Mr. Chair and committee, thank you very much for having us attend today. My associate with me is Chantal Banfield, our legal counsel for TransUnion Canada.
A little about TransUnion, and then we'll talk about the issue of identity theft.
TransUnion, as a global leader in credit and information management, creates advantages for millions of people around the world by gathering, analyzing, and delivering information. For businesses, TransUnion helps improve efficiency, manage risk, reduce costs, and increase revenue by delivering comprehensive data and advanced analytics for decisioning. For consumers, we provide tools, resources, and education to help manage their credit health and achieve their financial goals. Through these offers, TransUnion is working to build a stronger economy worldwide, based in Toronto, with our global headquarters in Chicago.
TransUnion is regulated by consumer and privacy legislation. Our core business is consent based, and one needs to consent to obtain a credit file. We screen and audit process our members for prospective members and legitimate businesses. We process millions of pieces of data a month and update our database on a regular basis. We recognize the importance of safeguarding information, and we are pleased to announce we were the pioneers of fraud alerts in the early 1990s.
When you define the issue of ID theft, it really falls into three categories: a data breach or a compromise, the actual potential ID theft that happens as a result of that, and the fraud that occurs after that. Compromises or data breaches are when a hard drive is stolen, such as the student loan portfolio or theft that occurred at Revenue Canada.
We're aware of these compromises through consumers and through companies. One of the problems is that companies do not always report their compromises as recommended by the federal Privacy Commissioner in “Key Steps for Organizations in Responding to Privacy Breaches”.
When you look at the statistics as reported to TransUnion, there are a couple that stand out. The actual number of reported compromises in the last five years has decreased by 30%. What's alarming about that is the number of potential victims actually increased by 600%. Most would assume these data breaches happen at financial institutions, but contrary to that, that is not the case. The number of reported compromises is actually only 8% from financial institutions; 70% of the number of compromises come from the medical, service, or retail industry. If you look at other industries—government, insurance, and finance companies—the numbers are very small.
What are the implications? The implications are that the financial sector is acutely aware of the safeguarding obligations they have to their constituents. When these losses happen through breaches at financial sectors, they typically bear those costs. This is also driven in part by the OSFI requirements, no doubt.
TransUnion does servicing for many of these institutions. We are PCI compliant. We are in line with the ISO standards, and on a regular basis—