Thank you, Mr. Chair.
My question is for the Canada Revenue Agency representatives, and is about the measures taken in the event of privacy violations.
Recently, a USB key or a laptop—I can't remember which—was left in a bus. Malicious people got access to CRA data. The vulnerability that made this possible is called Heartbleed.
In another incident, the CBC made an access to information request, and was given a file mistakenly in response. So the CBC ended up with very sensitive information, and, naturally, it reported on all that information.
I'd like to know exactly what measures are being taken in this regard. Earlier, there was talk of possible damages, but you don't seem to be envisaging them for the moment, since they're not mandatory. What do you do to inform and reassure taxpayers in such cases? Do you take measures to attenuate the repercussions for the victims of these privacy breaches, such as ensuring that their credit score remains good? When the data falls into the wrong hands, what do you do? How do you react?