credit reporting agency given all we know now about what he considers “no conflict of interest”?

Landlord Credit Bureau CEO Claps Back on Spec Report

Controversial Landlord Credit Bureau CEO Zac Killam is firing back against recent reporting in the Hamilton Spectator in a series of ever-changing annotations he has been writing since the story was published online last week. His most recent edits are from just 11 hours before the publication of this post.

Despite being asked for comment and invited to tell his side of the story to The Spectator, Killam has opted to reserve most of his critique to a site which allows you to mark up an online article with your own annotations.

It’s difficult to characterize a lot of the notes because Killam keeps coming back to edit them but he claims the quotes used by The Spectator were taken out of context, accuses legal experts quoted by the paper of just wanting to generate “exposure” for themselves, accuses the former Privacy Commissioner of Ontario of not understanding the real context under which the LCB operates, accuses the reporter of deliberately misrepresenting the facts and accuses us of being malicious liars.

He calls the secret field that tenants cannot see but landlords can “a common practice” and does not attempt to address the legality of such a field or the implications for tenants who might want to dispute information contained therein.

Currently there is a running total of 33 annotations totalling 1198 words that Killam has been writing and editing for 4 days straight now. The Spectator article is only 2100 words long.

When Zac Killam was faced with powerless poor people using the internet to expose concerns about his business practices and reveal his unethical relationship with LiveWell Properties he hired one of the juggernauts of Canadian corporate law to suppress the criticism.

Now when faced with the newspaper of record for the 4th largest city in Canada exposing the same concerns and the same unethical relationships he’s not calling in the lawyers. What he’s doing is sitting up for hours a night writing and rewriting his own critiques on what amounts to his own little blog.

Where is the lawsuit against The Hamilton Spectator? Why not sue the reporter you claim is misrepresenting you and misquoting you? Why not demand a correction or retraction from the paper?

Faced with reality, Zac Killam seems bent on a retreat into fantasy.

Secret Field in Tenant Record a Smoking Gun for Landlord Credit Bureau

In documents obtained by Landlord Credit Bureau Facts and first published by The Hamilton Spectator it has been revealed that the Landlord Credit Bureau is using a secret field that can only be seen by other landlords to blacklist tenants.

After obtaining a copy of a sample Tenant Record posted by Landlord Credit Bureau in the Landlord members section of their website we noted a particularly interesting field – Landlords Experience Regarding This Tenancy.

The record clearly states the fact that this information is not shared with tenants but is shared with other landlords. It even places emphasis on it.

6 questions are put to the landlord in the field and only yes or no responses are permitted.

Toronto housing lawyer Benjamin Ries had this to say in the Spectator about the issue:

“This idea of a secret list where tenants don’t know if they’re on it, don’t know what was said about them or by who, that’s what most people think about when they think about a blacklist”

The problems with this secret field are obvious. If a tenant isn’t even aware the field exists and is unable to see what is documented in it how can they dispute any mistakes or misrepresentation? The Landlord Credit Bureau claims it has systems in place for tenants to be able to dispute and correct their record, but how is that possible when part of that record is invisible to them?

In fact, it’s entirely possible for a tenant to have a spotless tenant record with LCB according to everything they can see on their end. They would never know why they were getting denied for rental applications because to them their record appears positive. It’s a cruel deception that leaves tenants unable to even know what they are accused of.

This document proves that what we feared all along is exactly what is happening. This is what the real business model of the Landlord Credit Bureau is – a veneer of respectability concealing a cruel blacklist the tenant isn’t even aware of.

This kind of predatory business model is not only against the law, it’s against the very principles of this country. It’s time for Zac Killam to stop abusing tenants in this country and end this practice immediately.

The full sample tenancy record can be seen here:

The Hamilton Spectator Covers Landlord Credit Bureau, LiveWell

It’s not the Rolling Stone, but it’s a cover!

Sebastian Bron of the Hamilton Spectator has published some excellent reporting on our struggle with the Landlord Credit Bureau and we were shocked to see it on the front page of the paper. This has put the LCB and LiveWell issue in front of over 100,000 households in the Hamilton region as they sipped their Saturday morning coffee.

We think Mr. Bron did an outstanding job presenting the issue and gave plenty of opportunity for Zac Killam and Matt Christie to respond. The quality of their responses I leave to readers to judge.

If you missed it in print, it’s published on the Hamilton Spectator website but is paywalled:

‘Free benefit’ or blacklisted? Hamilton tenants and landlords clash over private information

  • Sebastian Bron reporting for The Hamilton Spectator

QP Briefing Covers Landlord Credit Bureau Story

Jack Hauen at QP Briefing has written an extensively reported piece on Landlord Credit Bureau, LiveWell Property Management and the situation with this blog. It raises many of the same concerns this blog has been investigating for nearly a year now and brings some real expert perspective to the fore. It also features comment from Zac Killam himself which I find very instructive.

Read it and judge for yourself.

Our guide to Landlord Credit Bureau for Landlords

To date we have only explored the Landlord Credit Bureau from a tenant perspective. What we recognized as a missing component was outreach to landlords who may be considering using the service or have already signed up. They too deserve to hear about LCB from people who aren’t trying to sell them LCB.

Landlords using the LCB need to understand the possible risks and liabilities associated with the services and advice they are being offered. To that end we first want to state very clearly that landlords looking to do business with the Landlord Credit Bureau should seek professional legal advice before proceeding to ensure they will be compliant with both Provincial and Federal laws. Engaging a service like this is not without potential risks and you want to make sure you as the landlord are protected.

Here are some examples you might want to bring up with your lawyer when you meet to talk about how the LCB can be integrated into your business:

The LCB advises landlords that they do not have to get consent from their tenants to use the service.

If you were thinking there was a “but” coming, you’d be correct. Because how you can use LCB for a given tenant can change depending on whether they consent or not according to the LCB’s own legal framework page. If consent was not an issue and not necessary, why is it that the next section breaks down into categories for consenting tenants and non-consenting tenants? Shouldn’t there be no effective difference if consent is not an issue? Does it already sound like things are more complicated than they appear in the summary?

This is fairly uncontroversial. If both a Landlord and Tenant want to agree to this kind of reporting and understand exactly what the Landlord Credit Bureau is and what their rights are then this seems to be the ideal situation – everybody agrees and is properly informed.

The situation presented here by LCB is not without its possible complications though. The claim that including the LCB Application and Lease Clauses will put you in the clear isn’t so clear – in Ontario, for example, the Province has created a standard lease agreement that can only be altered under certain circumstances. You can’t just alter the language of it as you see fit, there are rules governing how you can go about modifying the agreement and what parts you can and cannot modify.

If a landlord changed the language in the standard Ontario lease and did not negotiate this change with the tenant they could find themselves at risk. This is one example in one Province.

Make sure you are getting your lease agreements checked out by a lawyer to ensure you are compliant with Provincial housing laws.

A second point of contention is in the assumption that a tenant logging in to the tenant portal gives consent by accepting the terms and conditions presented to them. This is also a more complicated issue than the LCB is making it out to be here.

Anyone can set up Terms and Conditions for using their services and put whatever they’d like in there. People can agree to those terms (often without reading them). This does not actually mean those terms and conditions are enforceable or even legal to begin with and the only way to actually find out is to test them in court. So despite your tenant signing in to the portal and agreeing to the Terms and Conditions it is something that can still be challenged in court or in other tribunals and in the end may not be lawful or enforceable. Who is at risk now in this situation? You are.

Also worth mentioning is the fact that if tenants have to sign in to the portal to find out what the service is all about and see what is on file about them, doesn’t burying consent to enable the LCB to do all of this stuff in the Terms and Conditions when you sign in seem a bit deceptive? Tenants get an email saying they’ve been signed up to some kind of credit bureau by their landlord so they click on the link to find out just what is going on and find themselves essentially tricked into consent. It’s a practice that is bound to see a legal challenge.

This is where things start to get confusing. We were told we didn’t need to get consent but now this seems to be pretty clear that if you do not have consent, LCB functions as a spreadsheet for the landlord. That’s it. You’re allowed to report payments for internal use only.

It’s arguable that putting the tenant’s data on the platform at all is sharing that data with a third party and could form the basis of a legal challenge. It also remains to be seen how LCB firewalls off this data from the rest of its dataset and whether their implementation is effective.

Now what is all this stuff about debt? We need to get to the next paragraph to examine this claim a little more closely.

Very important to note that this piece right here is the Secret Sauce the LCB is claiming to have that allows it to do what no other tenant screening service in the country does.

What they are presenting here is a legal theory – that these clauses in the PIPEDA enable them to act without tenant consent and these claims are simply untested. LCB brags they have had zero complaints (another claim we take issue with) as if that is a virtue when what they are really saying is that this whole legal framework has never been taken for a test drive. Nobody has given the tires a kick.

Provincial housing laws and tribunals govern how things like debt are assigned and ordered for collection. This theory they are floating about collecting debt, investigating breach of contract, fighting fraud and all that are going to come up against Provincial laws governing residential tenancies.

Generally speaking, unpaid rent and other arrears related to a residential tenancy are not considered a debt until there is a judgment from a tribunal or small claims court and an order for the tenant to pay up. Until then, it’s a dispute over terms of a private contract. Claiming a tenant owes you money and then reporting them to LCB without their consent and in turn harming their credit before you have a legal order in your hands could expose you to risk. Before taking any kind of enforcement step like this make sure you consult the tenancy laws in your area and proceed through the housing tribunals that are set up for this purpose.

What this arguably could be perceived as is an attempt by Landlord Credit Bureau to assist in circumventing your Provincial tenancy laws and the legal tribunals tasked with adjudicating them. The legal pitfalls here are numerous and landlords should tread carefully to protect themselves and get a legal opinion before proceeding.

Don’t just take our word for it though, here’s what a commenter who claims to be a landlord had to say about it under an article about the LCB in the Huffington Post:

Not that we think you should be taking legal advice from random internet commenters, or even from us. What we are doing is illustrating that things aren’t as cut and dried as LCB would have you believe and you need to seek professional legal advice before proceeding.

But wait, they claim they will provide free legal defence if someone files suit against you for using their services. Surely that means the service is safe to use, they are assuming all of the risk?

Let’s unpack some of this and see.

This is a completely new feature they are claiming. It didn’t exist on their site until sometime after November of 2020.

If you visit the Legal Defence Page what you learn is that you need to be a premium member and meet a bunch of other qualifications before they will cover you. We’re planning a deeper dive into this new feature of theirs so watch for it.

A few quick points on this section though:

  1. Again, zero complaints does not mean the service is legal. It doesn’t even mean the legal framework is strong, potentially the opposite. What they are telling you is that all the legal theory they are claiming enables and protects them (and you) is just that – theory that hasn’t been tested in court. Do you want to be their test case?
  2. This section about misuse of the platform really needs to be called out here because Landlord Credit Bureau themselves are the biggest misusers of the platform by far. Landlord Credit Bureau CEO Zachary Killam is also in the landlord business with his stake in LiveWell Property Management. This relationship is exploited to harvest data from LiveWell tenants without their consent. The ethical problems raised by this relationship are huge and potentially criminal in nature. This is a gross misuse of their platform and they are the main perpetrators.
  3. Continuing on the subject of misuse, the LCB has refused to comply with the Consumer Reporting Act and provide details of the data they have on file for tenants when asked by that tenant. I know this because they did it to me and to other neighbours of mine. They also don’t provide information about tenants’ rights regarding security freezes anywhere on their public-facing page despite a legal obligation to do so.

Recall that LCB is connected to LiveWell Property Management. How do they propose to impartially arbitrate disputes involving these tenants? The credit bureau is also the creditor. Do you think LiveWell tenants can expect a fair hearing when it financially benefits LCB to arbitrate against them? Is LCB really going to investigate LiveWell?

What are these mechanisms they claim tenants can use? I’ve had disputes with LCB and all I got in return was utterly rude, dismissive treatment and a refusal by them to actually comply with the law. I’ve already filed complaints, COVID has utterly derailed that process.

If the LCB are flippant about their legal obligations in this area, what makes you sure they aren’t also being flippant about their obligations elsewhere? Landlords need to ask tough, probing questions and get legal insight or else end up getting dragged into a whirlwind of risks.

Finally I want to unpack this section a little bit because it deals with Ontario and I can speak to it. They make similar arguments for other jurisdictions which I suspect suffer from similar weaknesses.

Again, right off the bat we can see that while they are saying consent isn’t needed they identify consensual scenarios and non-consensual scenarios. They say the PIPEDA enables you to report for certain purposes (which we will unpack a bit as well) but you could take the same facts and say that the PIPEDA doesn’t allow you to share data without consent, except under specific circumstances. They choose enabling language because it sounds like their consent argument still holds up this way. But does it? Aren’t they implicitly admitting they need consent to do anything without invoking special circumstances?

We’ve already talked about debt and how housing tribunals and small claims courts typically have to award an order to pay before a landlord can pursue debt collection and credit reporting. So how is this advice really helpful to the landlord? If you have an order for the tenant to pay arrears you already have legal mechanisms to pursue collection. What is the value you are getting here? Will LCB attempt to collect on behalf of the landlord? If not, how does reporting without consent assist in collecting the debt? The only utility in doing so seems to be for the purposes of blacklisting a tenant to other landlords subscribing to the service and that is an illegal practice.

How many landlords out there are “investigating a breach of agreement or contravention of the laws”? Would you consider yourself even qualified to do so? Or how about “detecting fraud or preventing fraud”? Again, these seem like clauses which are there to assist professional fraud investigators associated with the government and financial institutions, not somebody just trying to make a living as a landlord. These defences, just like the rest of them, are untested legal theory being projected by the LCB. Ask yourself if you want to pay a monthly fee to end up a test case.

This is by no means an exhaustive list, just a cross section of concerns that hopefully give you some things to consider.

We aren’t telling you whether you should or shouldn’t use the service. That’s entirely up to you as a landlord and businessperson. What we are trying to say with all of this is that this service hasn’t been legally stress tested and the risks are currently unknown. You should absolutely be getting legal advice from an accredited professional you trust, not a company trying to sell you a product or even a tenant trying to make sense of all of this. Talk to other landlords in your community and get their perspective. Do your due diligence and keep yourself protected.

Have questions? Want to share your experience as a landlord? Drop us a line: info@landlordcreditbureaufacts.com

UPDATE 01/28: We received some feedback about part of this article which was entirely fair and want to expand on it.

The parts where we talked about debt and needing an order to properly enforce a debt really came off poorly and probably left people with the impression that an order is required in order to report to collections and/or a credit bureau and that’s simply not the case. Your landlord can try and enforce a debt as soon as there are arrears.

What we failed to communicate properly was that without an order from a court or tribunal the debt is a claim that risks a legal challenge from the accused debtor.

This doesn’t really come across in the piece so we wanted to be sure to correct things and try and be more precise. We are leaving the original text in place for historical purposes.