Information & Ethics Committee on Nov. 21st, 2024

Thank you, Mr. Chair.

Thank you for the opportunity to discuss the Canada Revenue Agency’s work regarding unauthorized access to taxpayer information.

First and foremost, it is absolutely essential to mention that protecting taxpayer information remains one of the highest priorities for the Government of Canada and the agency. We have zero tolerance for fraud in all of its forms.

Allow me to use this introduction to paint you a picture of the world we are currently living in. Unfortunately, the increase in fraud and identity theft is a global trend. All government institutions and private sector organizations around the world face these constant and persistent threats. No organization is immune to this phenomenon, not even Government of Canada institutions. In fact, the Canadian Anti-Fraud Centre continues to warn Canadians about these ongoing threats. Within the agency, since 2020, there has been a significant increase of identity theft cases and unauthorized use of third-party taxpayer information following the announcement of COVID‑19 emergency benefits.

Later that year, the agency also saw a marked increase in external data breaches and cyber-threats. I want to reassure everyone that the agency has implemented a multi-layered security approach to counter these threats. First, the agency regularly monitors taxpayer accounts for suspicious activity to identify, prevent, and quickly address potential fraud and identity theft.

The agency has also implemented many tangible measures to make its systems more robust. These include multifactor authentication, the revocation of high-risk identifiers, the requirement to have an email registered in the agency’s My Account portal, CAPTCHA tests, which ensure that the agency is dealing with a human, not a robot, and increased penetration testing of its computer systems. To combat fraud, the agency also combines advanced data analytics with intelligence gathered from a variety of sources, including law enforcement and financial institutions.

In addition, the agency continues to collaborate with domestic and international partners to develop and update its strategy, and prevent these violations from continuing. To this end, the agency maintains regular communication with the Office of the Privacy Commissioner of Canada on various subjects. These communications include privacy breach management, privacy investigations, and new or amended initiatives that involve the use of personal information.

Internationally, the agency is a member of the joint chiefs of global tax enforcement, known as the J5. This organization brings together five countries, including Canada, which conduct coordinated operations to apprehend fraudsters who commit cross-border tax crimes.

In addition, the agency has dedicated teams to address issues related to fraud, whether it be privacy breaches, identity theft or tax schemes of all kinds. In recent years, the agency has also increased the resources dedicated to combatting fraud of all kinds.

Finally, I can assure you that the agency continues to invest tirelessly in security while improving its technologies, processes and controls.

I'll conclude by telling you that the Government of Canada and the agency take the fairness and integrity of Canada's tax system very seriously. Canada's self-assessment system is based on the trust of individuals and businesses in the agency. Everyone here is doing everything in their power to keep that trust at a high level.

Thank you, Mr. Chair.

Thank you, Minister.

For the benefit of other committee members, I've asked Mr. Hamilton to make his declaration in the second hour, so that we can maximize the time we have with the minister.

Minister and Mr. Hamilton, as you know, members have short periods of time to ask questions. Please don't take any offence if they want to reclaim their time and ask another question.

Mr. Chambers, you have six minutes. Go ahead, sir.

Thank you very much, Mr. Chair.

Thank you for coming. I believe it's our first time at committee together.

When were you first made aware of the privacy breach that was reported by the CBC just a couple of weeks ago?

As you know, I can't speak of any specific occurrence.

However, I can tell you that as soon as I took up my post at the Canada Revenue Agency in July, I was given a comprehensive briefing on all potential fraud situations and the cases being examined. I am also notified of any situation that requires special attention.

You were informed of fraud when you arrived at the CRA, or when you received your first briefing. Is that correct?

I was given a general briefing on background and the possible problems.

I appreciate that, but as it relates to the specific privacy breach that was reported in connection with H&R Block, when were you made aware of those cases?

Mr. Chambers, I'm sure you're well aware that, under section 241 of the Income Tax Act, I can't talk about a specific case, whether this one or any other. I can't answer that question.

Minister, I'm very familiar with section 241. We are not talking about a particular taxpayer at the moment. We're asking when you were made aware.

There is a briefing note, a memo, that has the following in it: “Consensus is that these gaps pose major risks to the agency. While there are [internal] funding and [human] resource considerations, all agree that visibility is needed”.

Do you recall receiving that memo?

I get quite a lot of memos. I am briefed, whether verbally or in writing, on a regular basis. It wouldn't surprise me.

Perhaps the commissioner might be able to shed some light.

Do you recall the memo that I'm referring to? This was reported by the CBC.

I have very limited time, Commissioner. I appreciate it.

Minister, your testimony is that you cannot tell Canadians when you learned of a serious privacy breach that was reported in the news.

I am quickly notified when the agency detects a potential fraud case.

It would be fair to say that, if you were rapidly informed, when the breach occurred you likely would have been informed shortly thereafter. Is that correct?

Absolutely. When there is a privacy breach of any significance, I am quickly notified.

Wonderful.

Why was that breach not reported to the public, as a material breach, when you learned of it, shortly after it occurred?

The way we operate at the agency is as follows: As soon as we suspect that identity theft has occurred, we block the account and then we communicate directly with the individual, individuals or company concerned.

Only in cases where the issue is more widespread, such as during the COVID‑19 pandemic, do we alert the public. However, the individual or individuals involved were immediately notified.

There are thousands of taxpayers affected, though. If this breach occurred outside of government, there are obligations for those organizations to inform the public. Why is it that this breach was not publicized? Worse, why was it withheld from the Privacy Commissioner until after the deadline passed for him to include it in his report in 2024?

As the Auditor General of Canada's 2022 report shows, we had begun disclosing, and passing on, the information. You're talking today about 31,000 accounts that were affected by identity theft, but that happened over a number of years. If you go back to the Auditor General's report from 2022, it's clear that 23,000 cases had already been made public.

If the process at CRA works really well and the minister is informed relatively shortly after—you're made aware of privacy breaches that happened over multiple years—it is reasonable to assume that you or your predecessor were made aware of these privacy breaches well before the March deadline that the Privacy Commissioner needs in order to include these privacy breaches in their annual report to Parliament. Why was it that these privacy breaches were reported to the Privacy Commissioner after the deadline, when your own testimony suggests that you would have been made aware of these privacy breaches well before the deadline to report these to the public?

I am quickly notified whenever there is any attempted identity theft, which must then be verified. That involves immediately notifying the individual or individuals of the problem and reporting it. As I said, we had already started reporting the situation, as per the Auditor General's 2022 report.

Minister, according to the Privacy Commissioner, there have been very few breaches at the CRA, because he was not made aware of them to include them in his report in 2024. The timeline just doesn't quite work for me at this moment, but I believe I've exceeded my time.

Thank you, Mr. Chambers.

Next, we're going to go to our friend from Châteauguay—Lacolle.

Ms. Shanahan, you have six minutes. Go ahead, please.