Evidence of meeting #140 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cases.
A recording is available from Parliament.
Commissioner of Revenue, Canada Revenue Agency
First, I'll just repeat that I won't be able to answer that question, because I don't know. We are very public with our writeoffs in the public accounts. That's where there are some numbers. As much as we can reveal is revealed there.
We can go back and look at those. Maybe I can find the number that you're looking for. We actually have some officials who may—
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Hamilton and Mr. Chambers.
Mr. Bains, you have five minutes. Go ahead.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
Thank you, Mr. Chair.
Thank you to the minister and our officials for joining us today.
Minister, in your opening remarks you talked about the fact that there's an international effort to combat tax fraud. Can you give us some more details about this, please? Are there partnerships internationally that allow you to re-collect funds that would have gone abroad?
Liberal
Marie-Claude Bibeau Liberal Compton—Stanstead, QC
Thank you. Yes, we are involved in a variety of partnerships.
One is the OECD Forum on Tax Administration, chaired by Commissioner Hamilton. The J5 is another such partnership, which we often talk about and which was in Ottawa about a month ago. The J5 brings together both public agencies—our counterparts in the five member countries—and financial institutions. In other words, it brings together both the public and private sectors.
There is also the international tax treaty network, which enables us to share information on specific cases—for example, on multinationals. There are international electronic funds transfers, for which we have information-sharing agreements with about 100 countries. In addition, we of course have a lot of tools that we share here in Canada.
Therefore, we are very active on the international stage to share information and track down tax evaders.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
Are you able to re-collect the funds that have gone abroad and that are fraudulently lost?
Liberal
Marie-Claude Bibeau Liberal Compton—Stanstead, QC
We already have agreements with certain countries that enable us to share information. I don't have any concrete examples I could use to illustrate how much money we've been able to recover.
Can you add to my answer, Commissioner?
Commissioner of Revenue, Canada Revenue Agency
We would have mechanisms in place not just to share information. If we have a dispute that arises about money that should have been paid in one jurisdiction or another but wasn't, we have methods of trying to resolve it. We work very closely with other countries to have those mutual agreement procedures to resolve disputes.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
Are we successful in those? Have we successfully recovered funds? Has that happened?
Liberal
Marie-Claude Bibeau Liberal Compton—Stanstead, QC
I have an example in front of me. In the case of the Panama Papers, we were able to recover $83 million.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
I want to go back to what my colleague across the way was talking about. There are fraudsters pretending to be CRA agents, and it's difficult for CRA agents to ensure they're interacting with the right person. Similarly, it's difficult for taxpayers to ensure they're really in touch with a CRA agent.
What are the best practices that you're recommending to taxpayers with respect to that? Should they always be those initiating the calls by using the number on your website? What is the mechanism in place for that?
Liberal
Marie-Claude Bibeau Liberal Compton—Stanstead, QC
Yes, we have to be very careful when we share information. If a Canada Revenue Agency agent calls you, they will have information to share with you, not information to ask for. When in doubt, when the agency reaches out to you, whether in writing or verbally, you can always end the interaction and call the agency at its general number. In addition, when you receive an email, it contains a code. So, if you call back the agency and provide it with this code, and you're told that the code means nothing, it's because it was fraud. Conversely, if the code is related to our file, it's because it was indeed an email from the agency. So someone from the agency who calls you will give you information, but they won't ask you for it.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
What happens to taxpayers who are victims of identity theft? Are there measures to support them?
Liberal
Marie-Claude Bibeau Liberal Compton—Stanstead, QC
When identity theft occurs, we work with TransUnion, among others, an agency that is more or less the equivalent of Equifax, which many people know. This makes it possible to track the financial accounts of clients who have experienced identity theft. Again, it depends on the severity of the identity theft. Did the fraudster simply change a piece of information? Did they just change the bank account number to receive benefits, without seeing the taxpayer's other information? In some other cases, the fraudster was able to see everything. It's rarer, but it happens, as well. So the level of support for the customer's protection can vary depending on the severity of the fraud.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Bains.
I have a question, Madam Minister. There were 31,468 privacy breaches between March 2020 and December 2023, which directly affected 62,000 Canadian taxpayers. Only 113 of those privacy breaches were reported to the Office of the Privacy Commissioner, yet 31,468 were reported retroactively. Why weren't those numbers known at the time—that only 113 were given to the Privacy Commissioner? Why wasn't he able to access that information?
Liberal
Marie-Claude Bibeau Liberal Compton—Stanstead, QC
It's true that there was some delay, but we disclose that information on a quarterly basis in the Auditor General's reports. In addition, we come to this committee, to the Standing Committee on Finance or the Standing Committee on Public Accounts, and we provide that information.
The reason for the delay in disclosure is that there was an unusual wave of identity theft. In such cases, our priority is to freeze the account in question and to call the individual to verify whether identity theft has in fact occurred. Sometimes, we fear that there has been identity theft, but we realize that the person has actually made a change. So that validation must be done, and that's our priority. However, since the number of identity thefts was unusual, our team was really mobilized to protect people, to follow up and to tighten things up.
Once again, every time a situation involving identity theft occurs, there's a rush to understand what happened and close the loophole.
Conservative
The Chair Conservative John Brassard
Are you able to break down...? I'm not asking for the information, but I just want to know: Of these 31,000 people who had their privacy affected, do we know who they are, and have they been contacted individually or not?
Liberal
Marie-Claude Bibeau Liberal Compton—Stanstead, QC
Absolutely. The first thing we do is block the account and call the individual.
Conservative
The Chair Conservative John Brassard
Thank you, Madam Minister.
We will suspend the meeting for a few minutes while we prepare for the second hour of the meeting.
Conservative
The Chair Conservative John Brassard
Welcome back, everyone.
The committee is resuming its study of privacy breaches at the Canada Revenue Agency. Our witnesses are here for the second hour.
From the agency, we have Mr. Hamilton, commissioner of the CRA, back with us. We also have Sophie Galarneau, assistant commissioner, public affairs branch, and chief privacy officer; Harry Gill, assistant commissioner, security branch, and agency security officer; Gillian Pranke, assistant commissioner, assessment, benefit and service branch; and Marc Lemieux, assistant commissioner, collections and verification branch.
Commissioner, I want to thank you for holding off on your statement. You have up to five minutes to do it now. Go ahead, sir.
Commissioner of Revenue, Canada Revenue Agency
Thank you, Mr. Chair.
Thank you for the opportunity to continue our discussion. You've introduced people already, and they are people who can answer some of the more detailed questions that we talked about earlier.
I want to say that the protection of taxpayer information remains one of our highest priorities. If you look at our mission in the agency, it's to provide service to Canadians, fairness in the tax system through compliance and protection of information, so we take it very seriously.
In today's increasingly digital world, the rise in fraud and identity theft has become a global trend. We're not the only jurisdiction or the only organization that's facing it. Internationally, responses to these trends include the joint chiefs of global tax enforcement, J5, which the minister mentioned, convening a special working group targeting cybercrime. The agency, representing Canada, is an active member of the J5.
Despite the rigorous security controls already in place, the agency, like any organization, recognizes that it's not immune to these growing trends and acknowledges that privacy breaches and identity theft cause concern among those affected.
The agency does not publicly discuss tax schemes utilized by bad actors, to avoid inspiring other would-be fraudsters to follow suit. Nevertheless, it's important to note that a privacy breach does not necessarily mean that our systems have been compromised or that information has been extracted. In the vast majority of cases that we encounter, fraudsters access data external to the agency, attempting to exploit it by posing as real taxpayers, which we discussed in the earlier session.
That said, the agency has a multi-layered system of defences to identify, protect, detect and respond to threats like fraud, identity theft and tax schemes. We are successful in protecting hundreds of thousands of fraudulent attempts to gain personal and business taxpayer accounts.
To support transparency, we report all material privacy breaches to the Treasury Board of Canada Secretariat and the Office of the Privacy Commissioner of Canada. Admittedly, as we've discussed before, there have been some delays following the pandemic, but we do report them and consider ourselves to be very transparent in that regard.
We also report on privacy breaches at the end of each fiscal year in our “Annual Report to Parliament—The Administration of the Privacy Act”.
When fraud is suspected, the agency takes immediate precautionary measures on the taxpayer's account, such as blocking it to prevent transactions, and conducts in-depth reviews with the people involved.
Our identity protection service then takes over. This service is dedicated to both private and corporate clients. We offer an accessible, high-quality service to those affected by identity theft. When identity theft is reported, the agency offers credit protection and monitors the accounts of affected customers to prevent taxpayers from being victimized again.
In rare cases in which fraudulent funds are paid out, the agency takes every available enforcement action to return the funds to the Crown and to hold the offending parties accountable. This includes criminal investigations at our own operation, which could also be referred to the RCMP.
There is no silver bullet to protect against fraud or privacy breaches. That's why we have implemented these multi-layer safeguards, including multifactor authentication as a mandatory measure. This requires persons to enter a one-time password every time they access the agency's log-in services.
The agency also regularly performs security assessments such as vulnerability scanning, penetration testing and security risk assessments of the agency's digital services and systems. We regularly conduct routine checks to identify taxpayer credentials that may have been obtained by unauthorized external parties, and we take immediate steps to revoke these IDs to prevent them from being exploited by fraudsters.
In addition, we continually invest in security by enhancing our technologies, processes and controls to ensure the safety of taxpayer information. As fraudsters' tactics evolve, the agency adapts by remaining vigilant in its efforts to stay one step ahead.
Thank you, Mr. Chair.
We would be pleased to answer any questions from the committee.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Hamilton.
We will have six-minute rounds, starting with Mr. Chambers for six minutes.
Go ahead.
Conservative
Adam Chambers Conservative Simcoe North, ON
Thank you, Mr. Chair.
Thank you to the witnesses for appearing at committee.
Mr. Commissioner, you mentioned that there were some delays in reporting the privacy breaches. I'm just trying to get a handle on the decision rights framework within CRA. Whose decision would it have been to not report those breaches in a timely manner?
Commissioner of Revenue, Canada Revenue Agency
I take responsibility for what happens within the CRA. It wasn't a conscious decision in the sense of, “Well, let's not report them.” It was that we had a massive backlog. We were sorting out the process to report these privacy breaches, because we hadn't had that number in the past. We had processes to make sure that we blocked the accounts to prevent the damage and that we informed the people, and then we tried to find out what had gone on. Then, as time went by, we were able to report them.
Conservative
Adam Chambers Conservative Simcoe North, ON
The minister had no knowledge of this, so you're saying that the decision to not report was not a ministerial decision.
Commissioner of Revenue, Canada Revenue Agency
I'm sorry, but what did you say?