Evidence of meeting #20 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Éloïse Gratton  Partner and Co-Chair, Privacy, McMillan LLP, As an Individual
Avner Levin  Associate Professor, Ryerson University, As an Individual

12:20 p.m.

Conservative

Laurie Hawn Conservative Edmonton Centre, AB

Have you looked at any statistics about exactly that? How many people were actually victims, and how many people are simply jumping on the bandwagon because it seemed like a good idea at the time?

12:20 p.m.

Partner and Co-Chair, Privacy, McMillan LLP, As an Individual

Dr. Éloïse Gratton

Well, in Quebec we have an opt-out system, so nobody is jumping on the wagon per se, but yes, you're right. There are lawyers who are making a living by filing privacy class actions, sometimes copycat files from the United States that they import here. In some cases we defend these cases; we act for the defence.

12:20 p.m.

Associate Professor, Ryerson University, As an Individual

Prof. Avner Levin

If you look at the data put out by the RCMP or people who report fraud to the various organizations—and a year ago I think it was around $17 million in combined value—and you compare that to the combined value that the banks and the credit cards are reporting, which is around $440 million, then you can see the difference between what people are self-reporting and what the banks are feeling. Again, we don't know why there's that discrepancy, what the reasons are, and what caused all that fraud, if you will, beyond the $17 million, and where that comes from.

12:20 p.m.

Conservative

Laurie Hawn Conservative Edmonton Centre, AB

What do you put more faith in: the stuff you get from the banks or the stuff you get from the RCMP?

12:20 p.m.

Associate Professor, Ryerson University, As an Individual

Prof. Avner Levin

The RCMP are sort of saying that they think people just don't report it. If you ask them, they'll say that people just don't report it, that they are embarrassed, they're this, they're that, that it's not worth it, etc.

12:20 p.m.

Conservative

Laurie Hawn Conservative Edmonton Centre, AB

Ms. Gratton, you talked about Quebec's section 26. It seems like common sense. How much responsibility is there on the transferee of the information to ensure that whoever receives the information understands completely their responsibilities for protection?

12:20 p.m.

Partner and Co-Chair, Privacy, McMillan LLP, As an Individual

Dr. Éloïse Gratton

Well, it's a little grey, right? There's a contract. The contract is usually worded in very broad language saying that they need to protect the information in accordance with applicable laws.

They just want the business. They want the contract. They'll sign it. At the end of the day, what kind of encryption are they using? Where is the information going to be stored? All these facts are not necessarily taken into account, so I like this section from the Quebec law, which creates an additional obligation on the part of the transferor.

12:20 p.m.

Conservative

Laurie Hawn Conservative Edmonton Centre, AB

That's right. I meant to say “transferor”, not “transferee”.

12:20 p.m.

NDP

The Chair NDP Pat Martin

Laurie, your time is up. Thank you very much.

Thank you, Ms. Gratton.

Now, from the Liberal Party, Scott Andrews.

12:20 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Welcome, folks.

Ms. Gratton, early on in your testimony you talked about the Privacy Commissioner and enforcement powers. Could you give us some idea of what enforcement powers you think we should be giving her? Perhaps you could elaborate a little on fines and penalties and what would be some acceptable thresholds for her or the office to implement.

12:20 p.m.

Partner and Co-Chair, Privacy, McMillan LLP, As an Individual

Dr. Éloïse Gratton

It should not be anything lower than what we have under CASL, right? Spam is an issue. Privacy and identity theft is also an issue, so in my view, why should it be any lower? If she had the power to issue fines for up to millions of dollars or hundreds of thousands of dollars, it would create, I believe, the incentive for businesses to take this law seriously.

Add in D and O liability and employer liability, and I think you have the full package.

12:20 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

You talked about businesses giving information to third parties. Could you elaborate a little further on that? Do you have any examples of where this goes wrong or at what point it goes wrong? Is it because the third party has the information and then when the contract is over doesn't dispose of it? Do you have any examples? Could you elaborate a little on that?

12:20 p.m.

Partner and Co-Chair, Privacy, McMillan LLP, As an Individual

Dr. Éloïse Gratton

Yes. Sometimes it's not shredded. It's stored. Also, it's not digital shredding of electronics that are not.... The information is not erased. It's provided to another employee, another customer.... You've had the Staples case.

I had a case recently where the information got lost in transit. It was financial information. Who's responsible? Is it the courier company? At the end of the day, it's a little bit of everybody.... The company is responsible for the information that it provided the courier, but it's the courier that lost it. Why did it get lost? The waybill fell off.

You have a lot of different stories and different types of breaches. In many cases, as I said, it's human error. A laptop is left on top of a car or is forgotten at an airport. It's a lot of human error. There are all kinds and types of breaches, I would say.

12:25 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

In the case of most of it being human error, it's not malicious in intention, so how do you penalize for human error?

12:25 p.m.

Partner and Co-Chair, Privacy, McMillan LLP, As an Individual

Dr. Éloïse Gratton

It's a good question. As for what they usually do, the first thing they look at is whether the organization had proper policies in place, and then, if they had these policies, whether the employees were aware of these policies. Had they received proper privacy training? Usually, if these two things have been addressed, if technical measures and policies were in place, and if employees were aware, you clearly limit the risk. It's not a perfect system where it's 100% bulletproof, but you clearly limit the risk.

May 1st, 2014 / 12:25 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Thank you.

Mr. Levin, I'd like to have a little chat about Mr. Hawn's point on the banks stopping our credit cards when we travel and that kind of thing. It's sort of an early warning system for identity theft when someone is using your cards without.... How do you think the banks are doing in that respect? Are they doing enough due diligence? Are they okay when it comes to that aspect? Do you have any research to show that actually they're very late and that by the time they get to this, a lot of damage has already been done?

12:25 p.m.

Associate Professor, Ryerson University, As an Individual

Prof. Avner Levin

I don't want to be glib, but I have absolutely no idea. They refuse to share anything about their practices or their policies with academics. I would be speculating if I were to tell you that they're doing okay in terms of the algorithms they are running, in terms of the credit cards of legitimate people who went overseas and forgot to tell them and they stopped them. I can't say whether that was good or bad. We don't have information of how much fraud is occurring and why that fraud is occurring, due to all the other reasons.

We have a bottom line number. We said, for 2012, it was $440 million total combined that the banks and the credit cards had reported. We have absolutely no breakdown as to what the causes were and all the things they went through.

I am sorry, but I can't give you an informed opinion on how well they're doing.

12:25 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

With other witnesses we have talked about the credit rating agencies, and I think their testimony here is going to be important. They're the ones who can identify when this stuff goes on first.

Do you think the banks have a role to play in identifying when an identity theft has just started to occur? Do you think they have that ability, or is it that by the time someone goes to the financial institution it is too late to try to stop someone's identity from being stolen?

12:25 p.m.

Associate Professor, Ryerson University, As an Individual

Prof. Avner Levin

I think they do have the ability. I don't think it has to just rest on the credit bureaus. I think they have the ability, because they are running those algorithms. Your credit card is declined if you forget to tell them. If they have what we call the false positives of stopping people, then they should have the ability of flagging the real fraud as it occurs and being a lot more responsive.

Everybody who has been through this with their bank knows that the banks are incredibly cagey with you. You often want to know where you went, what you did, what happened, what store it was. You will never get that information from your bank. They say that for security concerns, they don't want to—

12:25 p.m.

NDP

The Chair NDP Pat Martin

Mr. Levin, I'm afraid I have to cut you off there again.

Mr. Andrews, that concludes your time.

Our last questioner will be Pat Davidson, for the Conservatives, for five minutes.

12:25 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Thank you both for being here with us this afternoon. Some of the things we've heard are certainly enlightening.

Mr. Levin, can you outline for me what the main focus of the Privacy and Cyber Crime Institute is and its mandate?

12:25 p.m.

Associate Professor, Ryerson University, As an Individual

Prof. Avner Levin

Yes.

Institute is a word that we use at the university to help a group of academics come together and conduct research on a variety of projects. Our mandate is in the two areas of privacy and cybercrime.

From time to time we have projects that have more to do with privacy, the protection of personal information. We have projects with respect to cybercrime. It depends on the individual faculty members who are affiliated with us and what they want to do. We have done projects in the past about privacy in the workplace, about privacy online and in social media, about online advertising, various issues faculty members are interested in researching. Our role is to support them administratively.

12:30 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

I'm interested to know the most likely causes of identity theft. Is most of it paper-based, or is it online and those types of things? Are you telling me that you can't tell us that today because you're unable to access that information?

12:30 p.m.

Associate Professor, Ryerson University, As an Individual

Prof. Avner Levin

That's right. We've tried to launch research projects to investigate these questions exactly, and in order to do that we wanted to get access to the information from the banks. We were willing to sign whatever they required in terms of anonymity and confidentiality and all of those things.

Generally, as academics—as I said, we're not journalists and we're not on a fishing expedition—we share our reports with people who participate, so they will see that their perspective is fully and accurately reflected. We don't want to point fingers and blame. We give everybody the opportunity to comment if we're putting a draft report out. They may not like our conclusions, but they certainly have the opportunity to see that it's accurately reflected. However, we have been unable to get the banks to cooperate with us, or the financial aggregators that I mentioned earlier.

12:30 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Would it be fair to say that you couldn't comment on who the primary victims are of identity theft? You have not been able to quantify how much of it results in identity fraud and those types of things.