Evidence of meeting #26 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
Liberal
Jim Peterson Liberal Willowdale, ON
Going back to my question, whenever there's a fraud, the client is kept whole. The client whose identity was stolen is not penalized. Is that the ongoing practice of all financial institutions in this country?
Vice-President, Policy, Canadian Bankers Association
That's the basic principle; that is exactly the basic principle. Of course, what we try to do is to have systems in place that stop it before a fraud happens. We have systems that can detect unusual patterns, say, on your credit card; if there's a purchase in Toronto in the morning and a purchase in Bangkok in the afternoon, the system shuts that down. We try to stop it, but the principle you've articulated, sir, is exactly right.
Liberal
Jim Peterson Liberal Willowdale, ON
On the latest spate of identify theft involving Winners et al, do you have any views on whether Winners and others handled these issues properly in terms of notification?
Vice-President, Policy, Canadian Bankers Association
Well, it's very difficult to speak for another part of the economy.
You make a good point, in the sense that it's important to bear in mind that those breaches took place at retailers, but I think the point is, let's look at what has happened here. Nobody likes to see breaches, but when they do happen, you want to see that steps have been taken, that notification has happened, that the authorities were brought in and the Privacy Commissioner was dealt with, and that the VISA and Mastercard systems were immediately contacted. They're the principal entities working with the retailers in question. In turn, VISA and Mastercard will let the banks know they've been working with our customers.
But in that chain of events, there was notification, as the authorities and the Privacy Commissioner were contacted. Our sense, from publicly available information, is that the retailers are working closely with the commissioner. Our sense is that shows the system is working well.
Liberal
The Chair Liberal Tom Wappel
You said that your basic principle was that the customer is held “whole”, as Mr. Peterson put it. I presume you're talking about credit cards and not real estate.
There is currently a problem with people's identities being stolen and their homes being sold from under them, and I believe the bankers' position is that their mortgages are valid in that case. Is that not true?
Senior Vice-President, Corporate Operations and General Counsel, Canadian Bankers Association
I think you've got to look at it on a case-by-case basis. As you probably know, there was a case before the Ontario Court of Appeal that came to a conclusion. I also know that the court of appeal is just about to relook at that situation, but I think this very much underscores something that my colleague from the credit union said, that you have to look at it on a case-by-case basis.
Bloc
Bloc
Robert Vincent Bloc Shefford, QC
Thank you for being with us here today.
Did I hear you correctly earlier when you said that debit cards were the client's responsibility? Mr. Law, you said that credit cards were fully reimbursed, but that in the case of other cards, for instance debit cards, when a PIN number ends up in someone else's hands, that is the client's responsibility and that same type of reimbursement does not apply. Is that correct?
Vice-President, Policy, Canadian Bankers Association
I'm sorry, but I must answer in English.
I mention credit cards as a particular instance. But no, if there's a problem with debit cards, if somebody has attained access to a card through identity theft or skimming, the customer is taken care of. The customer is made whole.
What we do make a point of—which I think the Credit Union Central people were saying—is that it's very important nowadays for individuals to take care of their debit card numbers. There are all sorts of cases where basically the bad guys either look over your shoulder or have a little camera on the PIN pad.
We recommend strongly that when you use your cards, you do so carefully. You make sure that it's covered. You make sure that there is no obvious tampering on the machine.
We say, do not share your number with people. It's amazing to have to say this, but it's still true sometimes. Don't share your card and don't share your number, even with somebody you know, because these cards get around. Don't write the number on the back of the card; don't have a little slip of paper in your wallet.
If in fact you have contributed to it, that's a different issue.
I mention credit cards, but we take care of the debit card problems as well.
Perhaps my colleagues at Credit Union Central will want to add to this.
General Counsel and Government Relations Officer, Credit Union Central of British Columbia
I would add that Credit Union Central, and I believe the bankers, have endorsed the debit card code of practice that requires the financial institution to reimburse in the event of a fraud, unless the debit card user has contributed to the loss.
There are some time limits on how the decision-making occurs, but the general premise is that the member should not have to suffer for fraud.
Bloc
Robert Vincent Bloc Shefford, QC
My question was as follows: if a sum of money is stolen from someone's bank account, does that person receive a total reimbursement?
In the case of a stolen debit card, what kind of investigation do your institutions carry out? Can the person be reimbursed quite quickly or does the investigation drag on so that the victim of the theft is only reimbursed months later? What measures do you take to protect people and their bank accounts from wrongdoing?
Linda Routledge Director, Consumer Affairs, Canadian Bankers Association
There is a process in every institution, so that if you go into a branch, it's generally escalated to a central adjudication centre, where it's handled very quickly. There are limits in the debit card code. They have ten days for the investigation to proceed, and then they'll get back to the person.
There may be some additional investigation afterwards, if it's a complex situation, but they try to resolve it very quickly. That's the commitment in the debit card code.
Bloc
Robert Vincent Bloc Shefford, QC
According to the information provided to us by the Office of the Privacy Commissioner, a large number of the complaints received by that organization regarding PIPEDA involve financial institutions. Can you explain why there are so many privacy complaints in this sector, especially if you consider that banks were among the first organizations to be subject to the legislation?
Vice-President, Policy, Canadian Bankers Association
Let's put this in context. Warren mentioned in his opening remarks that we have 11 million transactions a day. That's hundreds of millions of transactions a month, billions a year. We're aiming for perfection, but we're all people. Mistakes will occur, but they occur very rarely.
Sir, if you look at the actual statistics coming out of the Privacy Commissioner, out of the literally billions of transactions a year, there were about 133 complaints against the banks. I think we have the statistics here. It's a very small number. I believe that when the Assistant Privacy Commissioner was before this committee some time ago, she said yes, the banks have the greater number, but it's largely because they're one of the biggest institutions. In the actual scheme of things, relatively, it's a very small number.
I think the reason for that is.... We take privacy very seriously because in effect it's the core of our business. We'd like that number at zero, but we're dealing with people and sometimes there are human mistakes. I think that's the sense of it.
Liberal
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Thank you, Mr. Chairman.
I'd like to ask a question. An issue was raised about Winners. The tone of my questions, I want you to understand, is about whether committees are trying to review this legislation, trying to improve it. To Mr. Campbell in particular, we're not out to attack any bank or Winners or anyone else. Incidents have happened and they're all relevant to all of these topics, whether it's the outsourcing information, notification, or the investigation issue. All of these issues are tied in. With respect to my questions and others, I don't want you to get the wrong interpretation.
On the issue of notification, both the Credit Union Central of Canada and the Bankers Association say pretty much the same thing. The credit union people say that there must be a clear risk of fraud for notification. The bankers, to use your word, whether it's “tweaking” or not, say similar matters. I guess we'll let the lawyers decide.
Is there a reasonable risk that their personal information could be used for fraudulent purposes or identity theft? Well, the problem is if you look at these news stories that have just recently come out with a story by Emily Mathieu in the National Post about HomeSense and Winners, talking about “significantly less than millions of holders” information was removed from company databases and the CBC story on the CIBC losing almost half a million Talvest fund customers, in which case client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information, and/or social insurance numbers....
I'm looking at all that stuff that's been stolen, and you guys are saying that unless there are signs of fraudulent activity, you don't think you should notify. My God, if someone had my name, signature, date of birth, bank account number, beneficiary information, and social insurance number, I'd want to be told. I'd want to be notified. I don't want any sign of fraudulent activity. I want to be told.
Senior Vice-President, Corporate Operations and General Counsel, Canadian Bankers Association
I have no problems with that.
Conservative
Senior Vice-President, Corporate Operations and General Counsel, Canadian Bankers Association
Sure it is. Banks take very seriously the privacy of their clients. For example, in the Talvest situation, sure, there was a clear risk, a reasonable risk, that the information could be used for fraud or identity theft, and the bank acted responsibly.
Director, Consumer Affairs, Canadian Bankers Association
And the bank notified all its customers. Mr. Wallace can attest to that.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
That's why I introduced my comments saying this is not necessarily an attack on anyone. I'm looking at the policy that you're recommending to the Privacy Commissioner--to notify only if there's a risk of fraudulent activity. Doesn't the release of any information allow for the possibility of identity theft or fraudulent activity? The police tell me that if a credit card is stolen, nothing may happen for a year.
Vice-President, Policy, Canadian Bankers Association
I take your point. This is very sensitive stuff, and it absolutely is the case that notification has to happen. We firmly believe that.
We had two points. First of all, however you set the threshold, you have to set that threshold in a way that you are going to avoid two problems. You don't want to have every minuscule or potential breach resulting in issuing notices, because what will happen then is people will be inundated with things and they'll stop paying attention. They'll get inured to it and it will be just a regular routine kind of thing. That's the first thing you want to avoid. What you want to do is have a notice, where in consultation with the Privacy Commissioner, your own privacy experts, and with the police, people say you need to have a notice here.
The second thing you want to avoid is scaring people. There have been cases in the United States, at the state level, where there are these automatic breaches at a whiff of a problem. People get really upset. There was a veterans affairs issue there, where an automatic statutory breach notification went out and people got terribly upset. At it turned out, when people looked at it, there was really nothing going on there.
This is what you have to do when these things happen. There's an incident, but what is it? Is it a breach? How did it happen? Has personal information been accessed? These are just questions, but it's hard to determine. If accessed, is there evidence that they have been used or decoded? You have to get to the bottom of that first. Once you get to the bottom of that, everybody around this table would say oh, absolutely. Of course when you have these suspicions, you go right to the police and the Privacy Commissioner and you work with them.
The main point we're making is that we take notification really seriously. The evidence is that we in fact notify. Our point is that the current voluntary system is working well, as is the evidence, I think. It gives you flexibility. Then you can work with the commissioner on the facts of the case rather than having it hard-wired and at the whiff of something you get something kicking in. It's flexible. It works.
Let me just conclude this part of my comments by saying we agree with what you're saying. We very much agree. What we want to avoid is an inappropriate notification system. We want to signal our sense that the evidence out there suggests it is working well.
