Evidence of meeting #67 for Human Resources, Skills and Social Development and the Status of Persons with Disabilities in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A video is available from Parliament.
11:55 a.m.
Conservative
The Chair Conservative Ed Komarnicki
You'll come back to it? Okay.
Did you wish to make a short comment, Mr. Shugart? No. We'll come back to that.
We'll turn it over to Mr. Cuzner. Go ahead.
11:55 a.m.
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
Thanks very much, Mr. Chair, and I thank the gentlemen for being here today.
I have only seven minutes and I'm going to try the best I can to get all my questions in. You guys have been pretty direct, and I appreciate that. If you can, continue that, and if I cut you off, it's not bad manners; it's just that I'd like to get the questions in.
First, my questions are going to focus on those who have been impacted, on those who held loans. Can you guarantee that it's only those between 2000 and 2006 who have been impacted? Are you confident with that?
11:55 a.m.
Associate Deputy Minister, Department of Human Resources and Skills Development
We've examined the data carefully. There are some former students outside of the 2000-2006 period, about 2,800 students overall. They fall mainly in 2007. There are about 2,600 students in 2007, and after—
11:55 a.m.
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
I appreciate that. We are getting them from 2007. Thank you very much.
On parental information, is there information on the parents or spouses out there, as well as about the students?
11:55 a.m.
Associate Deputy Minister, Department of Human Resources and Skills Development
No, there is no information on the parental side.
11:55 a.m.
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
You're comfortable that there's no parental information out there, and no information on spouses. Great.
Do you have a number for how many Canadians have reported concern about loss of identity or loss of information?
11:55 a.m.
Associate Deputy Minister, Department of Human Resources and Skills Development
We have answered 200,000 calls overall, and of that amount in total, about 65% are affected clients. Prior to the notification letters going out, it was running about 50-50 in terms of affected students versus non-affected students, and since that time, since the letters were received, the contacts have been—
11:55 a.m.
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
If I could just offer some advice, some of the calls we got from students say that the Equifax people aren't really confident with the information that they're sharing, so just as a tip to you guys, please make sure that these agents for Equifax are continually briefed or given the best information you can.
A corporate example is Sony International. A similar breach happened with them back a number of years ago. For all of the millions who were impacted, Sony picked up the tab under the categories of alert, monitor, and ensure. They provided a fraud alert, credit monitoring, and an insurance of $1 million coverage for each person. Had their identity been stolen, Sony would ensure each person for that amount.
Let's say that's over on this side of the continuum. The department's response would be anywhere from doing nothing to the Sony model. Where do you feel your response has been within that continuum?
Noon
Associate Deputy Minister, Department of Human Resources and Skills Development
We feel that the response is appropriate and that it is a strong response. It's a two-fold response through the contract with Equifax. The specialized, customized contract that we have will flag any attempt to increase credit or change credit information, and coupled with the monitoring of the social insurance registry—
Noon
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
I have a concern when we look at the Financial Consumer Agency of Canada's website and when we look on the federal Privacy Commissioner's website.
They say on the website that if an organization has collected your personal information and they notify you that a data breach means there's a risk that you will be used by identity thieves, then protect yourselves. They say to contact the fraud departments of the two major credit bureaus, request a fraud alert be placed on your files, order copies of your credit report, and repeat this step each six months.
You have used Equifax. Why have you not used TransUnion as well?
Noon
Associate Deputy Minister, Department of Human Resources and Skills Development
Mr. Chair, we are exploring the possibility of arrangements with other credit bureaus and financial institutions.
Noon
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
On the Equifax deal, those services are provided free of charge in eight out of ten provinces. I understand they are. Are you giving a special service beyond what is normally free of charge in eight out of ten provinces? Could you expand on what it is you're providing over and above that?
Noon
Allen Sutherland Assistant Deputy Minister, Learning Branch, Department of Human Resources and Skills Development
I'd be happy to, because there has been a lot of confusion on this issue.
Some people have been confusing the lost wallet service with the customized credit alert package that has been prepared by Equifax for the department. There are some important differences. For one thing, the lost wallet service is not available across the country, but more importantly, it provides a lesser standard of service. For instance, the lost wallet service is only available for three months. The service we've purchased from Equifax is the industry standard of six years.
The second thing is that the lost wallet service doesn't provide prevention or fraud mitigation for clients the way the credit alert system does. What the credit alert service does is notify the credit grantor that the person's ID has potentially been involved—
Noon
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
Perhaps I can interrupt, and I apologize, but Equifax had told us this is in fact free of charge to all consumers.
Noon
Conservative
The Chair Conservative Ed Komarnicki
Mr. Cuzner, you're at your seven minutes. Please put a quick question. Otherwise, we'll move on.
Noon
Liberal
Rodger Cuzner Liberal Cape Breton—Canso, NS
What is the total cost of the Equifax package to cover the 600,000 people?
Noon
Associate Deputy Minister, Department of Human Resources and Skills Development
The contract with Equifax and its value are commercially confidential. The reason the cost is commercially confidential is that the competition would be able to break it down to a per-unit cost. Thus, we've agreed to keep it commercially confidential.
Noon
Conservative
The Chair Conservative Ed Komarnicki
Your time is up.
We'll move to Mr. Daniel, and after that we'll take a quick break and start the second round.
12:05 p.m.
Conservative
Joe Daniel Conservative Don Valley East, ON
Thank you, Mr. Chair. Thank you, witnesses, for being here.
Again I have to say it's obviously a very difficult situation to lose data like this, and so I can sympathize with the people whose data has been lost.
One of the things that's important to understand is the root cause of all of this. The root cause will help you come up with the best solution, in my opinion.
My question is this: why was this information allowed to be copied from a server to an external device, and what was the department's policy at this time on portable devices like this?
12:05 p.m.
Associate Deputy Minister, Department of Human Resources and Skills Development
According to policy, the data should have been encrypted before it was copied to any portable device, and clearly it was not. The policy is there. The investigation will look at why it was not encrypted and the steps to look further into what the issues were.
12:05 p.m.
Conservative
Joe Daniel Conservative Don Valley East, ON
Has this loss of data brought about any other significant policy changes on how the department handles Canadian information? If so, how will these changes prevent a similar situation from recurring?
12:05 p.m.
Associate Deputy Minister, Department of Human Resources and Skills Development
The changes we've embarked upon are critical and key. It will be night and day in terms of the level of protection.
First, with respect to the information hardware, all of the USB keys that we—
12:05 p.m.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Mr. Chair, you so kindly reminded me during my testimony that I had to specifically speak to the three items on the motion about this particular data breach, and his question was not about this particular data breach. If you're going to implement that standard, I think you should implement it for all members of the committee.
Thank you.
12:05 p.m.
Conservative
The Chair Conservative Ed Komarnicki
Fair enough. I took the question to relate what you're doing with respect to the action you're taking following this breach. Now if we're mistaken on that, then it's another matter, but it's certainly appropriate to talk about what some of the long-term solutions are and what actions you've taken.