Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was problem.
A recording is available from Parliament.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Absolutely. I'd say it complements market forces, in that sense.
Liberal
The Chair Liberal Tom Wappel
Thank you, Mr. Martin.
Anyone from there? Okay, I'll take the slot.
Ms. Lawson, you indicated it was your view that the Financial Consumer Agency of Canada—this is my wording—should be mandated to launch a massive education campaign. This is somewhat along the lines of Mr. Stanton's question.
First of all, maybe you could tell us a little bit about the Financial Consumer Agency of Canada, as to who they are, who runs them, to whom they are reportable. We heard last week from Industry Canada's group, the Consumer Measures Committee, which seems to have a good working relationship with their provincial and territorial equivalents, because of course this is an interjurisdictional situation, which is something we really haven't touched on with you. So if we already have them—and I think you said they were doing a good job—why do we need to get the Financial Consumer Agency of Canada involved?
So two questions. What is the Financial Consumer Agency of Canada, and why get them involved if CMC is doing a good job?
Executive Director, Canadian Internet Policy and Public Interest Clinic
I'm going to let Mr. Lawford jump in because I think he's done more work with the FCAC.
It's a national agency responsible, as I understand it, for bank regulations involving consumer protection issues. The nice thing about FCAC is that it's national. It doesn't cover all financial institutions, only federally regulated banks, but it has national coverage, which is what we need.
The Consumer Measures Committee has some great information on their website. They are encouraging provinces to do likewise. Some provinces have made some great strides in this area, but when it comes down to it, the CMC is a coordinator of provincial measures, so the citizens of those provinces that choose not to take those measures lose out.
At least in areas of federal responsibility, I think it makes sense to use the federal agency to provide consumers with more one-stop shopping solutions.
I'll let John add to it.
Counsel, Canadian Consumer Initiative
The Financial Consumer Agency of Canada has taken some tentative steps along this line. I believe they're working on phishing documents, so it would be a natural outgrowth for them to continue their work. Whether banks like it or not, they are at the centre of all this, because inevitably, identity theft is reported to them.
The Financial Consumer Agency of Canada has a mandate to educate the public on matters of financial prudence as well as security, and although it only deals with federal financial institutions, as I said, that's the crossroads for this. So it's one place you can look to in the federal government, and it's a logical place, because it doesn't seem that the Privacy Commissioner is interested in doing this stuff and it doesn't seem that the Competition Bureau is interested either.
Liberal
The Chair Liberal Tom Wappel
Is this an agency created by the banks, or is it an agency created by the Government of Canada, or a cooperative, or what?
Counsel, Canadian Consumer Initiative
It is an independent agency, created by an act, which reports annually to Parliament. However, it is financed by the financial institutions rather than by taxpayers.
Liberal
The Chair Liberal Tom Wappel
The CMC, by the way, also has interesting little brochures, cut-outs with interesting information on them.
Mr. Lawford, you mentioned the Federal Trade Commission, and we've talked about it a couple of times. What is their legislative jurisdiction? We've heard there are all kinds of consumer protection laws in each of the individual 50 states; some may have more, some stronger, some weaker, and some may have none. I don't know.
Mr. Lawford, I understood you to recommend that we take a look at them as a model, and I'm just trying to figure out their jurisdiction in the United States.
Counsel, Canadian Consumer Initiative
This particular safeguard, which I've cited to you, comes out of the Gramm-Leach-Bliley Act in the United States, which requires financial institutions to take due care with regard to customers' personal financial information. That's the source of their jurisdiction, in this particular case. They also have general jurisdiction under the Federal Trade Commission Act to protect consumers. I think section 5 is the right section. So they use both of those.
I know they've had a couple of prosecutions under the section 5 power of businesses after a breach.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Unlike our Competition Bureau, the FTC has broader jurisdiction to deal with consumer protection issues. In my view, this is one of the greatest gaps in the federal regime, the fact that the Competition Bureau does not see itself as having a mandate of protecting consumers.
Liberal
The Chair Liberal Tom Wappel
Thank you very much.
We go to Mr. Tilson. The only other person I have listed as a questioner is Mr. Van Kesteren. If anyone else wants to question, would you please let our clerk know? Otherwise, that's it—Mr. Tilson and then Mr. Van Kesteren.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Thank you.
As you know, when we were studying PIPEDA, the topic of notice came up quite a bit. We debated among ourselves and had witnesses. This was as a result of information that escaped from banks--either they thought it escaped and it didn't, or it did escape and ended up in some dump down in the States somewhere. I think Winners was another one. We were given the impression from different speakers that these sources of information didn't want it to get out that these things were happening, and they were going to deal with it.
The credit card companies themselves, Mr. Lawford, are going to cover you if someone takes something on your credit card and you can show that you didn't buy it. It probably justifies their 24% interest charge or whatever. The impression I got from most of the witnesses we heard was that these groups—the banks, the credit card companies, retailers themselves, lawyers—don't want people to know that the information got out or that they got ripped off. Accountants don't want to know that—it's bad for business—so they're going to do whatever they can.
Is this whole topic blown out of proportion? That's my question.
Counsel, Canadian Consumer Initiative
In the sense that businesses, like banks and credit card companies, make an effort to try to stop identity theft, that is true. On the other hand, as you said, they certainly don't have any interest in telling people when there's been a breach.
Would it be okay to just let it go? No, we don't think so, because the lost information can be used now in so many ways. Some of the ways are setting up new credit or defrauding people in other ways, people who aren't compensated. The credit card companies cover you to a $50 loss in the United States and sometimes down to zero here in Canada, but that's not true when someone uses your personal information to put a mortgage on your house. We had to pass an act in Ontario to cover that situation; a couple of people had their house stolen out from under them. That's a horrifying example.
We just don't know the knock-on effects. The immediate ones might be dealt with by the bank, but perhaps there are more for which consumers won't get redress at all. That's our concern.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
In connection with the mortgage fraud, there was a court case, I think, as well. I don't know which court it was, but somebody said to the banks—the mortgagee, whomever—“That's your problem.”
Then you start asking the question. Your presentation was very good, but with all of this information, with everybody who gets this information—everything from your mother's maiden name to your birth date to everything else—and someone commits a fraud on you, even though you've given out this information, is the onus on them to show...should they sustain the loss? I'm comparing it to the mortgagee situation. It may be impossible in many cases, particularly if they've stolen from your bank account, I suppose, but in many cases why should the consumer suffer, particularly when they're being asked to jump through hoops to provide all this information to people?
Executive Director, Canadian Internet Policy and Public Interest Clinic
That's exactly why we're recommending that we make it easier for consumers to, for example, engage in class actions against companies that have been so negligent that large numbers of consumers have suffered. We do need to take some legislative actions here to ensure that negligent organizations are held accountable. I don't think it's happening enough right now.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
You mentioned the issue of auditors going into companies and doing audits. Is that too intrusive?
Counsel, Canadian Consumer Initiative
The Privacy Commissioner of Canada has that power now. So I'm assuming that Parliament didn't think it was that intrusive to put it in at the time. But she has a requirement that she has to have reasonable grounds.
I think when something has come out in the media two or three or four times with one organization, that might be reasonable grounds. Certainly, if we were compiling statistics or there were some other indicators that were objective and factual that might lead to a certain trouble spot or a frequent flier, if you will, on a certain retailer or a certain financial institution, it might be worth an audit, if it's a real chronic problem.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
I know we don't want to talk about the Criminal Code too much, but you're both lawyers.
We haven't heard from you; it would be nice to hear from you.
But have you any thoughts on penalties? Anyone?
Executive Director, Canadian Internet Policy and Public Interest Clinic
I can just say that our research shows that the penalties are simply not high enough, and it's just a cost of doing business for the criminals.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Do you have more on that? Would you make a recommendation?
Executive Director, Canadian Internet Policy and Public Interest Clinic
We have published a working paper on case law, which I believe covers criminal law cases as well as civil law cases in this area. I don't have it with me right now with the details. We will be publishing a further one on the issue of enforcement of criminal laws affecting ID theft.
I can just say that our conclusion is that it's very clear and it's one of the problems the police face—and I hope you'll be hearing from them on this: what's the point of spending hundreds of thousands of dollars and hours of their time investigating these often very complicated white-collar crimes when, at the end of the day, they finally catch the guy, they're successful, they've done all their work, and the court just gives them a few months' sentence or a fine that is really just a cost of doing business?
Liberal
The Chair Liberal Tom Wappel
There may be some kind of an impression that we're not dealing with the criminal aspects of this, but as far as I know, that has not been a decided fact by this committee at this point, and in fact we're going to be hearing from the Department of Justice. So as part and parcel of our deliberations, we may decide to leave the criminal aspects or we may not, after we hear all the evidence. So I don't want people to think that we have somehow already predetermined that we're not going to be examining the criminal aspects of this. We may choose to do that, but we have not yet done so.
I have two people left: Mr. Van Kesteren and Madame Lavallée.
Mr. Van Kesteren.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Thank you, Mr. Chair.
I have just a few short questions. I wanted to just talk on what Mr. Martin was talking about.
The reason that was given for breach notification and the reluctance to adopt that type of a legislation or policy, or at least the main reason from the witnesses I heard, was that once we begin to do that, consumer apathy would grow and there would be a disinterest; every day you would be saying, “No, there's another one from Zellers, and this one's from the bank”, and after a while you just don't pay any attention.
What about that?
Counsel, Canadian Consumer Initiative
There's a risk of fatigue in that. However, I believe our recommendation to the Privacy Commissioner on that was that there be a description in the notice you get with a general indication of how serious it is. So hopefully there would be a number that were not so serious that would indicate, “I'm not so serious, we think this is not a big deal”, and others that would indicate, “Yes, this is quite serious, and perhaps you should take some action”. That's one way to approach it.
Another way to approach it, which we suggested to them, was that perhaps there should be a register of every breach. And then people can go through the registry at the end of the year and say, “Oh, actually, I did have an identity theft against me, and look, my company was on there three times”, but not necessarily get a notice unless the Privacy Commissioner, as the committee recommended, thought it was serious enough to recommend a notice go out.
Those are two ways to deal with it. Other than that, I guess we're just disturbed that if there are that many notices going out, isn't there really a huge problem?
