Information & Ethics committee  John referred to this, too. The PhoneBusters data suggests that is the case. I do not consider that data reliable. PhoneBusters is a partnership project by the RCMP, OPP, and the Competition Bureau. I suggest that you have someone from PhoneBusters come and testify about the stats.

Information & Ethics committee  We think an agency should be appointed to be responsible for that. It should be done, first of all, by requiring organizations that encounter ID theft in their operations—and I know this would be an added burden on business—to keep track of identity theft incidents that their customers have actually suffered, or they have suffered, or that they've avoided and they know about, and to report those annually.

Information & Ethics committee  Well, someone needs to be responsible for it. As John pointed out, we have a problem. There is no consumer protection agency at the federal level. Industry Canada, with the Consumer Measures Committee, has some activity in this area, in particular with coordinating provincial approaches.

Information & Ethics committee  I think it's a complicated problem. It would probably benefit from a task force, something like the task force on spam a couple of years ago. I was part of that. I was involved in a couple of working groups. I think it was a really beneficial, worthwhile process. It brought the various stakeholders together, hammered out some tough issues, and came out with a really good set of recommendations, which unfortunately have not yet been acted on.

Information & Ethics committee  Yes, there are many. We published a report on the techniques of identity theft. It's posted on our website and it lists the many ways in which identity thieves gather personal information. I can go through more of them now if you wish, but as I said earlier, there's the whole gamut.

Information & Ethics committee  I will just add that the problem of authentication is a big part of this issue. It's being addressed by industry and the marketplace and government. I'm part of a working group that Industry Canada is chairing on principles for electronic authentication. It's a huge challenge. One accepted principle is single-factor authentication, that is, like a simple password is insufficient.

Information & Ethics committee  Information theft is often done by— insiders being bribed, so employees of organizations selling the information are handing it over to the thieves. A number of incidents have been traced to insider theft.

Information & Ethics committee  As I said earlier, there are only two sources of information in Canada on that. One is PhoneBusters, based on the relatively few complaints they get, and the second is some public opinion surveys. Some colleagues of mine, Dr. Norm Archer and Dr. Susan Sproule, who are part of the ORNEC-funded project I spoke about at McMaster University, are focusing on this statistics issue.

Information & Ethics committee  I believe the banks are probably the best source of information on the extent of the problem, and that's why we're recommending they be required to report on it.

Information & Ethics committee  The problem has many facets. We're saying that in many, perhaps most, cases, there's nothing the individual consumer could have done. In some cases, there was. In some cases, the problem occurred because the consumer fell victim to a phishing e-mail or a social engineering scheme.

Information & Ethics committee  Could I make a quick comment on that? The Privacy Commissioner has decisively found that collecting social insurance numbers, except where required by banks and employers and so forth, violates PIPEDA. It's a violation of the law. So we come back to the problem I was talking about before.

Information & Ethics committee  Sure. I can't explain why. I couldn't disagree with her more on this point.

Information & Ethics committee  Yes, I think the Consumer Measures Committee is doing great work on this, but it's not enough. It's not pulling in the law enforcement side of things. The police have a lot of information. There's a lot more that they can be doing, particularly once someone has been victimized. Victims are a great source of information about the nature of the problem, as well as the extent of it.

Information & Ethics committee  We have a number of class actions. Quebec is actually the jurisdiction in Canada that is the furthest ahead with class actions. A number of consumers have achieved remedies through that. Class actions are in fact specifically designed to empower consumers to make it easier for consumers to stop bad practices and get redress, first of all, by allowing them to obtain legal representation without cost and to be represented automatically as part of the class, even if they make no effort to initially obtain it.

Information & Ethics committee  I think it's usually large businesses that are implicated, or at least the cases we hear about. It's usually large databases, larger business, credit-granting institutions that run into trouble, so I'm not sure we're talking about a huge burden on small business. Again, what we're talking about when we're looking at data protection law enforcement is doing what's common sense anyway, what's good for the business and what's good for your customers.