Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

Privacy (Oral Questions)

June 9th, 2014 / 3:05 p.m.

James Moore, Conservative, Minister of Industry (Port Moody—Westwood—Port Coquitlam, B.C.)

Mr. Speaker, that is simply not the case. We are talking about Bill S-4.

Again, if my colleague is opposed to the bill, she ought to tell her colleague who is responsible for telecommunications policy, her colleague from Terrebonne—Blainville, who said, “We have been pushing for these measures and I am happy to see them introduced.... Overall, these are good first steps”.

That was the NDP position when we tabled the bill, because the digital privacy act does exactly, in substance, what the NDP asks for us to do rhetorically, which is to protect the privacy of Canadians online and protect their transactions, so that when their information is violated or if their information has been stolen, they are immediately notified, and if they are not, there is punishment. The Privacy Commissioner is empowered.

Bill S-4 goes a great way to protect Canadians online, and the NDP should know that.

Privacy (Oral Questions)

June 9th, 2014 / 2:45 p.m.

James Moore, Conservative, Minister of Industry (Port Moody—Westwood—Port Coquitlam, B.C.)

Mr. Speaker, we have empowered the Privacy Commissioner and the Privacy Commissioner's office. As I said, we have gone further in Bill S-4.

The ethic behind the member's question is frankly a sound one. That is why we have acted as a government and moved forward both in the Copyright Modernization Act and in this Parliament with Bill S-4.

The Privacy Commissioner has welcomed these changes. Because we recognize that as Canadians are migrating their businesses and their personal lives online, we want to ensure that Canadians are protected online and that the Privacy Commissioner's office is empowered to investigate abuses of Canadian citizens online. That is why we are taking action.

Privacy (Oral Questions)

June 9th, 2014 / 2:40 p.m.

James Moore, Conservative, Minister of Industry (Port Moody—Westwood—Port Coquitlam, B.C.)

Mr. Speaker, my colleague knows very well that Bill S-4, which is before Parliament, protects the interests of Canadians online.

I know my colleague has seen the bill because the member herself said about Bill S-4, “I welcome the proposals in this bill. This bill contains very positive developments for the privacy rights of Canadians”.

Bill S-4, the digital privacy act, was supported by the Privacy Commissioner Chantal Bernier. It is supported by Canadians all across the country who recognize the need to protect Canadians' privacy rights online. The member herself spoke favourably of the bill. I am disappointed to see her change of heart.

June 5th, 2014 / 1 p.m.

Cara Zwibel, Director, Fundamental Freedoms Program, Canadian Civil Liberties Association

The provision in Bill S-4 that has the most relevant link to Bill C-13 is a provision that expands the exceptions in PIPEDA, which I mentioned earlier.

Right now there's an exception, so that a company does not have to seek an individual's consent before disclosing their information to law enforcement or government agencies in certain circumstances. This would expand that to include other organizations that might be requesting information where there's an allegation of breach of contract, for example, copyright claims, and things of that nature.

Really, the problem is that it puts the holder of the information, a private corporation, in the seat of an arbitrator of a contractual dispute or a law enforcement issue, and those are the things that should be done with judicial oversight.

The immunity provision in Bill C-13 obviously plays a big role, in our view. If the provision in Bill S-4 passes, there is an incentive for companies to hand over more information both to law enforcement and to others requesting information. We think the incentive should be going the other way.

June 5th, 2014 / 1 p.m.

Sean Casey, Liberal (Charlottetown, PE)

Ms. Zwibel, you're aware that there is presently a piece of legislation before the Senate, Bill S-4, Digital Privacy Act. I think it's been admitted by the minister that there is a link between it and Bill C-13, yet both the minister and his officials were either reticent or outright refused to discuss it.

Why is the link between these two pieces of legislation important?

June 3rd, 2014 / 12:30 p.m.

Tamir Israel, Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Thank you, Mr. Chair and members of the committee.

Good afternoon. My name is Tamir Israel, and I'm staff lawyer with the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic. CIPPIC is very grateful for this opportunity to provide our input into this important study on the growing problem of identity theft and its economic impact. I'll cut my comments a bit short, given the time constraint, so that if there are questions, there will be a bit of time for them.

In many ways identity crime is the crime of the information age. The U.S. Federal Trade Commission's Consumer Sentinel Network collated and classified over two million consumer complaints in 2013, and identity theft complaints comprised the top category across all these. Identity theft is a vehicle for a range of identity crimes. The false identities built on this theft are used to procure loans, government benefits, and fake credit cards. These false identities are also used as a jumping off point for other crimes. As a result, the economic and social costs of identity crime remain difficult to measure.

In spite of these difficulties, it is safe to say that identity theft is on the rise. Identity theft 2.0 is taking hold, where identity thieves take full advantage of the rich information stores available on social media and mobile devices with increasingly savvy methods. Illegal online markets for identities have developed where e-mail account access, credit card numbers, and full identity profiles can be bought and sold en masse. The OECD estimates that lists of valid e-mail addresses can be purchased at between $1.70 U.S. and $15 U.S. per megabyte, and that access to compromised e-mail accounts ranges from $1 U.S. to $20 U.S. (or it did in 2009), depending on the black market fluctuations. Putting aside the economic costs, however, the most insidious impact of identity crime is on the individual who's the victim of identity crime. The time, effort, and trauma involved with recovering from identity crime cannot be easily measured in economic terms.

In the remainder of my comments I'll address three essential and necessary components of any comprehensive response to the problem of identity theft. They are prevention, research and education, and victim support. Before turning to these I wish to speak briefly about another essential component, which is investigation and enforcement.

We've done a lot in Canada to improve the ability of our various agencies, including the Office of the Privacy Commissioner of Canada, the Competition Bureau, and our various law enforcement agencies, to investigate identity crimes as well as to address many of the underlying offences that facilitate these types of offences. That being said, these initiatives include the addition of several Criminal Code provisions and the passing of S.C. 2010, c. 213, which is Canada's anti-spam and spyware legislation. These steps have been critical, but it's important to recognize that identity theft is here to stay, and an enforcement solution alone will not be enough to address the problem. With that, I turn to some of the other solutions that are necessary to supplement what we've done in Canada.

First and foremost, more needs to be done to help individuals protect their identity information so that it doesn't end up in the hands of identity thieves in the first place. The most effective way to do this is through stronger data protection frameworks, including a stronger PIPEDA and Privacy Act.

PIPEDA in particular needs to play a central role in any comprehensive response to identity crime. Today's social networks and mobile devices are a repository of information, but this information is often disclosed in unexpected ways, be it to the general public or to invisible third-party applications. PIPEDA also obligates organizations to put in place reasonable technical and other safeguards in order to prevent unauthorized access to customer data. Security breaches are not only becoming more frequent with each passing year, but the number of identities exposed with each breach is increasing dramatically. Symantec's “2014 Internet Security Threat Report” registered a 260% annual increase in the number of identities exposed by each average breach, meaning that these are essentially cyber-breaches targeting large repositories of data in one go. This makes the adoption of strong technical safeguards a very important tool in the prevention of identity theft.

Against this backdrop the need for a PIPEDA framework that is rigorously enforced and applied has never been greater; however, the current framework does not reflect this. As this committee recognized in its recent study, “Privacy and Social Media in the Age of Big Data”, quoting former Privacy Commissioner of Canada Jennifer Stoddart, with the emergence of Internet giants, the balance intended by the spirit and letter of PIPEDA is at risk, and the risk of significant breaches and of unexpected, unwanted, and even intrusive use of people's information calls for commensurate safeguards and financial consequences not currently provided for in PIPEDA.

Bill S-4, currently before the Senate, takes an incremental step towards making PIPEDA somewhat more enforceable by providing for optional consent orders. However, full enforcement powers and administrative monetary penalties for non-compliance are required, so that companies have effective incentives to comply proactively with PIPEDA's obligations. Bill S-4 will also enact far overdue breach notification obligations. These will obligate companies to report any privacy breaches that raise a real risk of substantial harm to affected individuals and to the Privacy Commissioner of Canada. A company that fails to disclose will be guilty of an offence and subject, upon summary conviction, to a fine of up to $10,000. While the breach notification obligation in Bill S-4 is a positive step forward, it is not sufficiently calibrated to deter security breaches. It focuses too closely on the risk of direct harm to an end-user resulting from a specific breach. In reality, in many instances it will be difficult to know whether a particular vulnerability was or was not exploited, meaning that much laxity in technical safeguards will remain unreported. This makes it an ineffective mechanism for encouraging and incentivizing companies to strengthen up their technical safeguards.

Recently a number of government departments have also seen high-profile breaches. These have included, for example, a breach over at HRSDC involving a hard drive that contained sensitive information for over 500,000 students who had applied for student loans. In spite of this, the Privacy Act lacks not only a breach notification obligation but also the basic obligation to adopt technical safeguards.

I'll turn now to research and education. In addition to prevention, a comprehensive response to the problem of identity theft requires education and outreach initiatives. A number of government agencies have developed some solid identity crime-specific consumer education materials. The Competition Bureau's “Little Black Book of Scams” is a good example. It's available online if anybody wants to take a look. These are supplemented by growing efforts by non-governmental bodies such as the Canadian Identity Theft Support Centre, whose Victim Toolkit is an excellent resource, as is some of their other stuff, which they've already talked about. But more can be done, particularly with respect to education on the victim recovery process.

There is also a need for coordinated and sustained research on the scope and parameters of identity crime. There has been minimal systematic research on this within Canada since about 2006. While there are some non-Canadian initiatives that provide some insight into the scope and parameters of the problem within Canada, there is a need to stimulate and coordinate more Canada-specific research on identity crime through an initiative such as the breach repository that Kevin was talking about.

Finally, I turn to victim support, and I'll make this brief, because my colleagues here did an excellent job of outlining many of the elements that are necessary for an effective victim support framework. Many of my comments overlap with theirs, so I'll just make this brief.

The recovery process for an identity crime is highly complex. Victims must deal with creditors who are reluctant to believe their debt is not theirs. Even if a victim is successful in convincing immediate creditors, bad credit ratings can follow victims of identity crime for years. A number of steps can be adopted to mitigate these problems. For example, a customer seeking to convince creditors she is a victim of identity crime will often need to undergo completely diverse and complex processes for each provider in order to prove her identity. Often these will require different documentation, and this greatly multiplies the hours it takes to recover one's identity. In this vein, the type of standardized documentation provided by entities like the Canadian Identity Theft Support Centre is really crucial. It's also crucial to make sure that it's accepted by both law enforcement and service providers as an acceptable means of providing documentation of identity theft. Other useful and necessary tools would be the availability of cost-free credit freezes and online access to credit reports, which this committee heard about earlier.

Finally, the ongoing availability of a victim support centre is essential to the overall recovery process. Having someone to talk victims through the identity recovery process and to assist them in their dealings with law enforcement and other agencies as well as with creditors is essential.

Overall, a national strategy on identity crime victim support should be adopted that will establish clear parameters for cooperation between the various entities involved in the victim support process, such as the Canadian Anti-Fraud Centre, the Canadian Identity Theft Support Centre, and the various regulatory agencies that deal with identity theft matters. It should also establish a clear road map for adopting these various identity recovery mechanisms.

Thank you.

June 3rd, 2014 / 12:20 p.m.

Stephen Anderson, Executive Director, OpenMedia.ca

Yes, absolutely.

I think that when Canadians are seeing the Snowden revelations and at the same time hearing, not only through this legislation but also Bill S-4, the revelations about CSEC and CSIS.... I think when people hear those stories over and over again, it does limit the discourse and free expression online, and I think that's a problem. I also think it limits our digital economy, because in our digital economy online services are based on trust, and I think Canadians are increasingly losing trust in online services. I would say that in a kind of extra-judicial, underhanded way, they're finding out that their data is being handed over to a range of authorities without a warrant. That doesn't make people want to participate in the digital economy. That doesn't make people want to invest in the digital economy. The North American tech sector has been losing billions of dollars since the Snowden revelations, and I think that's an important thing for us to consider here as well.

May 29th, 2014 / 12:45 p.m.

Dr. Michael Geist, Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Sure, and I certainly agree with what Mr. Turk had to say. I think it likely is that potential liability coming around to class action, but at the same time, I would suggest that if we take a look in totality around the privacy policy issues, both with this bill and with Bill S-4, those actually suggest that the government is promoting and pushing towards more voluntary warrantless disclosure. We see it with an expansion of that kind of provision within Bill S-4, and we see it here now providing immunity regarding the disclosures that do take place.

What it does is send a signal, I think, to those who collect information, telecom companies and others, that we are going to create and we are moving towards a framework that will encourage that voluntary cooperation, that voluntary disclosure, without the courts.

We've heard, I think consistently, from other members on the panel that this bill is striking the right balance. They say that consistently with the proviso that the court is involved. Let's recognize that, in these circumstances, the court is not involved when these voluntary disclosures take place.

May 29th, 2014 / 11:20 a.m.

Dr. Michael Geist, Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Thank you, Mr. Chair.

Good morning. As you heard, my name is Michael Geist. I'm a law professor at the University of Ottawa. I have appeared many times before committees on digital policy issues, including privacy, but I appear today in a personal capacity, representing only my own views.

As you may know, I've been critical of the lawful access bills that have been introduced by both Liberal and Conservative governments. But I want to start by emphasizing that criticism of lawful access legislation does not mean opposition to ensuring that law enforcement agencies have the tools they need to address crime in the online environment.

As Ms. McDonald can attest, when her organization launched Project Cleanfeed Canada in 2006 I publicly supported that initiative, which targets child pornography by working to establish a system that protects children, safeguards free speech, and contains effective oversight.

In the context of Bill C-13 there is similar work to be done to ensure that we do not unduly and unnecessarily sacrifice our privacy in the name of fighting online harms. As Ms. O'Sullivan just stated, there is a balance to be struck, and as Carol Todd told this committee, we should not have to choose between our privacy and our safety.

Given the limited time, let me start by saying that I support previous witnesses' calls to split this bill so that cyberbullying can be effectively addressed in the way that we have just heard and that we can more effectively examine lawful access. Moreover, I support the calls we've heard for a comprehensive review of privacy and surveillance in Canada.

I'm happy to discuss these issues further during questions, but I want to focus my time on the privacy concerns associated with this bill. In doing so, I'll leave the cyberbullying provisions for others, such as those we've just heard, to discuss.

With respect to privacy, I want to focus on three issues: the immunity for voluntary disclosure provision; the low threshold for transmission data warrants; and the absence of reporting and disclosure requirements.

First is the creation of an immunity provision for voluntary disclosure of personal information. I believe this immunity provision must be viewed within the context of five facts. Firstly, the law already allows intermediaries to disclose personal information voluntarily as part of an investigation. That's the case for both PIPEDA and the Criminal Code.

Secondly, intermediaries disclose personal information on a voluntary basis without a warrant with shocking frequency. The recent revelation of 1.2 million requests to telecom companies for customer information in 2011 alone, affecting at least 750,000 user accounts, provides a hint of the privacy impact of voluntary disclosures.

Thirdly, disclosures involve more than just basic subscriber information. Indeed, this committee has heard testimony directly from law enforcement, in which the RCMP noted:

Currently specific types of data such as transmission or tracking data may be obtained through voluntary disclosure by a third party....

In fact, since PIPEDA is so open-ended, content can also be disclosed voluntarily, so long as it does not involve an interception.

Fourthly, intermediaries do not notify users about their disclosures, keeping hundreds of thousands of Canadians in the dark. Contrary to some of the discussion we have heard, there is no notification requirement within the bill to address this issue.

Fifthly, this voluntary disclosure provision should also, I think, be viewed in concert with the lack of meaningful changes to Bill S-4, which would collectively expand the warrantless voluntary disclosure provisions to any organization.

Given this background, I would argue that the provision is a mistake and should be removed. It unquestionably increases the likelihood of voluntary disclosures at the very time that Canadians are increasingly concerned about such activity. Moreover, it does so with no reporting requirements, oversight, or transparency.

To those who argue that it merely codifies existing law, let me say that there are at least two notable changes, both of concern.

The first is that it expands the scope of “public officer” to include the likes of CSEC's and CSIS's employees and other public officials. In the post-Snowden environment, with global concerns about the lack of accountability for surveillance activities, this would run the risk of increasing those activities.

The second is that the Criminal Code currently includes a requirement of good faith and reasonableness on the part of the organization voluntarily disclosing the information. This new immunity provision does not include those requirements, potentially granting immunity even when disclosures are unreasonable.

In short, this provision isn't needed to combat cyberbullying; nor is it a provision in need of updating to combat cybercrime. In fact, I'd argue it is inconsistent with the government's claims of court oversight. I believe it should be removed from the bill.

The second issue I want to focus on is the low threshold for transmission data warrants. As you know, Bill C-13 contains a lower “reason to suspect” threshold for transmission data warrants, and as many have noted, the kind of information sought by transmission data warrants is more commonly referred to as metadata. Some have tried to argue that metadata is non-sensitive information, but that is simply not the case.

There has been some confusion at these hearings regarding how much metadata is included as transmission data. I want to state that this is far more than the question of who phoned whom for how long. It includes highly sensitive information relating to computer-to-computer links, as even law enforcement explained before this committee.

This form of metadata may not contain the content of the message, but its privacy import is very significant. Late last year, the Supreme Court of Canada ruled in R. v. Vu on the privacy importance of computer-generated metadata, noting:

In the context of a criminal investigation, however, it can also enable investigators to access intimate details about a user’s interests, habits, and identity, drawing on a record that the user created unwittingly....

Security officials have also commented on the importance of metadata.

General Michael Hayden, the former director of the NSA and of the CIA, has stated, “We kill people based on metadata.”

Stewart Baker, the former NSA general counsel, has stated:

Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.

There are numerous studies that confirm Hayden's and Baker's comments. For example, some studies point to calls to religious organizations that allow for inferences about a person's religion, and calls to medical organizations that can allow for inferences on medical conditions. In fact, a recent U.S. court brief signed by some of the world's leading computer experts notes:

Telephony metadata reveals private and sensitive information about people. It can reveal political affiliation, religious practices, and people’s most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata—about a single person over time, about groups of people, or with other datasets—only intensifies the sensitivity of the information.

These are their comments—the comments of security experts in the area.

Further, the Privacy Commissioner of Canada has released a study on the privacy implications of IP addresses, noting how they can be used to develop a highly personal look at individuals.

Indeed, even the justice minister's report, which seems to serve as the policy basis for Bill C-13, recommends the creation of new investigative tools in which “the level of safeguards increases with the level of privacy interest involved”.

Given the level of privacy interest that is involved with metadata, the approach in Bill C-13 for transmission data warrants should be amended by adopting the “reasonable grounds to believe” standard.

My third issue is transparency in reporting. The lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures should be addressed. This combines both PIPEDA and lawful access, but it is made worse by Bill C-13. The stunning revelations we have seen about requests and disclosures of personal information—the majority without court oversight or warrant—point to an enormously troubling weakness in Canada's privacy laws.

Most Canadians have had no awareness of these disclosures and have been shocked to see how frequently they are used. The bills before Parliament seek or propose to expand their scope. In my view, this makes victims of us all, through disclosure of our personal information often without our awareness or explicit consent. When asked for greater transparency, such as we see in other countries, Canada's telecom companies have claimed that government rules prohibit it.

I hope the committee will amend the provisions that make warrantless disclosures more likely. But even if it doesn't, it should surely increase the level of transparency by mandating subscriber notifications, record-keeping of personal information requests, and regular release of transparency reports. These requirements could be added to Bill C-13 to lessen the concern associated with voluntary warrantless disclosure. Moreover, such reporting would not harm investigative activities and would hold the promise of enhancing public confidence in both law enforcement and communications providers.

Finally, I'd like to conclude, with all respect, by pointing to a personal incident involving one of the committee members, Mr. Dechert, that highlights the relevance of these issues.

Many will recall that several years ago Mr. Dechert was himself the victim of a privacy breach, with personal emails that were sent to journalists and were then widely reported in the media. This incident ties together several issues, which I have tried to highlight.

First, privacy interests arise even when you have nothing to hide and when you have done nothing wrong. The harm that arose in that case, despite no wrongdoing, demonstrates the potential victimization that can occur without proper privacy safeguards.

Second, much of that same information runs the risk of voluntary disclosure. Indeed, the expansion of the police officer definition means that in theory even political opponents could seek voluntary disclosure of such information and obtain immunity in doing so. Moreover, there is no notification in such instances.

Third and perhaps most important, the content of the emails that were disclosed was largely irrelevant. It was the metadata—who was being called or contacted, when they were being contacted, where they were being contacted, and for how long—that would itself allow for the same inferences that were mistakenly made during that incident. The privacy interest was in the metadata, which is why a low threshold is so inappropriate.

This kind of privacy harm can victimize anyone. As I've mentioned, we know that at least 750,000 Canadian user accounts are voluntarily disclosed every year—one every 27 seconds. It's why we need to ensure that the law has appropriate safeguards against the misuse of our personal information and why Bill C-13 should be amended.

May 27th, 2014 / 12:35 p.m.

Vice-President, Legal Counsel and Chief Privacy Officer, Equifax Canada Co.

John Russo

For example, one pertinent point is the amendments to PIPEDA, in terms of Bill S-4, doing away with the investigative bodies. That would help both organizations in terms of working with all members of the financial industry to prevent fraud. You wouldn't be limited to those who have subscribed and been approved as investigative bodies. That would be information sharing that could be shared amongst the bureaus and the financial credit granters.

May 27th, 2014 / 12:20 p.m.

Vice-President, Legal Counsel and Chief Privacy Officer, Equifax Canada Co.

John Russo

To start, Bill S-4 is a good initiative in terms of giving consumers a little more power proactively to know when their information's been compromised. So mandatory breach notification, something that many U.S. states have already.... Hopefully this bill does pass the third time around in terms of creating that notification so that when individuals have their information compromised, lost, or stolen at an organization they're aware of it. Most times institutions may bury their heads in the sand and not do anything, or if they're not subject to any fines or penalties, they're less likely to do anything. That's one key in terms of legislative changes.

Carol.

May 27th, 2014 / 12:05 p.m.

Member and Criminal Defence Counsel, Criminal Lawyers' Association

Michael Spratt

Yes. What we're looking at under PIPEDA is that with regard to the information disclosed for the purposes of law enforcement, there's no necessity to disclose to the person who you're talking about, who the information pertains to. Bill S-4 takes it a step further, of course, and says it's not just law enforcement or the government, but it's other organizations as well. We see in Bill C-31 that no longer are there strict controls over the sharing of information between Revenue Canada and other organizations.

This is a pattern, and it's a concerning pattern. To that extent, it would be very useful if this issue could be studied in depth in relation to the other issues that impact it as well.

May 27th, 2014 / 12:05 p.m.

Liberal

Lawrence MacAulay Liberal Cardigan, PE

Thank you very much.

The minister and department basically refused to talk about the combined effect of Bill S-4 before the Senate and the bill before the Senate committee. Should Canadians be concerned about this issue?

May 27th, 2014 / noon

Member and Criminal Defence Counsel, Criminal Lawyers' Association

Michael Spratt

I don't agree. I think a reading of the legislation would logically lead one to that conclusion.

The minister said that the obligation to disclose to an individual when their information has been disclosed was covered under PIPEDA. It's not. It's quite clear, when you look at PIPEDA, that subparagraph 7(1)(c)(ii) doesn't require that there be any disclosure to the individual.

When the minister says that it must comply with section 25, that's simply not accurate when you look at the text of section 25, which requires that the person disclosing “acts on reasonable grounds”. And reasonable grounds isn't just asking for the information—“I need this information for an investigation”—and then having the telco comply and give it to you. That's not reasonable grounds. If reasonable grounds is required for the protection of section 25, the case can be made to a judge.

It's not the case that this hamstrings investigations. In my experience, in the case of some of the tragic examples that this committee has heard, it's not the case that it would take 30 to 60 days to retrieve that information. That's simply not how it works.

The section that the minister was speaking of broadens the ability to ask for that information. Certainly combined with other bills, such as Bill S-4, it raises severe privacy concerns in terms of the broadening of that information. It's not consistent with section 25, which requires reasonable grounds.

In fact, the countless hundreds of thousands of examples that we've heard about over the last month about this sort of voluntary disclosure are troubling, and this does nothing to address that. It does nothing to address notifications to persons affected.

What's the danger with people asking for this information? I'm sure you've all read the stories about record checks, police checks, state storage of information, disclosure of that information. That's the danger. It's not an answer to say that if you have nothing to hide, you should be willing to give this information over. What's the harm? The harm is done when the charter is breached. That's the standard. The tie doesn't go to the victim. The tie should go to the charter, which is the supreme law and should be respected.

Privacy is not about hiding. It's not about secrecy. Privacy is about a person's right and ability to control the information about them and their freedom of choice. Just as I have a privacy interest in my voice when it goes through the telephone lines at the telecommunications companies, I also should have, and citizens should have, privacy interests in other data. It's a misnomer to say that the legislation makes it clear that this is just subscriber data, i.e., name. That's not what it says. It's the type, duration, date, time, size, origin, destination, and termination of your data and anyone else's data.

When that net is cast, I say there's not even close to a tie here. The police aren't hamstrung. They can take the appropriate steps and we can be protected. Police can do their job, and at the same time, we can respect not only individuals' privacies but also comply with the strict standards that we're entitled to under the charter.

May 27th, 2014 / 11:25 a.m.

President, TransUnion Canada

Todd Skinner

We are in line with the ISO standards, and on a regular basis, audit under SSAE 16 requirements.

Our data would seem to point to the lack of awareness in industries outside the financial sector and show that there's more need for education in this area, not only in the obligations emanating from a breach but also in awareness around security protocols to prevent a breach.

Awareness by breach notification where warranted will be useful. TransUnion is supportive of the efforts of the government on the part of Bill S-4. While we do not want to inundate customers with notifications, where there is a material risk of harm, there are benefits to customers receiving notification.

Here are some stats on impacts for consumers and TransUnion. The number of potential victims has increased by 600% in the last five years. The number of confirmed fraud victims is up by 100%. Many of these consumers report these frauds to the Canadian Anti-Fraud Centre—PhoneBusters—and while there has been a 300% increase in the number of fraud alerts placed, we still have work to do.

These compromises have a short-term impact on TransUnion and Equifax, increasing call volumes to our centre and requests for alerts to consumer disclosures. We've invested in technology to make that process as effective as possible and to help contribute to that 300% increase in the number of fraud alerts placed on consumer bureaus. What we're doing is helping to reduce the numbers of frauds, and we're pleased that it's not increasing at the same rate of potential victims.

Who pays? The cost is borne entirely by the consumer unless the companies or government bodies that have caused the compromise are willing to step up and pay for the damages that are created. We believe that the burden and those costs should be borne by the companies that compromise the information of the consumer. Not all companies take on this responsibility and agree to pay for these solutions to reduce potential harm to the consumer in mitigating risk.

What should be done? First is notification to the Privacy Commissioner. TransUnion is supportive of the amendments under PIPEDA in this regard in Bill S-4. Where a loss of sensitive financial data has been confirmed, both bureaus should be informed. Where a loss of sensitive financial data has been confirmed, fraud alerts should be placed on both bureaus—at a minimum—to reduce the likelihood of ID theft. As an example, we serve our clients differently, and if a breach has occurred and somebody notifies Equifax, that fraud could still be committed if they go to a financial institution that is serviced primarily through TransUnion. In many cases, both bureaus should be notified.

With respect to synthetic identity, my colleague John Russo talked about synthetic identity and its impact on the Canadian market. In defining the issue, it really is about recreating an identity to commit fraud. In the synthetic fraud, there is no one to complain. There is no constituent to talk to. It is a cost that is borne by many indirectly. In regard to public security, CBC has reported on a few stories, and John referred to the billion dollars in losses that Canadians absorb through different fees and costs. Every consumer pays for synthetic fraud.

How do we work towards a solution? We work with police authorities to report such suspected activities. We take this information, put it into our fraud database, and report it to financial institutions.

The prevention of these crimes requires better technology to ensure that identity cards are not easily replicated and that they cannot be authenticated. If we really want to attack this issue, it also requires the sharing of information between government agencies and the financial sector. The lack of sharing creates silos, and fraudsters take advantage of that.

Today, there's no automated method whereby the private sector can get confirmation as to whether or not a particular piece of ID has been issued by the government or whether that actual ID belongs to the individual who claims it's theirs. TransUnion and Equifax can help by being the conduit to financial institutions, as we already provide, for example, identity verification for AML or KYC. Both of these have been noted in the RCMP paper, the “National Identity Crime Strategy”.

In closing, TransUnion is supportive of the initiative to crack down on identity theft by, first, reporting of breaches through Bill S-4 and notification to both bureaus where a data breach of sensitive financial information has been confirmed, and second, ensuring that companies responsible for the breaches bear the burden and the cost for data breaches, not consumers. Third, on the lack of education and awareness outside of the financial sector in the area of data security and safeguarding, TransUnion is supportive of the data breach notification where circumstances warrant as a key to raising that awareness. Fourth, we are also supportive of a focus on and attention given to synthetic identification, allowing for the sharing of information from government to financial institutions for fraud and ID theft prevention, and investing in security measures for identification cards that are relied upon by the private sector for AML purposes and fraud prevention.

Mr. Chair and committee, thank you very much for having us here today.