No, I would disagree.
Should we make it a law that companies are responsible...they're going to cover their butts, quite frankly, and they will, for any reason, start to—I'm wondering how we get around that—
Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was problem.
A recording is available from Parliament.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
No, I would disagree.
Should we make it a law that companies are responsible...they're going to cover their butts, quite frankly, and they will, for any reason, start to—I'm wondering how we get around that—
Executive Director, Canadian Internet Policy and Public Interest Clinic
Excuse me. We have a law saying the companies are responsible right now. The problem is it's not good enough.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
If we put some teeth into it—So at this point now, if they don't give breach notification, they're liable. I can assure you that we'll be just flooded with anything that—
Executive Director, Canadian Internet Policy and Public Interest Clinic
If you're looking seriously at this, I would recommend that you perhaps think about calling some witnesses or hearing from some people from California, which put in place its data breach notification law at least three years ago. They've had experience with it. I've heard some people say there is a problem with notification fatigue.
I think we need, and I personally want to see, some good unbiased studies. Unfortunately, there are very biased studies. Javelin Research, for example, has been hired to do polling and reports by industry who oppose security breach notification, and they're clearly biased reports.
To get a really neutral, unbiased report on the results, how successful that particular approach to data breach notification has been, very much depends on the thresholds you set for notification. Obviously, the higher the threshold, the fewer notifications will be required. There are different ways of doing it, as you have suggested in your report, and as John is saying now, which could involve a public registry, the Privacy Commissioner as a kind of filter, and check on whether or not notification is required in that particular circumstance.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Very quickly getting back to responsibility of consumers, I don't read anywhere and I wonder why—Why don't we put warning labels, like we do on cigarette packages? Simply throw them up on the screen, you know, that this and this can happen? Is that a possibility? Is that something you've—?
Counsel, Canadian Consumer Initiative
It's a question that might come up in a situation like on-line banking, where you could say this is a potentially risky activity. I don't know whether the fatigue would show up there or not. But one of my concerns is that consumers take in e-mails, and if they're from a financial institution, as Philippa said, they don't know that 99% of those from financial institutions are frauds. Perhaps they should get a list mailed to them from their bank once a year, telling them that when they get an e-mail from someone asking for account details, do not reply. I don't know if it's being done or not.
Are there other warnings you can think of?
Executive Director, Canadian Internet Policy and Public Interest Clinic
I think the problem is that banks and other industry are quite loath to issue such warnings because they don't want to deter people from engaging in on-line commerce.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
But if we made it a requirement that if you accept moneys over the Internet, when an institution does that, they are required to say that when you do this sort of stuff there are risks. That would provide some consumer awareness.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Two problems. One is that the fraudster isn't going to issue those warnings. I'm trying to think how it would technically work. What's happening is that the individual is not in fact dealing with legitimate organizations. They think they are, but they're dealing with the fraudsters. So how is the warning going to reach them at the time it needs to reach them? I'm not sure how that would work.
Secondly, as I've already pointed out, even if you were able to warn customers—actually, if you could get all customers to stop responding to all phishing and pharming and all of that, it's only going to deal with a fraction of the problem. We still have, but without the statistical support, what seems to us is that perhaps the majority of the problem here is leaks by businesses, hacking into computer databases, insider theft and such, which consumers have absolutely no power over.
Liberal
The Chair Liberal Tom Wappel
Thank you.
Madame Lavallée, and then an intervention by Mr. Wallace.
Mr. Reid, a point of order.
Conservative
Scott Reid Conservative Lanark—Frontenac—Lennox and Addington, ON
Thank you, Mr. Chairman.
I apologize to Madame Lavallée and to our witnesses for doing this at this time. I'm simply worried that we're about to run out of time at this meeting.
My understanding is that the subcommittee that deals with studying the agenda for this committee has made arrangements to deal with the matters of the motion that had come before this committee and was voted on relating to Afghanistan and so on. I assume that involves summoning witnesses as early as Thursday, and I am concerned that we won't have a chance to discuss this prior to that actually taking place. That would obviously be problematic from the point of view of ensuring that the committee has reached a consensus with regard to who we're summoning.
I'm hoping we can all find a way of leaving ourselves enough time to deal with that today.
Liberal
The Chair Liberal Tom Wappel
Thank you for bringing that up. I'm sure we're not going to exhaust the clock, so let me deal with that. It's not a point of order, but it's a legitimate question. I was going to deal with it.
First of all, the committee decides what we do, not the steering committee. The steering committee makes recommendations. In fact, the steering committee did meet, and it has recommendations, which will be circulated.
The first item of business on Thursday will be the steering committee report. It will be up to the committee to decide whether it wishes to adopt that report, either as presented or as amended.
On the off chance that the committee will adopt that steering committee report, either as presented or as amended, we do have a confirmed witness—one so far—for Thursday. Mr. Jeff Esau is a freelance journalist, who sold his story to the Globe and Mail. He has made two access to information requests with respect to this matter.
Obviously he will be here so we don't lose the time. If we spend the entire meeting discussing the steering committee report, so be it. That's the decision of the committee. But he will be here in the event that the decision is relatively quick. If we don't get to him, he'll be available once the committee makes the final decision.
At the present time, the committee's decision is to proceed with identity theft. But because of the wording of “urgently consider”, I'm putting the steering committee's report as the number one item of business for Thursday morning at 9 a.m.
Does that answer your question?
Conservative
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I do not necessarily have questions. I would like to talk about the list of guests who are going to discuss identity theft. I wonder when it would be best to do that.
Liberal
The Chair Liberal Tom Wappel
Not now. We have our witnesses here.
You could make your suggestions to our clerk. He can discuss whether they are already on the extensive list of witnesses. If they are not, then we can discuss it among ourselves. So just give the list to the clerk.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Yes. Earlier, we started to talk about the laws that need to be changed, and I did not feel that you were sufficiently clear on which federal laws we can change. During the discussion, you added that we must require stores to be more vigilant in combating fraud. You mentioned making class actions easier to bring. in Quebec, we have everything we need to bring class actions; I do not know how things happen in other provinces. You also mentioned provincial laws.
In your opinion, does identity theft fall under federal or provincial jurisdiction?
Executive Director, Canadian Internet Policy and Public Interest Clinic
Both, federal and provincial.
In terms of the class actions, we are recommending specific amendments to PIPEDA. If you look at our recommendations numbers 1 to 7 in our submission of November 28 on PIPEDA reform, we're saying the provinces, particularly Quebec, have a very effective class action system. The problem is that complainants under PIPEDA have no way of pursuing those complaints in a Quebec class action right now. You need to amend PIPEDA in a way that allows them to use the class action system to pursue their complaints.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
No, because in Quebec, there is another act that protects personal information, a Government of Quebec act. Class actions work well in that system, so we do not need, in PIPEDA—
Executive Director, Canadian Internet Policy and Public Interest Clinic
But if problems arise with a bank that is regulated—
Executive Director, Canadian Internet Policy and Public Interest Clinic
If it's a federally regulated institution, the matter falls under PIPEDA, as opposed to the Quebec law.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
That is worth checking out, but I think that there have even been class actions in Quebec against the federal government. So I think that the system or the program of class actions has nothing to do with the person being sued. I am not a lawyer, I am just telling you what I have seen and heard.
You do not just need a translator, but an interpreter as well.