Evidence of meeting #140 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Bob Hamilton  Commissioner of Revenue, Canada Revenue Agency
Marc Lemieux  Assistant Commissioner, Collections and Verification Branch, Canada Revenue Agency
Sophie Galarneau  Assistant Commissioner, Public Affairs Branch and Chief Privacy Officer, Canada Revenue Agency
Harry Gill  Assistant Commissioner, Security Branch and Agency Security Officer, Canada Revenue Agency

Brenda Shanahan Liberal Châteauguay—Lacolle, QC

Thank you, Mr. Chair.

My riding of Châteauguay—Lacolle will soon be called Châteauguay—Les Jardins‑de‑Napierville. I'm very proud the name was changed and will be used by local associations.

Minister, thank you for being with us today.

For those who don't know, I worked in income tax preparation for a long time, and I discussed how important it was for Canadians to be educated, advised and supported in relation to their tax returns. I've seen how things have evolved. When I started out, tax returns were done on paper, which Mr. Villemure may also remember. We had to make sure that Quebec tax returns were consistent with federal ones.

Later, with software developments, the data were automatically transferred. Now we can access our confidential data on a website. I always tell people I know that the software is mainly for verifying that there are no errors or problems in the data.

Minister, what do you think is the best way for Canadians to make sure their returns are filed properly?

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

Thank you, Mrs. Shanahan.

The agency does a lot in the way of communications. I would say the first recommendation is for people to make sure they don't use the same user name or password for everything. Easily identifiable passwords make people extremely vulnerable. In the unfortunate event a scammer figures out our log-in information, they can access our banking data, our account with the agency or what have you.

The agency has a whole communication strategy on its website. It also provides different kinds of training and tools to help people protect themselves. Digital hygiene is extremely important because most, if not all, of the identity theft cases we're talking about today involve information stolen outside the agency. Everyone has trouble remembering all their passwords, which is why people tend to choose the same ones. The scammers we're talking about obtained access credentials and passwords from a source outside the agency and used them to get into the agency's website. Therefore, it's really important that people protect themselves.

Brenda Shanahan Liberal Châteauguay—Lacolle, QC

Thank you for that information.

Since we're talking about identity theft, I was at the Standing Committee on Public Accounts last year, when we had the same discussions. One of the witnesses was Mr. Hamilton, who is here today. The Auditor General looked into it and did an analysis, at which point it became public. There were about 20,000 cases at the time.

However, we understand that it's also a matter of timing. We file our tax returns three or four months after the beginning of the fiscal year, which starts on January 1 and ends on December 31. It takes time, both for taxpayers and the CRA, to ascertain that something has happened. Then the process takes a few more months, which can extend to two or three fiscal years. I'd like to hear your comments on that, but first I'd like to know something. The Auditor General found that the actions the agency took at the time were appropriate. Would you say the same is true now? Are you satisfied with the measures the agency is taking at this point?

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

Yes, I am.

The agency has many systems in place to protect Canadians. We work in partnership with a number of institutions here in Canada, but also internationally. When a situation occurs here or abroad, the institutions disclose it and share techniques to prevent it from reoccurring. There are multiple layers of the safety net. That way, if an attack were to slip through the first layer, another layer would be there to catch it.

One layer of the safety net is multifactor authentication. Every time a citizen wants to change information in their My Account, such as their address or their bank account number, they immediately receive an email. If anyone receives an email that says their bank account number has been changed in their Canada Revenue Agency file and they haven't made that change, they need to immediately call the CRA to block the account.

As you see, we have put in place a number of security measures to prevent fraud as much as possible. Scammers are creative, but so are we. We have the skills. We have a team that keeps its eye on the ball to protect citizens every time a new scam comes up.

4:10 p.m.

The Chair Conservative John Brassard

Thank you, Minister and Mrs. Shanahan.

Mr. Villemure, you have the floor for six minutes.

René Villemure Bloc Trois-Rivières, QC

Thank you, Mr. Chair.

Minister, thank you for being with us today. I have a number of questions for you.

I heard you say in your previous answers that users often bear the burden of protecting themselves, for example by changing their passwords. As everyone knows, digital life is complicated. People tend to trust an organization like the CRA. By definition, trust means not always having to bear the burden of proof, but that's what people have to do now. There is a logical disconnect. Isn't there a way to avoid putting all the burden on users?

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

I think it's a shared responsibility. Everyone has to take precautions, like buckling our seat belts. People have a personal responsibility, but I can assure you that the agency is focusing a tremendous amount of effort, energy, investment and training on protecting people from identity theft.

Again, the information in question was obtained through systems outside the CRA. People used that information to get into our system. The CRA is implementing a number of measures. For example, in order to access an account, users are required to click on all the squares of an image that feature a bicycle. That's already a way of ensuring that a person, not a machine, is trying to get into the system. Another way is entering a code sent to a cellphone. A number of similar measures are being put in place. You know what I'm talking about, right?

René Villemure Bloc Trois-Rivières, QC

Yes, I understand very well. Thank you.

How many employees does the Canada Revenue Agency have?

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

There are close to 60,000.

René Villemure Bloc Trois-Rivières, QC

Of those 60,000 employees, how many are front-line supervisors?

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

I'll ask the commissioner to answer that, because I couldn't tell you.

4:15 p.m.

Commissioner of Revenue, Canada Revenue Agency

Bob Hamilton

I don't have that number at my fingertips either. I would have to check on that.

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

Mr. Villemure, what do you mean by “front line”?

4:15 p.m.

Commissioner of Revenue, Canada Revenue Agency

Bob Hamilton

We have about 400 senior managers, which is a higher management level. I'll find the information.

René Villemure Bloc Trois-Rivières, QC

Okay. I guess that's the second level of customer service.

I'd like to know one thing. When whistle-blowers flag a problem within an organization, the reason is often that they reported the situation but to no avail. What's your take on that?

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

As far as whistle-blowers are concerned, I completely agree that some situations need to be reported. That is why we support Bill C‑290, which is a step in that direction.

The CRA is unique in that it is a prime target because it holds a lot of personal information. We are governed by the Income Tax Act, including section 241. A lot of measures revolve around that. We have a code of ethics, and we need to comply with it.

All employees are responsible for protecting the integrity of the tax system and obviously cannot compromise ongoing investigations.

René Villemure Bloc Trois-Rivières, QC

Of the 60,000 employees, or the 400 people in senior management positions, how many of them are teleworking?

4:15 p.m.

Commissioner of Revenue, Canada Revenue Agency

Bob Hamilton

According to the current rule, all employees need to work three days a week in the office.

René Villemure Bloc Trois-Rivières, QC

Okay.

4:15 p.m.

Commissioner of Revenue, Canada Revenue Agency

Bob Hamilton

Some employees currently have an exemption, but in general, all employees have to work three days a week in the office. There are people who have to work in the office five days a week because of their position.

René Villemure Bloc Trois-Rivières, QC

Okay.

Were many of them hired postpandemic?

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

Of course. Before the pandemic, we had 43,000 employees. At the height of the pandemic, we had 62,000. Today, we have about 58,000.

René Villemure Bloc Trois-Rivières, QC

Every organization has a corporate culture. However, it's reasonable to believe that some employees didn't know the agency as it was before the pandemic. Admittedly, telework may have made it more difficult to adhere to the agency's culture of confidentiality. I would like to know whether employees are being properly supervised, considering that some do not work or have never worked in the office.

Marie-Claude Bibeau Liberal Compton—Stanstead, QC

I don't know what level of supervision you're talking about, but I think we do find ways to do what we need to do. COVID‑19 has taught us all to work differently.

I can assure you that mechanisms are in place to ensure employee integrity. Obviously, employees' level of access to information depends on their position. Not everybody has unlimited access.

René Villemure Bloc Trois-Rivières, QC

However, the whistle-blowers still felt that nothing was done.