We are in line with the ISO standards, and on a regular basis, audit under SSAE 16 requirements.
Our data would seem to point to the lack of awareness in industries outside the financial sector and show that there's more need for education in this area, not only in the obligations emanating from a breach but also in awareness around security protocols to prevent a breach.
Awareness by breach notification where warranted will be useful. TransUnion is supportive of the efforts of the government on the part of Bill S-4. While we do not want to inundate customers with notifications, where there is a material risk of harm, there are benefits to customers receiving notification.
Here are some stats on impacts for consumers and TransUnion. The number of potential victims has increased by 600% in the last five years. The number of confirmed fraud victims is up by 100%. Many of these consumers report these frauds to the Canadian Anti-Fraud Centre—PhoneBusters—and while there has been a 300% increase in the number of fraud alerts placed, we still have work to do.
These compromises have a short-term impact on TransUnion and Equifax, increasing call volumes to our centre and requests for alerts to consumer disclosures. We've invested in technology to make that process as effective as possible and to help contribute to that 300% increase in the number of fraud alerts placed on consumer bureaus. What we're doing is helping to reduce the numbers of frauds, and we're pleased that it's not increasing at the same rate of potential victims.
Who pays? The cost is borne entirely by the consumer unless the companies or government bodies that have caused the compromise are willing to step up and pay for the damages that are created. We believe that the burden and those costs should be borne by the companies that compromise the information of the consumer. Not all companies take on this responsibility and agree to pay for these solutions to reduce potential harm to the consumer in mitigating risk.
What should be done? First is notification to the Privacy Commissioner. TransUnion is supportive of the amendments under PIPEDA in this regard in Bill S-4. Where a loss of sensitive financial data has been confirmed, both bureaus should be informed. Where a loss of sensitive financial data has been confirmed, fraud alerts should be placed on both bureaus—at a minimum—to reduce the likelihood of ID theft. As an example, we serve our clients differently, and if a breach has occurred and somebody notifies Equifax, that fraud could still be committed if they go to a financial institution that is serviced primarily through TransUnion. In many cases, both bureaus should be notified.
With respect to synthetic identity, my colleague John Russo talked about synthetic identity and its impact on the Canadian market. In defining the issue, it really is about recreating an identity to commit fraud. In the synthetic fraud, there is no one to complain. There is no constituent to talk to. It is a cost that is borne by many indirectly. In regard to public security, CBC has reported on a few stories, and John referred to the billion dollars in losses that Canadians absorb through different fees and costs. Every consumer pays for synthetic fraud.
How do we work towards a solution? We work with police authorities to report such suspected activities. We take this information, put it into our fraud database, and report it to financial institutions.
The prevention of these crimes requires better technology to ensure that identity cards are not easily replicated and that they cannot be authenticated. If we really want to attack this issue, it also requires the sharing of information between government agencies and the financial sector. The lack of sharing creates silos, and fraudsters take advantage of that.
Today, there's no automated method whereby the private sector can get confirmation as to whether or not a particular piece of ID has been issued by the government or whether that actual ID belongs to the individual who claims it's theirs. TransUnion and Equifax can help by being the conduit to financial institutions, as we already provide, for example, identity verification for AML or KYC. Both of these have been noted in the RCMP paper, the “National Identity Crime Strategy”.
In closing, TransUnion is supportive of the initiative to crack down on identity theft by, first, reporting of breaches through Bill S-4 and notification to both bureaus where a data breach of sensitive financial information has been confirmed, and second, ensuring that companies responsible for the breaches bear the burden and the cost for data breaches, not consumers. Third, on the lack of education and awareness outside of the financial sector in the area of data security and safeguarding, TransUnion is supportive of the data breach notification where circumstances warrant as a key to raising that awareness. Fourth, we are also supportive of a focus on and attention given to synthetic identification, allowing for the sharing of information from government to financial institutions for fraud and ID theft prevention, and investing in security measures for identification cards that are relied upon by the private sector for AML purposes and fraud prevention.
Mr. Chair and committee, thank you very much for having us here today.