Evidence of meeting #142 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Marina Mandal  Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
Della Shea  Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
Angelina Mason  General Counsel and Vice-President, Canadian Bankers Association

3:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

As we've seen in the public service with the Phoenix pay system, one problem is that when governments approach a vendor, the vendor provides a suggested product and the purchaser, the procurer, decides to eliminate some of the recommended security safety aspects, and we then see the disaster that we have today. We see the same thing with the Boeing 737 and the safety additions that required extra payment, extra training and so forth.

How do you overcome this in private sector partnerships with government at all different levels? How do you ensure that government political decision-making doesn't interfere with success?

3:55 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

Everything is going to be a cost-benefit analysis. First of all, there's no such thing as absolute, perfect security. To achieve even close to perfect security will impact not only the financial aspect but also the utility of a service, so you have to really take a balanced approach.

Canada Health Infoway is an example I would urge the government to look to in terms of the way it established a process for vendors to present a solution for health care services. There is oversight and there is governance around the vendors who become certified through that process. That, then, would be a model the government could look to as a potential way of framing how you certify a vendor or a service provider to engage with government services.

Having minimum standards would be absolutely critical, in addition to having an assessment process to assess the various vendors wanting to become part of that ecosystem and then having ongoing monitoring. To speak to your example about airplanes, it is really about having oversight. It doesn't just happen once. It's no longer just about a project; it's now about a product and about a process and having a governance framework around it. Having it be ongoing is really critical.

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Not rushing to get a program into place before it's ready.

4 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

Absolutely.

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Ms. Mandal, what are your thoughts in this area?

4 p.m.

Conservative

The Chair Conservative Bob Zimmer

We're at time, but if you have a quick—

4 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Oh, I'm sorry. I'll come back.

4 p.m.

Conservative

The Chair Conservative Bob Zimmer

That's fine. I'm trying to be nice.

Next up, for seven minutes—

4 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I see a little bit extra. Don't I always say what a good chair you are?

I'm not going to challenge the chair today.

4 p.m.

Conservative

The Chair Conservative Bob Zimmer

Go ahead, Mr. Angus.

4 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you, Chair.

Thank you for this presentation.

I deal with fraud all the time now in my offices. As they started out, you'd have had to be very naive to fall for the 419 scams, but they have become increasingly sophisticated. I've been shocked at how many people—in fact, many people probably never come forward—have been victims of these scams.

The only way it seems that we're stopping them is literally when the bank teller says no. People transferring funds to relatives who are in jail someplace, people transferring money to someone they want to marry who doesn't exist, people transferring funds because they're afraid the CRA is going to arrest them—they are becoming increasingly sophisticated.

Their power comes from this. If you have one point of information on someone, it's a long shot; if you have two points, you're getting very good; if you have three points of information on someone, you're getting very dead-eye accurate. With AI, with the ability to glean stuff off the net, more and more of this fraud is going to take place. It seems to me, in the work that I do in my MP's office, that often the only thing that stops it is a bank teller saying, “I think you're a victim of fraud here.”

What mechanisms are there in the industry to start to deal with the growing sophistication of targeting people for fraud?

4 p.m.

Angelina Mason General Counsel and Vice-President, Canadian Bankers Association

I would say a significant part of it is education. We educate and let consumers know the risks out there. Also, it's a sharing of information to find technological ways to block certain types of communications.

With the recent launch of the Canadian Centre for Cyber Security, Scott Jones, who was recently at our cyber security summit, was chatting with us about ways in which we could from a technology perspective block those types of communications. It would require some sophisticated analyses and some sharing about how our systems work within industry, but we are very eager to participate in those types of discussions to see whether we can take even more proactive steps to address that concern.

4 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Last year, 90,000 Simplii Financial and BMO customers were affected by a breach of personal financial information. Customers reported that they received conflicting answers about the timing and the scope of the breach, which was worrying. Was that breach by a malevolent outside actor? What was the nature of the fraud that citizens were affected by?

4 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

I can't speak to the specifics of the breach. What I can say is that we have been leaders in the cyber security space. We have had an excellent record. It was a rare incident, and I can assure you that banks took measures to ensure that their customers were whole financially and to provide other assistance to them.

We always continue to fight the fight. We are always looking at ways to detect these breaches. It's a daily thing. We are constantly finding ways to address attacks. We continue to look at it from both the perspective of sharing of information and understanding what new types of attacks could be coming at us. We invest heavily in this space and we continue to make it a priority.

4:05 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I must confess, I don't keep my money in the bank. I'm in a caisse populaire, but I've been the victim of a few fraud instances, and I'm amazed when they contact me immediately and say that something happened on my card. That level of speed is very interesting.

Is that part of this whole move towards increasing the technological ability to intervene to stop fraud?

4:05 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

Yes. There are different layers. There are cybersecurity types of measures, which are really to address if someone's actually trying to get into our systems and get access to information. There are other types of compromises that can happen on fraud that aren't really cyber-related. Your credentials have been shared or your card has been compromised because they found out the numbers and the PIN.

In addition to addressing cyber, we do all sorts of monitoring so we can detect if there's unusual activity, identify different types of compromises and address them immediately.

4:05 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

RBC was named—I think it was in the New York Times—in one of the Facebook app issues. Because of their app, they were given preferred access, which gave them the ability to read private messages on Facebook. RBC said they never had that access. Facebook said they did. The Privacy Commissioner is investigating.

Does the Canadian Bankers Association look into these issues to be able to reassure customers that this kind of undue personal information is not being accessed by a bank?

4:05 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

We would not be part of that.

4:05 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

4:05 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

All right.

Part of our work here is about protecting the privacy rights of citizens and private data. I note that, I think, CIBC and RBC at least have noted in their privacy policies that data can be transferred, processed or stored outside of Canada. That raises questions for our committee in terms of trying to ensure the protection of financial data.

Do you have a policy on trying to ensure the data is kept in Canada, where at least with our privacy laws and national standards we would know that the private information will be kept private?

4:05 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

Having data outside Canada and internationally is common not just across the financial institutions, but across a full range of companies. The Privacy Commissioner has addressed this in guidance.

It's so commonplace that you deal with it in a variety of ways. First of all, our federal privacy legislation requires that if data is to be housed outside of Canada, it must, through contractual and other measures, be kept as secure as if it were in Canada. There's also a requirement to provide notice to consumers so they're aware of that.

4:05 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

In the U.S., does that data come under the Patriot Act?

4:05 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

If you're talking about the potential for that data to be accessed in a lawful manner, it could be accessed through it, but that would of course require a warrant approach.

4:05 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Yes, I've dealt with a number of citizens who were born in the U.S., and there was the whole tax issue in the United States, which was demanding that they pay taxes. We had citizens who had lived here for 40 or 50 years and were concerned. Are they made aware that their data may be held in the United States under the Patriot Act when they sign up for an account?

4:05 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

Yes, we provide disclosure where that data may be outside of Canada, and we explain the implications of that.