Information & Ethics Committee on May 27th, 2014

Thank you, Mr. Chair. Good morning, committee members.

My name is John Russo. I am vice-president, legal counsel, and chief privacy officer for Equifax Canada. To my left is our Canadian president, Ms. Carol Gray, and to my right is Ms. Tara Zecevic, vice-president of decision solutions and fraud.

We would like to start by thanking the committee for the opportunity to speak in support of your study of the growing problem of identity theft and its economic impact. We'd also like to congratulate the government for taking such a positive and proactive step to help stem the growth of identity-related crimes in Canada. Canadians truly benefit from coordinated strategies that involve government, law enforcement, industry, and consumers, and this committee is an excellent example of that. Our approach to identity theft is not about individuals stealing from others. It's about broader, deeper ways of taking advantage of a vulnerable system, which are organized, focused, and definitely global in nature.

Think about that for a moment. Think about the ramifications.

With that in mind, we have three key thoughts we'd like to address before the committee.

First, with the rising number of data breaches, the increased use of electronic delivery channels and networks, and the influence of social media in our society, at Equifax we have seen identity-related crimes increasing steadily since 1998. In fact, the number of Canadian identity theft victims increased 14% in 2013, according to the Canadian Anti-Fraud Centre. Another pertinent example we'd like to highlight today is that we estimate today that synthetic or fictitious identity fraud schemes cost Canadians potentially $1 billion a year in losses. They are real numbers based on carefully calculated cost analysis.

Second, we would like to address the types of identity theft—real and synthetic—impacting both businesses and consumers. Finally, we'd like to point out why Canadian consumers and business should be concerned, and what steps they can take to prevent future financial losses and other hardships associated with identity theft.

Before an identity-related crime can be perpetrated, the theft of personal information needs to occur to set up and prepare for the crime. At Equifax we have noticed a substantial increase in the amount of personal information lost by or stolen from a variety of sources, such as rogue or careless employees and other unauthorized access at various institutions ranging from retailers, health care providers, financial institutions, and even, unfortunately, government. Also, keep in mind the increased identity thefts stemming from data breaches. For example, at our bureau, over the past 18 months, we have protected more than 1.5 million Canadian credit files with credit alerts or credit monitoring as a direct result of data breaches, and these numbers are steadily on the rise.

Recent statistics prove that the bulk of these threats to personal information are through malicious or criminal attacks on an organization's database. Data breaches are truly becoming a treasure trove for fraudsters. Key findings published in a recent Ponemon Institute study include the following. Forty-two per cent of incidents involved a malicious or criminal attack. Similarly, data breaches due to malicious attacks cost companies in North America approximately $246 per compromised record, significantly above the mean of $200. Finally, more consumers terminated their relationship with the company that had the breach; the average abnormal churn rate increased by 15% between 2013 and 2014.

When it comes to ID theft prevention, Canadian businesses have taken a number of steps to mitigate the effects of the crime, but the electronic transfer of personal information is critical when processing financial transactions, and there are only so many steps industry can take. Indeed, thousands of personal credit reports are electronically transmitted every day, which are acquired, secured, and used lawfully by our members. Furthermore, thousands of credit applications are also processed daily ranging from bank loans to car financing.

Yet, there have been numerous cases where rogue employees, or “foot soldiers” as we call them, will take credit application information from their place of employment, and much like any trafficker, sell the personal information on those applications to organized crime.

In many of those ID theft investigations, police services report that stolen personal information is frequently found during traffic stops and other lawful searches. Simply put, there is little to no legitimate reason for anyone to possess piles of consumer credit applications, financial information, or other identity-related documentation.

l'd like to provide a little more information on identity theft statistics and trends in Canada. Since 1998, Equifax has been documenting the exponential growth in identity-related crimes. Between 1998 and 2003, Canada experienced a 500% growth in identity theft reports, where applications were submitted and damage was incurred to a legitimate Canadian consumer. From 2004 to 2005, the growth rate levelled. In 2008, the numbers climbed back up to the highs of 2003 and fictitious, also known as synthetic, identity crimes started to blossom.

What are synthetic identity crimes? Synthetic, or fictitious, identity crime occurs when information is either stolen—where components of that information are used to create a non-existent person—or information about an identity is simply made up. The perpetrator often does this by taking the personal information, such as a SIN, of someone who is deceased or not yet part of the credit granting system, like a child, to build a non-existent identity. The perpetrator then monitors progress of the fictitious identity, by pulling credit reports and conducting hundreds of thousands of dollars in financial transactions, before abandoning the identity of the synthetic person they originally created and disappearing without a trace. More concerning is the fact that we commonly see tens, or even hundreds, of fictitious identities operated by the same group at the same time. Organized crime plays a big role in this, with the proceeds of these crimes being used to finance a wider range of other global activities, possibly even terrorism.

Recently, l participated in a CBC investigative report on synthetic identity, following Project Mouse by the Toronto Police Service. To some, this may seem like a faceless, victimless crime, but the consequences are chilling. Fake names on real credit cards, real driver licences, and real passports pose a real threat to national, if not our global security. I encourage you to watch this report by Rick MacInnes-Rae on CBC's The National.

Without question, fictitious identity creation is on the rise, and tens of millions of dollars are being siphoned by organized criminals each year. Correspondingly, Equifax sees, on average, 1,300 fictitious consumer files being created monthly from across the country by fraudsters and other organized criminals. The fact of the matter is that criminals will not stop evolving, and our laws, our security, and our prevention tactics must change with them. Thieves are stealing real IDs or building upon fictitious identities as we speak, and this problem isn't going away without a confluence of legislation, law enforcement, and solutions from organizations like Equifax. It's what we estimate to be a multi-billion dollar business in Canada.

The financial services and credit industries continue to do their part for victims of identity-related crimes by investing millions of dollars each year to detect identity fraud as quickly as possible. Identity-related crimes have grown to a level that affects all Canadians, either directly or indirectly. Unlike 15 years ago, I am hard-pressed to find a person today who hasn't been a victim of an identity crime, had a debit or credit card skimmed, worked with an employee who was terminated for dishonest behaviour, or had credit or other applications submitted using that person's identity. I'm sure many of them are your constituents.

Finally, combatting identity-related crime is a battle that transcends politics. It starts with education and awareness from each individual consumer and every household in Canada, especially, in light of recent data breach incidents, where it is not only individuals losing information, but corporations being hacked or maliciously attacked for your sensitive information; your confidential and personal information.

Hacktivism is on the rise. According to a recent study by ABI Research, hacktivism now represents 47% of all activity around various cyber-threat groups. These hacktivist activities may not seem connected on the surface, but the release of any personal information that can later be used to gather a synthetic or real identity has a real impact on consumers. The term “data breach” has become a household term.

A recent North American study by Javelin Strategy and Research reports that one in every three consumers affected by a breach becomes a true victim of identity theft. This is up from nearly one in four, in 2012. Consumers and businesses should be concerned.

What steps can they take to prevent or at least detect theft and mitigate future damages?

First off, we advise consumers to check their credit file at least once every quarter to spot any abnormalities or possible fraud on their file. Our consumer slogan at Equifax is “check to protect”. You can do so for free, 365 days per year, at any one of the Canadian credit bureaus.

Second, if you are a victim of a data breach incident, ask the organization, at their expense, of course, to provide you with credit monitoring services for at least the next 12 months. From our experience, 12 months is the time period that most identity theft crimes are committed.

Finally, be vigilant on what information you are providing to institutions. Do they really need your SIN or date of birth to conduct a simple retail or rental transaction?

Mr. Chair and committee members, on behalf of Equifax, we commend you for helping to address the growing problem of identity-related crimes in Canada, and for inviting us to speak on these very timely and critical issues.

Thank you.

Mr. Chair and members of the committee, thank you for having us,

I'd also like to recognize my associate, Bob Groves, who may advise me as we progress here, depending on your questions. I'd like to take a little different approach here today as both my colleagues at Equifax and TransUnion will focus on the macro level. I'd like to focus on a group that I think are particularly vulnerable and that would be first nations communities.

I'll give you a little background on Forrest Green. We're well versed in supporting public sector organizations. We have secret clearance. We've worked with the Assembly of First Nations and with AANDC.

Our position is that first nations communities are one of the most vulnerable to fraud and financial abuse. We submit that a lack of credit bureau data means they're more susceptible to fraud. In many cases, they don't understand the concept of how credit bureaus function. They rarely check their credit reports, and as a result, individuals I've spoken with are keenly monitored; they get a call from a collection agency....

A member of Parliament called me on Friday indicating they believed they were a victim of identity theft. They knew almost immediately because of the processes that take place. Individuals on reserve are difficult to find, and they rarely reach out and connect with credit bureaus.

On the next page I've provided some insight into a format. It's not a real credit report, and I would submit we were extremely generous when we indicated that less than 5% of first nations have viewed their personal credit report. I would submit that it's closer to 1%. Out of curiosity, can anyone on the committee who has viewed their credit report in the last year put up their hand? Okay, that's impressive. We see that close to half the members here have not viewed it, so imagine remote communities. I think they're particularly vulnerable in that regard.

We implement solutions for online authentication and we work with police services. The next page shows a screen print from the Hamilton Police Service. To avoid having to come in and show photo ID, we have a solution whereby we leverage credit bureau data to authenticate a person, so it's an anti-fraud solution. What's interesting is that when we're dealing with aboriginal communities in remote areas, many of them are low income and the challenge is that the people in remote communities should be the ones who are provided access to online services so they don't have to fly in or drive hundreds of kilometres to show photo ID. Ironically, because they don't have credit bureaus they are the ones who are forced to do these kinds of activities. I think it's important we understand that the ramifications of leveraging credit bureau data are quite profound.

The issue of identity verification is also interesting in the sense that when people are applying for low-wage jobs particularly, credit bureau data is often also used in employment searches and analytics. There's a certain irony that the people who are most vulnerable and who most require access to jobs could be discriminated against because they have poor credit ratings. I realize that's somewhat tangential, but I think there are some interesting relationships with lack of data or poor data, fraud, identity theft, and vulnerability.

I wanted to make some interesting references here to the Standing Committee on Aboriginal Affairs and Northern Development. I think when you look at some of the statistics below, it demonstrates a propensity for aboriginal communities not to trust organizations that gather data; 80% of family allotments are done outside the Indian Act, and 50% of band leasing is unregistered. This demonstrates that aboriginal communities do not trust or have not bought into the concept of sharing data.

I think if there was one theme we could have when we finish this dialogue, it would be that education needs to play a key role in what we're going to do to solve this. We need to talk and we can't just rely on leaders today. They haven't been educated. They can't tell their children how to formulate a good credit report because no one's told them, no one's educated them.

The last page is just further evidence supporting access to information and the challenges of not having identities, not having photo ID, not having credit bureau data. Not only does it lead to fraud, there was an interesting, a sad story, quite frankly, of a lady who had received a settlement for residential schools, had difficulty opening a bank account, cashed the cheque, brought the money home, and was robbed and murdered on reserve.

I think this demonstrates there is a vulnerability of these people, and we need to start examining some of the root causes. I don't think we should forget on this fraud issue that with a lack of documentation—this is my humble opinion—I think they are more vulnerable to fraud than people who can catch it within a week, as many Canadians do. Now, my colleagues here may debate that, in fact, it's much more rampant and difficult, but the people I know who are experiencing fraud are reacting very quickly.

Thank you very much for your time.

Mr. Chair and committee, thank you very much for having us attend today. My associate with me is Chantal Banfield, our legal counsel for TransUnion Canada.

A little about TransUnion, and then we'll talk about the issue of identity theft.

TransUnion, as a global leader in credit and information management, creates advantages for millions of people around the world by gathering, analyzing, and delivering information. For businesses, TransUnion helps improve efficiency, manage risk, reduce costs, and increase revenue by delivering comprehensive data and advanced analytics for decisioning. For consumers, we provide tools, resources, and education to help manage their credit health and achieve their financial goals. Through these offers, TransUnion is working to build a stronger economy worldwide, based in Toronto, with our global headquarters in Chicago.

TransUnion is regulated by consumer and privacy legislation. Our core business is consent based, and one needs to consent to obtain a credit file. We screen and audit process our members for prospective members and legitimate businesses. We process millions of pieces of data a month and update our database on a regular basis. We recognize the importance of safeguarding information, and we are pleased to announce we were the pioneers of fraud alerts in the early 1990s.

When you define the issue of ID theft, it really falls into three categories: a data breach or a compromise, the actual potential ID theft that happens as a result of that, and the fraud that occurs after that. Compromises or data breaches are when a hard drive is stolen, such as the student loan portfolio or theft that occurred at Revenue Canada.

We're aware of these compromises through consumers and through companies. One of the problems is that companies do not always report their compromises as recommended by the federal Privacy Commissioner in “Key Steps for Organizations in Responding to Privacy Breaches”.

When you look at the statistics as reported to TransUnion, there are a couple that stand out. The actual number of reported compromises in the last five years has decreased by 30%. What's alarming about that is the number of potential victims actually increased by 600%. Most would assume these data breaches happen at financial institutions, but contrary to that, that is not the case. The number of reported compromises is actually only 8% from financial institutions; 70% of the number of compromises come from the medical, service, or retail industry. If you look at other industries—government, insurance, and finance companies—the numbers are very small.

What are the implications? The implications are that the financial sector is acutely aware of the safeguarding obligations they have to their constituents. When these losses happen through breaches at financial sectors, they typically bear those costs. This is also driven in part by the OSFI requirements, no doubt.

TransUnion does servicing for many of these institutions. We are PCI compliant. We are in line with the ISO standards, and on a regular basis—

Certainly. Do you want me to just continue from this point?

We are in line with the ISO standards, and on a regular basis, audit under SSAE 16 requirements.

Our data would seem to point to the lack of awareness in industries outside the financial sector and show that there's more need for education in this area, not only in the obligations emanating from a breach but also in awareness around security protocols to prevent a breach.

Awareness by breach notification where warranted will be useful. TransUnion is supportive of the efforts of the government on the part of Bill S-4. While we do not want to inundate customers with notifications, where there is a material risk of harm, there are benefits to customers receiving notification.

Here are some stats on impacts for consumers and TransUnion. The number of potential victims has increased by 600% in the last five years. The number of confirmed fraud victims is up by 100%. Many of these consumers report these frauds to the Canadian Anti-Fraud Centre—PhoneBusters—and while there has been a 300% increase in the number of fraud alerts placed, we still have work to do.

These compromises have a short-term impact on TransUnion and Equifax, increasing call volumes to our centre and requests for alerts to consumer disclosures. We've invested in technology to make that process as effective as possible and to help contribute to that 300% increase in the number of fraud alerts placed on consumer bureaus. What we're doing is helping to reduce the numbers of frauds, and we're pleased that it's not increasing at the same rate of potential victims.

Who pays? The cost is borne entirely by the consumer unless the companies or government bodies that have caused the compromise are willing to step up and pay for the damages that are created. We believe that the burden and those costs should be borne by the companies that compromise the information of the consumer. Not all companies take on this responsibility and agree to pay for these solutions to reduce potential harm to the consumer in mitigating risk.

What should be done? First is notification to the Privacy Commissioner. TransUnion is supportive of the amendments under PIPEDA in this regard in Bill S-4. Where a loss of sensitive financial data has been confirmed, both bureaus should be informed. Where a loss of sensitive financial data has been confirmed, fraud alerts should be placed on both bureaus—at a minimum—to reduce the likelihood of ID theft. As an example, we serve our clients differently, and if a breach has occurred and somebody notifies Equifax, that fraud could still be committed if they go to a financial institution that is serviced primarily through TransUnion. In many cases, both bureaus should be notified.

With respect to synthetic identity, my colleague John Russo talked about synthetic identity and its impact on the Canadian market. In defining the issue, it really is about recreating an identity to commit fraud. In the synthetic fraud, there is no one to complain. There is no constituent to talk to. It is a cost that is borne by many indirectly. In regard to public security, CBC has reported on a few stories, and John referred to the billion dollars in losses that Canadians absorb through different fees and costs. Every consumer pays for synthetic fraud.

How do we work towards a solution? We work with police authorities to report such suspected activities. We take this information, put it into our fraud database, and report it to financial institutions.

The prevention of these crimes requires better technology to ensure that identity cards are not easily replicated and that they cannot be authenticated. If we really want to attack this issue, it also requires the sharing of information between government agencies and the financial sector. The lack of sharing creates silos, and fraudsters take advantage of that.

Today, there's no automated method whereby the private sector can get confirmation as to whether or not a particular piece of ID has been issued by the government or whether that actual ID belongs to the individual who claims it's theirs. TransUnion and Equifax can help by being the conduit to financial institutions, as we already provide, for example, identity verification for AML or KYC. Both of these have been noted in the RCMP paper, the “National Identity Crime Strategy”.

In closing, TransUnion is supportive of the initiative to crack down on identity theft by, first, reporting of breaches through Bill S-4 and notification to both bureaus where a data breach of sensitive financial information has been confirmed, and second, ensuring that companies responsible for the breaches bear the burden and the cost for data breaches, not consumers. Third, on the lack of education and awareness outside of the financial sector in the area of data security and safeguarding, TransUnion is supportive of the data breach notification where circumstances warrant as a key to raising that awareness. Fourth, we are also supportive of a focus on and attention given to synthetic identification, allowing for the sharing of information from government to financial institutions for fraud and ID theft prevention, and investing in security measures for identification cards that are relied upon by the private sector for AML purposes and fraud prevention.

Mr. Chair and committee, thank you very much for having us here today.

In Canada, since the birth of credit agencies, the law requires us to have offices in certain provinces. Thus we have an infrastructure that allows a consumer in Nova Scotia, for example, to go to a TransUnion Canada office to get a credit report. Because of these legal requirements, we must have an infrastructure that supports the offices we need to have in various places in Canada.

Furthermore, as Mr. Skinner stated, we are investing in telephone technologies such as interactive voice response systems. For example, people will no longer need to send proof of identity through the mail, they could simply go through an authentication process over the phone and receive their credit file through the mail.

You have the example of the United States. In 2005 or 2006, the Fair and Accurate Credit Transactions Act was passed. Under its provisions, American consumers have the right to consult their credit file once a year and the selected means is online access.

For our part, we already have an infrastructure that we need to support since the beginning of the 1990s, when these laws were adopted in most provinces. Things have evolved slightly differently here.

Yes, I'll respond. I'll just add a few nuances to Ms. Banfield's message.

First, in Canada, at Equifax you can receive that via a walk-in centre, as Ms. Banfield noted. You can also receive your credit report over the phone in a couple of days, again with the IVR process, as well as over the Internet for a small charge.

As Ms. Banfield noted, in the U.S. it's one file per year per individual. After that you have to pay. Here you can access your file every day, 365 days a year, and the infrastructure we built accommodates that, the mail-in requests and everything. We bear those charges in terms of the letters, envelopes, and stamps that have to go to these individuals as part of the verification process and the security processes that go into place to make sure that we're sending the right credit file to the right person.

I won't reiterate what Ms. Banfield said. She gave you a brief history of the legislation.

Thank you.

That's an excellent question. We discussed this about 10 years ago when the legislation was coming out in Ontario with regard to Ontario's Bill 152, where you could put an alert on your file to say, “Please contact Ms. Carol Gray before granting credit.” She could provide her cellphone number so you could access her right away to make sure you were dealing with the right individual.

Why the Province of Ontario at that time shied away from it was because consumers wanted real-time authentication. They want real-time access to credit. Let's say you have a credit freeze on your file and you have an emergency, let's say a car accident, and you have to pay certain charges to fix your car, or you have another unfortunate situation where you need access to funds, access to credit. That freeze would totally put you out of the game in terms of accessing that credit in a real-time fashion. It would slow down the whole access to funds, especially in emergency situations.

You see in the U.S. that some of the states have shied away from that and are actually moving away from the credit freeze concept.

If I could add, I think there are multiple approaches to the solution and there's unfortunately no one-size-fits-all or silver bullet. So in addition to what John was saying, there are real-time monitoring services that don't inhibit the consumer from getting access to credit, but would alert them in a real-time environment should their consumer report be accessed without their knowledge and they could take immediate action.

Pardon me. I wasn't sure if you said Russo or Rowe.

Sorry. Could we go back a little bit there? I was trying to follow.

I don't have the exact statistics because while we track the number of inquiries or consumers who ask for it, some of them could be duplicates over the course of a year. I would say it's very safe to say 25% to 30%. At the high end it would be 30% of consumers over the course of a year, so there's a lot of room for improvement.

That would vary dramatically by demographic. Elderly people would tend to access it less frequently than younger people who are establishing credit.