Evidence of meeting #19 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session.

Also speaking

José Manuel Fernandez  Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual
Susan Sproule  Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual
Benoît Dupont  Director, International Centre for Comparative Criminology
Philippa Lawson  Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

12:10 p.m.

Conservative

Laurie Hawn Conservative Edmonton Centre, AB

You mentioned Nortel and who has taken over from Nortel, and that's no secret. That's on a commercial level. If you take that to a much higher national security level, the potential is frightening. To me, we're talking about the old—in nuclear terms—mutually assured destruction. They could basically turn us off whenever they want. They probably know we can turn them off whenever we want. It's a matter of staying one step ahead, and that goes back to data, I think.

Mr. Dupont, you talked about the problems with data. How do we get and keep better data?

12:10 p.m.

Director, International Centre for Comparative Criminology

Dr. Benoît Dupont

As I think has already been alluded to, one of the ways is to make the disclosure of some data held by the financial institutions...but also the retail institutions. We're talking a lot about the financial sector. The financial sector sees a lot of this identity theft happening, but the retail institutions are also responsible for the leakage of this data. They should be held responsible. They should be much more forthcoming about these types of events.

I think the government and some kind of authority within government should have the power to request that this data be made available, not necessarily...well, yes, maybe made available on a very broad basis. Someone mentioned the naming and shaming. That's what happened with the anti-theft devices on cars in the 1970s, when the insurance sectors and governments were tired of having so many cars stolen. Someone decided one day to publish the list of the 10 most stolen cars on the market. Twelve months after that, all these cars were equipped, for free for the taxpayers, with anti-theft devices.

So the automakers, who had been saying there was nothing they could do against it, suddenly found the resources and the technology to equip their cars, just because this data was made available to all the consumers to make their decisions based on the facts.

I think it's the role and the responsibility of the government to try to extract this information, not in a punitive way but in order to make this phenomenon more transparent and to make sure that consumers and citizens have all of the information. As my colleague Ms. Lawson said, there is very little that we can do as consumers, as individuals, but there is a lot that organizations can do to protect us as consumers.

12:10 p.m.

Conservative

Laurie Hawn Conservative Edmonton Centre, AB

I guess that's why I don't buy a Honda Civic.

12:10 p.m.

NDP

The Chair NDP Pat Martin

Thank you, Mr. Hawn. That concludes your time, on that note.

Perhaps I can remind committee members and witnesses that the seven minutes is for questions and answers. If we could keep them as brief as possible, more members would have an opportunity to question.

Next, for the Liberal Party, we have my colleague Mr. Scott Andrews.

You have seven minutes, please, Scott.

12:10 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Thank you, Mr. Chair.

I'd like to thank you folks for being here.

Susan, I'd like to dive into a little bit of what you mentioned near the end of your presentation, about the credit reporting agencies themselves. I think they probably can be an early warning system if someone's identity is being compromised. I think the role they play in helping consumers protect their identities is crucial. Most of us don't go looking for our credit scores or our credit history until after the fact, until after something happens.

How can we engage them? They will be witnesses here as well. What kind of questions...or how do we engage them? What kind of role do you think they could play here? Perhaps you could elaborate a little bit more on these credit reporting agencies and how they could help detect early on if someone's identity was potentially being compromised.

12:15 p.m.

Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual

Dr. Susan Sproule

As Ms. Lawson said, the more serious type of identity theft financially is new accounts fraud. The only way you can find out if someone is opening up accounts in your name is through the credit reporting agencies.

As I said, I do a pretty good job of protecting my information as an individual. It's limited, what I can do, but I don't give out a whole lot of personal information, only what's required. I take all the advice that's given to consumers with regard to protecting my information.

One piece of advice that is often given to consumers is that you should be checking your credit report on a regular basis. I did that once about five years ago. It was such a chore to go through and collect all this information. I had to mail it off, which is very insecure. If anyone intercepts that envelope, they have everything they need to steal my identity. I sent it off to both credit reporting agencies. I got a credit report back from one. I never even received it back from the second one, which was sort of a source of concern. I ended up phoning them, and they said, “Oh, yes, we received it. Something must have happened.”

To really protect myself, I would like to go online once a quarter to get an instantaneous look at my credit report. That's something I would do to protect myself. At the moment, that costs me $24 each time I do it.

12:15 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

It's $16 a month.

12:15 p.m.

Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual

Dr. Susan Sproule

Or I can pay $16 a month and they'll send me that and some other sort of advice about how to protect myself. It really does bother me that they're making a profit out of the problem, because then where's the incentive for them to help get rid of threats? It bothers me when my bank offers to sell me identity theft insurance. Isn't that their job, to protect my information?

12:15 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Ms. Lawson, do you want to comment on the credit reporting agencies as an early warning system that someone's credit is being compromised?

12:15 p.m.

Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

Philippa Lawson

Yes, I would totally agree with your comments in that respect and I'm glad to hear they will be coming before you. I think you should be asking them a lot of questions, including why they're not offering credit freezes to Canadian consumers while they are in the United States.

There are a number of other things they could and should be doing. One has to do with credit monitoring and providing reports, as you just heard. It costs a lot of money and it's a huge effort for Canadians. We are entitled to one free report per year by mail, but the credit bureaus charge to get online access and they make it difficult and they don't always follow through.

In the United States, there's a requirement for one-stop shopping. There are three credit bureaus in the States. In Canada, there are two. It would be helpful if consumers—particularly for victims of identity theft—if you could go to one central source and get the reports from both agencies. That would be helpful.

I think you should be allowed to access your report online, at no fee or a very low fee, and get credit monitoring services for no or a low fee, particularly if you can show that you may have been a victim of fraud. It's interesting that in the United States there are laws under the Fair Credit Reporting Act that we don't have in Canada, other than very general principles in our data protection law. For example, in the United States credit bureaus have to block reporting of information where the consumer provides evidence of fraud. They have to notify furnishers of allegedly fraudulent information, once they've been notified by the victim that there appears to have been a fraud.

These kinds of very specific obligations on credit bureaus can really help to prevent, detect, and deal with the problems of identity theft.

12:15 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Back to you, Susan, you mentioned early on that those committing identity theft are not the ones committing the identity fraud. I wonder if you could elaborate on that a little bit. Is there a way that law enforcement and people could stop the in-between of when identity theft happens to when the fraud occurs?

12:20 p.m.

Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual

Dr. Susan Sproule

I guess there are different kinds of identity theft. Some is very opportunistic and targeted, where someone has access to the information, gets the information, and then impersonates that person to commit a fraud. In that case the thief and the fraudster are the same.

When we're talking about data breaches, where hackers go in and get into databases and collect information, that information goes into black-market marketplaces and is sold. There are academic studies that have looked at the black market and what a credit card account identity is worth—what an identity, something that has your social insurance number and your mother's maiden name, is worth. So you can get data on that from these black markets, and that's the gap between the theft and the fraud. The fraudsters go and—

12:20 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Mr. Fernandez, do you want to jump in on that as well?

12:20 p.m.

Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual

Dr. José Manuel Fernandez

Yes. The problem is that, unfortunately, a lot of these identity thieves are not in Canada. They're not within our jurisdiction. It's organized crime in eastern Europe, in Indonesia, in Brazil, and they're simply outside our jurisdiction. A lot of these countries are not collaborating with law enforcement in Canada. That's why the Convention on Cybercrime that we still need to ratify is important.

12:20 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

How about the issue of the black market? Is there a way that law enforcement can zoom in on that, or is it something that's out there and they can't—

12:20 p.m.

Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual

Dr. José Manuel Fernandez

I'm going to forward that question to my colleague, Benoît Dupont, who has some interesting ideas about what we could do about disrupting the black market.

12:20 p.m.

NDP

The Chair NDP Pat Martin

If we could have a very brief answer please, Mr. Dupont. We're almost out of time.

12:20 p.m.

Director, International Centre for Comparative Criminology

Dr. Benoît Dupont

A very brief answer.... I think so far the only country that has really made some investigative investments in trying to disrupt the black market is the United States with the U.S. Secret Service. There is no reason why the RCMP, which is able to leverage large sums of money to conduct large investigations on the mafia.... You know, the Colisée investigation in Quebec cost about $30 million. So there is no reason why the RCMP couldn't invest this type, or maybe smaller amounts of money, to try to disrupt black markets. It has a network of liaison attachés all across the world who try to cooperate. But so far, only the U.S. government has invested this type of money to investigate these types of crimes outside its borders.

12:20 p.m.

NDP

The Chair NDP Pat Martin

Thank you, Mr. Dupont.

Thank you, Mr. Andrews.

Next for the Conservatives is Mr. Zimmer.

April 29th, 2014 / 12:20 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River, BC

Thank you all for coming to committee today. I think a lot of us who spend a lot of time on the web are concerned about how secure our information is.

I have a few questions on some basic information. How is the $3 billion quantified? I think somebody used that number as the amount that is affecting Canadians and how much the loss is. How do you quantify that amount?

12:20 p.m.

Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual

Dr. José Manuel Fernandez

That figure comes from Symantec, which is an anti-virus company. The 2013 report for Canada reports that figure.

I'm not an expert on how to quantify these things. Some people might say they suspect that figure comes from a party that is interested in maybe growing the size of the problem, but that's probably better answered by some of my colleagues here who actually are specialized in those numbers.

12:20 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River, BC

Does anybody else want to respond to that quickly? I have more questions, but if somebody could answer that....

12:20 p.m.

NDP

The Chair NDP Pat Martin

Dr. Sproule, would you like to go first?

12:20 p.m.

Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual

Dr. Susan Sproule

Just as an example, and it's old data, but when we did our survey of consumers in 2008, we found 1.7 million people or 6.5% of Canadian adults were the victim of some kind of identity fraud in the last year. They spent over 20 million hours and more than $150 million to resolve problems associated with those frauds. That's just the consumers' out-of-pocket costs, which is a small part of the big problem.

12:20 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River, BC

That's significant. Thanks for that.

I would ask you another one. I have a couple more simple ones.

We have all had a typical virus on a computer. I'm assuming everybody has where the sound stops working for instance, or something stops working. I guess I need to get a better understanding of who the people are. Are we dealing with the high schooler who wants to just turn my sound off on a computer? Are they getting other information off my computer that's more important than that, and that's just a residual effect?

We always think about the big guys, and the Chinese, or whoever it is that has a full frontage attack on our information, but maybe take us through the different levels of how this is done.