The term “identity theft” is somewhat misleading, insofar as the activity we're talking about covers not just the unauthorized collection or theft of information but the fraudulent use of it. You will find that many experts talk about identity fraud when they're talking about unauthorized use. It really is a two-stage crime. It involves both the unauthorized collection and the fraudulent use. We're using the term “identity theft” broadly as it is commonly used to refer to both stages here.
Identity thieves use a number of techniques to gather personal information. There are relatively unsophisticated methods such as dumpster diving, mail theft, bribing insiders of corporations, and pretexting, which is posing as someone who's authorized to obtain the information in order to get it. There are also much more sophisticated techniques such as skimming, “phishing”, “pharming”, keystroke logging, and hacking into large databases.
A single individual may be victimized many times before he or she knows it. Indeed, victims of identity theft are often unaware of it until they apply for credit from a lending institution and are refused or start getting calls from a debt collection agency. By that time their credit rating has been destroyed and they will likely experience great difficulty restoring it. The victims experience a myriad of difficulties restoring their reputations and recovering the losses suffered, often as a result of no negligence on their part.
I know you're interested in trends. One trend worth pointing out is the use by identity thieves of the Internet to gather and trade in stolen information. It's very easy to find websites right now offering credit card data for sale. Hard drives with personal information on them are being sold on eBay, for example. The Internet, as I'm sure you know, is also used to fool unsuspecting consumers into handing over their account information using techniques such as phishing and pharming. I can explain those later if you're interested.
Unfortunately there are few reliable statistics on identity theft in Canada. PhoneBusters publishes stats based on complaints it receives, but these represent only a fraction of the problem. There are some public opinion surveys that provide insight into the problem, but again it's not complete. We have little else to go on.
Our first recommendation is that we need a national strategy for gathering reliable, reasonably comprehensive data on the incidence, types, and costs of identity theft in Canada.
On identity theft prevention, our research suggests that identity thieves are benefiting as much if not more from unnecessary collection, storage, and trading of personal information by organizations as they are from deficiencies in criminal law enforcement or consumer credulity and carelessness. In many cases there's absolutely nothing the consumer could have done to protect themselves, short of not dealing with the organization that suffered the leak in the first place.
So if we're to attack this problem successfully, efforts will be needed in four key areas: data protection law enforcement, prosecution of identity thieves, consumer rights and remedies, and public education.
We have a reasonably good data protection law here in the form of PIPEDA. The law prohibits organizations from collecting more information than they need, retaining it for longer than necessary, and using or disclosing it for purposes other than those for which the individual has consented. It also requires that organizations put in place reasonable security measures to protect against unauthorized access and identity theft.
The big problem with PIPEDA is not any particular substantive deficiency—many of which you have identified in your recent report on PIPEDA—but rather the fact that PIPEDA lacks an effective enforcement mechanism to encourage industry compliance. As a result, many organizations are collecting far more personal information than they need and holding onto it for longer than they should, thereby exposing individuals to a greater risk of identity theft. There are examples of this we can talk about.
Organizations are also failing to secure the personal information they hold through effective encryption, careful employee screening, and other measures. Our study last year of 64 online retailers, which we provided to you last December, confirms that there is widespread non-compliance with even the most basic requirements of the act.
A data breach notification requirement holds some promise for creating incentives for compliance, but only if such notification is made public and only if breaches are not so frequent and widespread as to diminish the reputational damage of publicity. But even so, breach notification rules need to be supplemented with an enforcement regime that creates a real risk of financial penalty for over-collection of personal data or other violations of PIPEDA that contribute to the ID theft problem.
In our submission last December to the committee we made a number of recommendations for strengthening PIPEDA's enforcement regime, including allowing for class actions against organizations that violate PIPEDA, removing financial disincentives for individuals to pursue lawsuits against organizations for breaches of PIPEDA, and punitive damages as a possible remedy for violation of PIPEDA.
We were disappointed that none of these recommendations was adopted or even mentioned by the committee in its report. Addressing this incentive problem, the most important deficiency of PIPEDA and a key factor in the growing problem of identity theft, in our view, is critical if we want to make headway on this problem.
Turning to the issue of public awareness, there are many excellent websites and brochures explaining ID theft schemes and offering tips to avoid identity theft, but there is still a problem. Individuals continue to fall prey to these social engineering schemes, such as phishing and pharming. Young people are posting detailed information about themselves on the Internet, without appreciating the risks.
We are recommending that the Financial Consumer Agency of Canada be mandated to undertake a national public education campaign on identity theft, in consultation with financial institutions, law enforcement agencies, and consumer organizations. The campaign should focus on the most common scams used by identity thieves to gather information directly from individuals and should use mass media, as well as inserts in government mailings, posters, and brochures in store-front offices.
On the issue of consumer protection, first, victims of identity theft usually have no way of knowing the theft occurred until the damage has been done. We think data breach notification will be very helpful in this regard.
Second, even the most educated and motivated victims encounter tremendously frustrating obstacles when they attempt to stop the damage and regain their reputations. If such obstacles were removed, victims would be able to mitigate the damage and take preventative action more quickly. In some cases, they could also assist the police in identifying and prosecuting criminals.