Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information about this bill are available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

May 1st, 2014 / 12:15 p.m.
Liberal

Sean Casey Liberal Charlottetown, PE

—but perhaps I haven't framed....

Here's what I'm putting to you, Mr. Minister. Right now, the only people who can avail themselves of the warrantless powers of voluntary disclosure are those in law enforcement agencies. Bill S-4 would allow anyone who's investigating any breach of contract from any organization, whether private, public, government or not, to avail themselves of that power.

May 1st, 2014 / 12:15 p.m.
Liberal

Sean Casey Liberal Charlottetown, PE

Let me finish my question, if you would, please.

One of the things that Bill S-4 would do is to expand the parties to whom telcos can, on a secret and warrantless basis, provide information. Right now, the only people that telcos can provide this information to are law enforcement authorities. This will broaden it, is that right?

May 1st, 2014 / 12:15 p.m.
Liberal

Sean Casey Liberal Charlottetown, PE

While we're on the subject of PIPEDA, you're undoubtedly aware, Mr. Minister, that presently before the Senate is Bill S-4, which proposes some changes to PIPEDA and will actually relate to the section that we are presently discussing.

May 1st, 2014 / 12:10 p.m.
NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

I want to stay on the same topic.

The two of you talked about the fact that our legislation lacked teeth and therefore didn't do much in the way of consequences. And the commissioner has little authority to issue orders or impose monetary penalties.

Is Bill S-4 a good way to solve that problem? Is it missing certain elements? If so, what should it include to ensure we are well protected?

May 1st, 2014 / 11:45 a.m.
Dr. Éloïse Gratton Partner and Co-Chair, Privacy, McMillan LLP, As an Individual

I will start. Thank you for the invitation.

I'll give the first part of my presentation in French and the second in English.

I'd like to start by discussing the legal framework governing privacy protection and the response of business. Despite the legislation that exists, the Personal Information Protection and Electronic Documents Act, or PIPEDA, companies and organizations have no real incentive to comply with the act and implement appropriate security measures. What's the worst that could happen from a company's perspective? What are the risks if they don't comply with the act? Not much. The worst case scenario is that their reputation might be tarnished. For example, if a complaint is made, and at the end of the investigation, the commissioner decides to release the company's name, then obviously, the company's reputation might be sullied. That very seldom happens, though.

There is another potential risk. When an individual is notified by the commissioner that the act was in fact breached, that person can take the company to Federal Court for damages. The court has made a few such rulings in the past decade. In five to ten cases, the Federal Court awarded small amounts. In some cases, it awarded no damages, and in others, $5,000.

Last fall, in its ruling on Chitrakar v. Bell TV, the Federal Court awarded $20,000 in damages, and that was a first. Is this the beginning of a new trend? Perhaps. Only time will tell. One thing is for sure: not everyone has the means to take legal action against a company to obtain small amounts in damages. In privacy violation cases, the amounts often range between $5,000 and $10,000. Engaging in a court battle is a complicated and painstaking process.

Furthermore, at the federal level, no incentives exist with respect to class action lawsuits over privacy violations, which have the potential to improve compliance. Incentives do exist in other jurisdictions. And in many cases, companies comply with privacy legislation as a result. Just think of the recent security breaches. Last January, a security breach occurred at Human Resources and Skills Development Canada. In April, a security breach occurred at the Investment Industry Regulatory Organization of Canada, or IIROC. And class action suits were launched in relation to both of those breaches.

In the case of IIROC, a portable drive containing the financial information of 52,000 brokerage firm clients was lost. The damages sought were $1,000 per individual. That has the potential to motivate companies to comply, but under PIPEDA, that isn't an option. The legislation contains no such provision to motivate companies. And even if it did, a class action lawsuit isn't necessarily appealing because authorization to proceed isn't always granted.

In the Quebec case of Larose c. Banque Nationale du Canada, the Superior Court made a ruling in 2010. A typical breach, it involved a lost laptop containing the financial information of many clients. One of the clients was not very happy and took the National Bank to court. At the authorization stage, counsel for the complainant had to show that, as a result of the security breach on the bank's part, actual identity theft had occurred. The court stipulated that the fear of identity theft alone did not entitle someone to compensation. Had there been no evidence of actual identity theft, the court would not have granted authorization for a class action.

That tells you just how high the bar has been set. Proceedings of this nature are not straightforward. And the damages aren't very high. So what's left? If you can't seek compensation because you're afraid you were the victim of identity theft as a result of a security breach, there is little else you can do.

Let's come back to the legislation concerning security measures. Companies are advised to adopt security measures based on the level of sensitivity of the information. Even when companies contract out services to a third party, the legislation says they are still responsible for the information and must ensure its protection through the contract. In reality, what we often see is companies using cloud services or third-party contracts. They contract the service out and then turn a blind eye to what goes on.

I would like you to consider a provision in a piece of Quebec legislation that I see as very useful. It imposes an additional obligation on companies preparing to give or transfer personal information to a third party via a contract. I am referring to section 26 of An Act to Establish a Legal Framework for Information Technology. It reads as follows:

Anyone who places a technology-based document in the custody of a service provider is required to inform the service provider beforehand as to the privacy protection required by the document according to the confidentiality of the information it contains, and as to the persons who are authorized to access the document.

The person who entrusts the function to a service provider and transfers the data to the provider, whether via cloud computing or some other means, has an obligation to tell the service provider how to protect the information in question. I think incorporating a similar provision in our legislation could be useful.

I am active in the protection of privacy and personal information. There is a prevention component to my work. That entails advisory services, compliance, training, policy development and so forth. I am also involved in crisis management. I help with the management of security breaches, provide assistance when complaints are made to privacy commissioners in various jurisdictions and give advice related to privacy class action lawsuits. Clients rarely ask me to do any prevention work for them unless they have had some sort of crisis first. That shows that companies aren't very tuned in to the issue. And yet, the legislation exists. Are they motivated to comply with the act? Not especially, because they wait until a security breach has occurred before taking action. Not until a crisis arises do they realize how costly it can be and that they might do well to invest in prevention.

It's also interesting to see just how many resources are being deployed to compliance and prevention around the coming into force of Canada's new anti-spam legislation. That piece of legislation is being taken seriously. It includes liability provisions that apply to administrators, executives and employers. And since the penalties it sets out are quite stiff, companies take it seriously. Ever since its coming into force was announced, the legislation has monopolized my practice almost full time. Is spam a bigger problem or greater evil than security breaches or identity theft? I doubt it. Why, then, is the situation the way it is? What are we waiting for to motivate companies to invest in prevention?

I have one last point. My second part will be very short.

Some studies show that most security breaches are the result of human error. I am referring to two studies, in particular, that were conducted two years after the requirement to report a security breach was imposed on companies. The first was done by Alberta in 2012-13 and lists all the notifications and security breaches. According to that report, human error was at fault in many of the cases. The second study was done by the Ponemon Institute in 2013 and says that in 33% of cases, employee error was to blame.

That, too, shows that companies aren't taking employee training around privacy protection seriously. Very often, the security breach resulted from a laptop being left in a car. Was the employee aware that behaviour posed a risk? Was a relevant policy in place? Was appropriate training available? The jury is out.

I know time is running. The second part is going to be quick.

I want to raise the fact that currently under PIPEDA we don't have mandatory breach notification, and I believe that this may well play an important role in addressing some of the financial harm that may be triggered in the case of identity theft following a security breach.

If individuals, whether they be consumers or employees, are notified, it will help them to better protect themselves against harm, such as identity theft, because once they're notified they're going to pay special attention to their financial statements every month, every day, tracking down any suspicious or unauthorized transactions. They're going to monitor their credit through credit-rating agencies, such as Equifax and TransUnion. It will also provide businesses with an incentive to establish better data security practices in the first place.

What's the status on mandatory breach notification outside of Canada? We have it in Europe and in the United States. Most of the states in the U.S. have breach notification laws. In Canada, Alberta so far is the only private sector jurisdiction that has this law, and they prescribe fines up to $100,000 for businesses. They have realized that this breach notification obligation in their law has increased the reporting of security breaches, and it has also increased the privacy training. Businesses are more inclined and are more motivated to spend, because they realize that it's going to be an obligation to disclose the breach if there is such a breach.

In Quebec there is a consensus that it is needed. In 2011, la Commission d'accès à l'information du Québec published a report in which they said that this is needed. It's a matter of time. It's in the hands right now of the legislature, but we will also have this obligation in Quebec shortly, hopefully.

At the federal level, we've had various bills that have been introduced: Bill C-29, Bill C-12, Bill S-4 recently, and Bill C-475. The latest one is Bill S-4. Will Bill S-4 do the job if it becomes law? It's better than having nothing, that's for sure. Maybe it's not perfect, but it's better than having nothing.

I guess it would create the incentive for businesses to disclose, and I think we need to trigger that incentive. In an ideal situation there should be clear monetary penalties for not reporting security breaches to individuals and to the privacy commissioners. There should be a duty to report a breach as soon as possible. I'm cautious with providing fixed delays, because I've been on the other side. Sometimes there's a breach and you need to do the investigation before you start notifying individuals and privacy commissioners, because you need to know exactly what happened and what needs to be told or not told.

The Privacy Commissioner, I believe, should be given the power to order an organization to report a breach to customers. These orders should be made public and the organization should be named. I think that would create the necessary incentive for them to invest in preventive measures, which would be beneficial to address a financial harm resulting from identity theft.

This is my last point. It would not be a bad idea to have a uniform breach notification law in Canada. Various systems could become problematic when there's a breach. I know that a few years ago, the Uniform Law Conference of Canada drafted a breach notification act. Maybe it could be used as a tool.

Thank you. I think my time is up.

Privacy: Oral Questions

April 30th, 2014 / 2:50 p.m.
Port Moody—Westwood—Port Coquitlam B.C.

Conservative

James Moore Conservative Minister of Industry

Mr. Speaker, indeed, the telecommunication companies must absolutely act effectively and responsibly towards all those they provide services to. There is no doubt about that.

Equally, we have put legislation before Parliament that further protects the privacy of Canadians, Bill S-4.

The NDP had a private member's bill with regard to the same piece of legislation that did not address this issue, did not even raise the topic, did not offer any amendments, and did not offer any solutions.

Contrast that with what we have done. We have put forward the digital privacy act, consulted with the Privacy Commissioner beforehand, spoken with her all throughout the process, and put forward legislation, which she endorses, that says we will protect the privacy of Canadians.

Privacy: Oral Questions

April 30th, 2014 / 2:45 p.m.
Port Moody—Westwood—Port Coquitlam B.C.

Conservative

James Moore Conservative Minister of Industry

Mr. Speaker, before we tabled Bill S-4, the digital privacy act, I spoke to the Privacy Commissioner and got her views on how to best move forward with modernizing Canada's intellectual property laws.

I spoke to her this morning about the story that has been in the news recently, and in fact here is what she said about our digital privacy act and our efforts to best protect Canadians online. She said, “...I welcome the proposals...” in this bill. This bill contains “...very positive developments for the privacy rights of Canadians...”.

We work with the Privacy Commissioner. We protect the best interests of everyday Canadians, and we are making sure that we move forward to modernize our digital laws.

April 29th, 2014 / 12:40 p.m.
NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

My question is for Ms. Lawson because she commented briefly on Bill S-4. However, if other witnesses also have any comments to make I would be happy to listen to them.

Do you think that Bill S-4 represents everything that should have been done to make sure that our privacy legislation is up to date and protects Canadians against these risks in this day and age? Should anything be added to the bill? Does anything not go far enough or is there anything that shouldn't be in the bill?

April 29th, 2014 / noon
Philippa Lawson Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

Yes, I think that is problematic. There is a strong incentive for organizations not to report security breaches. So the law, in order to be effective, needs to address that incentive, needs to provide a counter-incentive, and I think that counter-incentive has to be an objective standard that is low enough that they will be reporting all material breaches. That was the standard in previous iterations of this bill. I'm not sure why it's been changed in Bill S-4.

It's a big issue. There are two standards here. There's one for when the organization has to report the breach to the Privacy Commissioner, which is not necessarily public, and there's an issue over whether that should be made public or not, I suppose. The other is when they are required to report it to the affected individuals.

I think it makes sense to have a lower standard for reporting breaches to the Privacy Commissioner, and a higher standard for reporting to individuals. I'm not sure why the government has seen fit to apply the high standard to both. Security safeguards are a fundamental piece of this identity theft puzzle, and organizations play a huge role in this. By establishing an objective standard under which organizations have to report security breaches to the Privacy Commissioner, we will only then have any decent registry or inventory of security breaches, of ways in which organizations are not meeting the standard for protecting personal information.

April 29th, 2014 / noon
NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

Ms. Lawson, you stated briefly that the threshold in Bill S-4 for determining whether or not there was a data breach is too high. Under this bill, it is the organizations themselves that decide whether or not to alert the commissioner or the users that there has been a loss of data or a data breach. A subjective assessment is being indicated rather than an objective assessment.

Do you have any comments on that? Do you think that could be a problem?

April 29th, 2014 / 11:40 a.m.
Philippa Lawson Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

Thank you, and good morning, Mr. Chair and committee members.

Thank you for inviting me to address you today on the issue of identity theft. I have been studying and working on this issue from the consumer and victim perspective for over 10 years, first with the Public Interest Advocacy Centre, then with the Canadian Internet Policy and Public Interest Clinic or CIPPIC, the International Centre for Criminal Law Reform and Criminal Justice Policy; and most recently for the Canadian Identity Theft Support Centre.

I've provided a list of publications with my speaking notes today, and I hope that will be distributed to you. These publications include analyses of the range and types of identity-related crime, an international inventory of best practices for victim remediation in both public and private sectors, a gap analysis of legal rights and remedies for victims of identity crime in Canada compared to the United States, and self-help guides for Canadian victims of identity theft. These are all accessible online.

In my capacity as director of CIPPIC, I made submissions to this very committee when it was studying the issue of identity theft back in May 2007. Looking back on those submissions, they are, for the most part, as relevant now as they were then. There have been some developments in the last few years, notably amending the Criminal Code to make it easier for law enforcement to catch and convict identity thieves, which is an important step but only one of many tools needed to address the problem; and also establishing the Canadian Identity Theft Victim Support Centre, which can now be found online at www.idtheftsupportcentre.org, or via its 1-866 hotline. But much more can and should be done to prevent, detect, prosecute, and mitigate the effects of identity-related crime.

I understand that you are interested in the economic impact of identity theft in Canada and that your focus is on privacy or identity-related crime as opposed to mass market frauds generally, or cybercrime generally. I cannot give you any numbers. For the reasons my colleagues have stated, I doubt that it is possible to come up with a good estimate, given the dearth of data on identity-related crime in Canada. Instead, I'd like to use my time just to make five suggestions for policy and law reform in this area.

First, enact security breach notification laws. Individuals can take all the recommended precautions against identity theft, but they can't control what organizations do with their personal data in the custody of the organization. In this age of databases, strong corporate security safeguards are essential to protect against identity theft. Yet, under pressure to cut costs, many organizations are not taking the measures that they should to protect customer data.

A law requiring that organizations report security breaches to the Privacy Commissioner, as well as to affected individuals, would go a long way toward preventing the kinds of security breaches that feed identity criminals. It would also make potential victims aware of their vulnerability, allowing them to take preventative measures before the damage is done. I applaud the efforts of committee member Ms. Borg in this respect, and I encourage the government to consider the private member's bill she has put forward on this issue.

Bill S-4, the new digital privacy act, is a welcome government initiative as it would also require breach notification, but its proposed standard for reporting breaches to the Privacy Commissioner, as opposed to individuals, is inappropriately high, allowing corporations to avoid accountability for inadequate security measures. I know you'll be looking at this bill when it comes before you, and I hope you will look at this very closely.

Second, make data protection laws enforceable. We live in a world of huge and expanding databases of personal information. These are gold mines for identity criminals as well as for marketers, researchers, and even political parties. The Personal Information Protection and Electronic Documents Act, which I'll refer to as PIPEDA, is supposed to protect consumers from the kinds of practices that lead to identity theft and fraud, but practices that violate PIPEDA continue to be widespread in the marketplace. The problem is that PIPEDA lacks teeth. Corporations need not take it very seriously.

The digital privacy act, Bill S-4, would make it easier for the Privacy Commissioner to name and shame corporate offenders. It would also allow the Privacy Commissioner to take action against those who fail to adhere to compliance agreements. These are significant improvements that would make the bill more effective and would be used to hold non-compliant organizations accountable for the kinds of practices that facilitate identity theft, but more could be done to make the data protection laws effective. I hope you will look at all options when Bill S-4 comes before you.

Third, require that credit freezes be offered to Canadian consumers. The messiest form of identity theft is new-account fraud, that is, where criminals use stolen data to create new accounts or take out loans or mortgages in the name of the victim. It can be months before a victim becomes aware of the problem, during which time multiple accounts have been opened and unpaid bills have been run up in the victim's name. Even after the victim succeeds in closing the accounts and dealing with the debts—this is a nightmare in and of itself—the victim can end up paying higher interest rates for years because of their corrupted credit histories.

This may not happen often, but when it happens, it is at a high cost to the individual. By far the best protection against new-account fraud is a credit freeze. A credit freeze bars the credit bureaus from issuing your credit report—the summary of loans and payments that forms the basis of your credit score. Because few lenders will issue credit without first seeing a credit score, identity thieves can't use stolen data to open up new accounts where the credit report is frozen. Credit freezes are particularly helpful for elderly people or for those who don't need to borrow money.

The credit bureau industry has no interest in offering credit freezes for obvious reasons. Doing so would eat into the industry's core business of providing credit reports. However, despite strong industry resistance in the United States, almost all states in the U.S. now require that credit freezes be offered to consumers at no fee or at a very low fee. The reason is to prevent identity theft. There is no good reason why Canadians are not offered similar protection. This is an area of provincial responsibility, but in my view the federal government should be working with the provinces, through, for example, the Consumer Measures Committee to ensure that consumers across Canada have the tools they need to prevent, detect, and mitigate the effects of identity crime, including the ability to freeze their credit reports upon request.

Fourth, coordinate victim assistance initiatives. The Canadian Identity Theft Support Centre, which I'll refer to as the victims support centre, was established in early 2012 with funding from the federal government to provide victims of identity theft with information and support. It has a very specific mandate, and that's all it is. The victims support centre is taking about 10 calls per day now from victims and others inquiring about identity theft, more when there is publicity about the centre. It offers victims hand-holding through the coping and remediation process, which can be extensive.

I understand that the victims support centre provides data to the Canadian Anti-Fraud Centre, but strangely, the Anti-Fraud Centre does not even acknowledge the existence of the victims support centre. Needless to say, there needs to be some coordination and cooperation between these two government-funded agencies so that each can focus on its mandate rather than trying to compete with the other for funds and public profile.

Finally, I would suggest that Canada develop a national strategy for combatting identity-related crime. The four measures I've advocated are just a few of many that are needed to address the many angles of this problem. Canada needs a national strategy to understand and address the specific problem of identity-related crime, a strategy that should be driven by high-level officials and that should involve all key stakeholders. The RCMP's national strategy, which it issued in 2012, is a good start, but it needs a lot more work to get beyond broad generalities and to include the consumer protection angle.

The first pillar of a national strategy should be to develop mechanisms to gather reliable, reasonably comprehensive data on the incidence, types, and costs of identity crime in Canada. On this, I fully endorse the comments of my colleagues, Drs. Sproule and Dupont, on this critical first step in addressing the problem. We need to know the nature of the problem in order to address it effectively. We simply don't have the data in Canada yet.

Finally, sometimes we can learn from our neighbours to the south, and I would suggest that this is one of those times. In 2006, the U.S. President established a special task force to develop a comprehensive national strategy to combat identity theft. The President's task force was co-chaired by the U.S. Attorney General and the chairman of the Federal Trade Commission. It included high-level executives from all pertinent government agencies. Over the course of a year, they examined the problem from all angles and published a comprehensive strategic plan for combatting identity theft in the United States. The plan, which called for a coordinated national approach to policy and law reform, has been largely implemented. There is a lead agency—the Federal Trade Commission—and consumers and victims in the United States now have many more tools at their disposal to prevent and deal with identity theft than do Canadians.

Mr. Chair, and members of the committee, it's time, in my view, for Canada to seize this issue and develop a similar strategy that involves all stakeholders, including consumer protection agencies and privacy commissioners at both federal and provincial levels.

We can do better.

Thank you.

April 29th, 2014 / 11:20 a.m.

Dr. Susan Sproule Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual

Good morning.

My involvement with the subject of identity theft started in 2005 with a research project that involved four universities and subject matter experts from the financial sector. My group was assigned the task of defining and measuring identity theft. On the measuring side we did a comprehensive survey of Canadian consumers in 2008, but that data is really too old to have much value now, so I'm going to concentrate on the definition problem and then discuss some of the difficulties in measuring identity theft. I hope that can help provide some guidance for your study.

To come up with definitions, we started by trying to organize some of the activities that came up frequently when we were discussing identity theft. I had a diagram. I don't know if you've been given copies of it, but basically at the beginning we had a number of activities that described different ways that identity information can be collected. In the middle we had a number of activities that were involved in the development of a false identity, things like counterfeiting documents and document breeding. Then at the bottom we had crimes that are enabled by a false identity.

We were just looking for working definitions that our various research groups could agree on. In a series of workshops, we decided that identity theft should include all the illegal ways of collecting information and all the activities in that development of a false identity. These are preliminary activities to a fraud.

We said that ID fraud should include all the crimes where the use of a false identity was integral to the crime. In other words, you might want to use a false identity if you're smuggling drugs, because that would be useful if you get caught, but you can still smuggle drugs without using a false identity, so we said that's not identity fraud.

I won't go through our formal definitions, but we were quite pleasantly surprised that our definitions ended up being very similar to those that the federal government's Department of Justice came up with as they prepared the ID theft legislation introduced in 2009.

A key point from all of this is that identity theft and identity fraud are two different problems. Identity theft is a problem of personal and agency guardianship, that is, keeping personal information secure. Identity fraud is a problem of authentication, or being able to determine that the person who is presenting identification is really who they say they are.

Why is this distinction important? You can have one without the other, and vice versa. The thief and the fraudster are usually different people. In general, identity thieves steal identity information and sell it to identity fraudsters. We notice that cases of identity theft—data breaches, etc.—are rarely linked to cases of identity fraud, because there's this middle area that the information goes through.

Primarily, it helps us to focus on the interest and responsibilities of the stakeholders. So, as an identity owner, I can help prevent some identity theft. I can keep personal items that contain identity information secure and not give out personal information unnecessarily. I really have no ability at all to prevent identity fraud. Once my information has been compromised, the only thing I can do is help detect it and report it as soon as possible.

But as an active participant in life today, I really have no choice but to give personal information to all kinds of organizations. These organizations have roles in preventing both identity theft and identity fraud. They can prevent identity theft by keeping any of my information they possess secure. They can prevent identity fraud by ensuring they have proper authentication processes in place whenever identification is issued or is checked.

Organizations are also responsible for detecting both identity theft, when information has been compromised, and identity fraud when these processes have failed and fraud has occurred.

Even within an organization, if you try to interview an organization about identity theft and fraud, the responsibilities for those two problems lie in different areas of the organization. Who is responsible for the guardianship problem? It's generally the security department when we're talking about physical security, and it's the IT department when we're talking about systems security. Who is responsible for the authentication problem? That's anyone who's involved in designing, or managing, or even conducting all the business processes around all kinds of transactions.

On the topic of measuring identity theft and fraud, there are lots of challenges. The very first comes back to this whole problem of defining. A 2006 Ipsos Reid survey found that 29% of Canadians agreed with this statement: “I hear a lot about identity theft, but I don't know what it means.” So if you want to do a survey to find out the extent of identity fraud, you can't just ask respondents if they have been a victim. Many surveys do this, but you really can't interpret anything valuable from these results. In our survey, we gave very specific examples of the various types of identity fraud that we were interested in.

Besides doing surveys, you can look at reports of identity theft to such organizations as the Canadian Anti-Fraud Centre, but the second problem is a general lack of reporting. Credit card fraud and debit card fraud are investigated and handled internally by the credit card companies and the banks. Only a small proportion of those cases are ever referred to police. A Statistics Canada survey on fraud in retail businesses showed that between 40% and 50% of cases were never reported to police. Less than 40% of individual victims ever report to police.

Why does this happen? In general, businesses are afraid of negative publicity. People are embarrassed that they fell for a scam or that they didn't protect their information. I think both often believe that police can't do anything, and they're right, in many cases.

In terms of costs—I gather it's part of your mandate to look at that—the costs of identity theft are many, and they are borne by individuals, by organizations, and by society. Individual victims are not held responsible for financial losses once it's established that a fraud has occurred, but they often have significant costs getting to that point in terms of time and a lot of frustration and anxiety.

Organizations bear most of the monetary losses associated with ID theft and fraud. There are two problems associated with that. First, organizations are very reluctant to tell anybody what these costs are. Secondly, the costs alone don't provide strong incentives to prevent identity theft and fraud.

When an organization has losses associated with identity fraud, those losses are simply passed on to consumers in the form of higher prices, fees, or rates. As well, in Canada the lack of breach notification requirements means that Canadian organizations do not necessarily even suffer from reputational damage. I understand that the proposed digital privacy act will be taking some steps in that direction, and that's a good thing.

There are also general costs to society in the form of a chilling effect. Different studies, including ours, show that between 20% and 40% of consumers say they have adjusted their online behaviours because of a fear of identity theft. This means that Canadian businesses are not benefiting from all of the advantages that electronic commerce should be bringing.

There are two things I would like to see addressed in your study.

First, I would like to see greater responsiveness to consumers by the credit reporting agencies. As I've said, the one thing that individuals can do is help detect frauds, but if we want them to take these steps, they need greater access to and greater control over their credit files. Credit reporting agencies have to provide a free copy of your credit report each year, but they make this as difficult as possible. To get a free copy, you have to fill out a form, copy a multitude of documents, send it all off in the mail, and wait a couple of weeks for them to mail you back a report. They provide online service. Online service is more secure, and it has to be less expensive to provide, but they'll charge you $24 for that.

As well, both of the credit reporting agencies offer ID theft protection products for $15 to $17 a month. By offering these products, they are profiting from the problem, which provides little incentive for them to reduce or eliminate the threats.

Finally, it's very difficult to manage something if you aren't measuring it. We need regular, periodic data collection in order to identify trends and to design effective educational initiatives and effective policy. Since there isn't one single measure for identity theft and fraud, we believe the real need is for an identity theft and fraud index that would work like a consumer price index or purchasing activity index. This index would bring in information from regular surveys of consumers, surveys of businesses, as well as reports from law enforcement, from credit reporting agencies, from privacy commissioners, victim services, and any other groups.

Thank you for your attention. I hope that's helpful.