Good morning.
My involvement with the subject of identity theft started in 2005 with a research project that involved four universities and subject matter experts from the financial sector. My group was assigned the task of defining and measuring identity theft. On the measuring side we did a comprehensive survey of Canadian consumers in 2008, but that data is really too old to have much value now, so I'm going to concentrate on the definition problem and then discuss some of the difficulties in measuring identity theft. I hope that can help provide some guidance for your study.
To come up with definitions, we started by trying to organize some of the activities that came up frequently when we were discussing identity theft. I had a diagram. I don't know if you've been given copies of it, but basically at the beginning we had a number of activities that described different ways that identity information can be collected. In the middle we had a number of activities that were involved in the development of a false identity, things like counterfeiting documents and document breeding. Then at the bottom we had crimes that are enabled by a false identity.
We were just looking for working definitions that our various research groups could agree on. In a series of workshops, we decided that identity theft should include all the illegal ways of collecting information and all the activities in that development of a false identity. These are preliminary activities to a fraud.
We said that ID fraud should include all the crimes where the use of a false identity was integral to the crime. In other words, you might want to use a false identity if you're smuggling drugs, because that would be useful if you get caught, but you can still smuggle drugs without using a false identity, so we said that's not identity fraud.
I won't go through our formal definitions, but we were quite pleasantly surprised that our definitions ended up to be very similar to those that the federal government's Department of Justice came up with as they prepared the ID theft legislation introduced in 2009.
A key point from all of this is that identity theft and identity fraud are two different problems. Identity theft is a problem of personal and agency guardianship, that is, keeping personal information secure. Identity fraud is a problem of authentication, or being able to determine that the person who is presenting identification is really who they say they are.
Why is this distinction important? You can have one without the other, and vice versa. The thief and the fraudster are usually different people. In general, identity thieves steal identity information and sell it to identity fraudsters. We notice that cases of identity theft—data breaches, etc.—are rarely linked to cases of identity fraud, because there's this middle area that the information goes through.
Primarily, it helps us to focus on the interest and responsibilities of the stakeholders. So, as an identity owner, I can help prevent some identity theft. I can keep personal items that contain identity information secure and not give out personal information unnecessarily. I really have no ability at all to prevent identity fraud. Once my information has been compromised, the only thing I can do is help detect it and report it as soon as possible.
But as an active participant in life today, I really have no choice but to give personal information to all kinds of organizations. These organizations have roles in preventing both identity theft and identity fraud. They can prevent identity theft by keeping any of my information they possess secure. They can prevent identity fraud by ensuring they have proper authentication processes in place whenever identification is issued or is checked.
Organizations are also responsible for detecting both identity theft, when information has been compromised, and identity fraud when these processes have failed and fraud has occurred.
Even within an organization, if you try to interview an organization about identity theft and fraud, the responsibilities for those two problems lie in different areas of the organization. Who is responsible for the guardianship problem? It's generally the security department when we're talking about physical security, and it's the IT department when we're talking about systems security. Who is responsible for the authentication problem? That's anyone who's involved in designing, or managing, or even conducting all the business processes around all kinds of transactions.
On the topic of measuring identity theft and fraud, there are lots of challenges. The very first comes back to this whole problem of defining. A 2006 Ipsos Reid survey found that 29% of Canadians agreed with this statement: “I hear a lot about identity theft, but I don't know what it means.” So if you want to do a survey to find out the extent of identity fraud, you can't just ask respondents if they have been a victim. Many surveys do this, but you really can't interpret anything valuable from these results. In our survey, we gave very specific examples of the various types of identity fraud that we were interested in.
Besides doing surveys, you can look at reports of identity theft to such organizations as the Canadian Anti-Fraud Centre, but the second problem is a general lack of reporting. Credit card fraud and debit card fraud are investigated and handled internally by the credit card companies and the banks. Only a small proportion of those cases are ever referred to police. A Statistics Canada survey on fraud in retail businesses showed that between 40% and 50% of cases were never reported to police. Less than 40% of individual victims ever report to police.
Why does this happen? In general, businesses are afraid of negative publicity. People are embarrassed that they fell for a scam or that they didn't protect their information. I think both often believe that police can't do anything, and they're right, in many cases.
In terms of costs—I gather it's part of your mandate to look at that—the costs of identity theft are many, and they are borne by individuals, by organizations, and by society. Individual victims are not held responsible for financial losses once it's established that a fraud has occurred, but they often have significant costs getting to that point in terms of time and a lot of frustration and anxiety.
Organizations bear most of the monetary losses associated with ID theft and fraud. There are two problems associated with that. First, organizations are very reluctant to tell anybody what these costs are. Secondly, the costs alone don't provide strong incentives to prevent identity theft and fraud.
When an organization has losses associated with identity fraud, those losses are simply passed on to consumers in the form of higher prices, fees, or rates. As well, in Canada the lack of breach notification requirements means that Canadian organizations do not necessarily even suffer from reputational damage. I understand that the proposed digital privacy act will be taking some steps in that direction, and that's a good thing.
There are also general costs to society in the form of a chilling effect. Different studies, including ours, show that between 20% and 40% of consumers say they have adjusted their online behaviours because of a fear of identity theft. This means that Canadian businesses are not benefiting from all of the advantages that electronic commerce should be bringing.
There are two things I would like to see addressed in your study.
First, I would like to see greater responsiveness to consumers by the credit reporting agencies. As I've said, the one thing that individuals can do is help detect frauds, but if we want them to take these steps, they need greater access to and greater control over their credit files. Credit reporting agencies have to provide a free copy of your credit report each year, but they make this as difficult as possible. To get a free copy, you have to fill out a form, copy a multitude of documents, send it all off in the mail, and wait a couple of week for them to mail you back a report. They provide online service. Online service is more secure, and it has to be less expensive to provide, but they'll charge you $24 for that.
As well, both of the credit reporting agencies offer ID theft protection products for $15 to $17 a month. By offering these products, they are profiting from the problem, which provides little incentive for them to reduce or eliminate the threats.
Finally, it's very difficult to manage something if you aren't measuring it. We need regular, periodic data collection in order to identify trends and to design effective educational initiatives and effective policy. Since there isn't one single measure for identity theft and fraud, we believe the real need is for an identity theft and fraud index that would work like a consumer price index or purchasing activity index. This index would bring in information from regular surveys of consumers, surveys of businesses, as well as reports from law enforcement, from credit reporting agencies, from privacy commissioners, victim services, and any other groups.
Thank you for your attention, I hope that's helpful.