Evidence of meeting #143 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippe Dufresne  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Isabelle Gervais  Deputy Commissioner, Compliance, Office of the Privacy Commissioner of Canada

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

There are situations when you might need to keep something confidential because you want to address it, you want to contain it and you don't want the threat actors to have the information. There is a balance there.

Certainly, it's important that my office be made aware in a timely manner and that the discussion about public communication to do that take place as soon as possible.

5 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

A news report on this matter says:

According to sources, the crisis prompted the CRA to contact the office of Revenue Minister Marie-Claude Bibeau.

The agency prepared media lines to respond to inquiries should there be questions about the breach of H&R Block data and why the agency paid out millions to scammers.

In the end, the public was never alerted to the scheme.

The scenario that you described, sir, was to help contain the threat, perhaps, take action and inform your office immediately, before then informing Canadians. This looks like a government not protecting Canadians but protecting itself from the criticism of Canadians who were the victims of, potentially, the government's negligence—likely the government's negligence, in fact.

Do you believe it's acceptable for the minister to have withheld this information from Canadians?

5 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I think my office should have been notified earlier than it was. I think it's beneficial for Canadians to have information as soon as possible. There may be circumstances in which it needs to be kept confidential longer. I point to the 2020 situation, when the Treasury Board made a public announcement on this, so Canadians were aware of the earlier situation.

5:05 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

Right.

In this case, they didn't. They literally just prepared a damage control plan and didn't inform Canadians, whose personal information was being used for the ill-gotten financial gains of fraudsters and criminals.

Isn't there an ethical and a moral obligation for a minister, acting on behalf of the Crown, to inform Canadians?

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

In terms of best practices, I would want to see notifications to my office, and I would want to see notifications—

5:05 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

That didn't happen. Your office was not notified.

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We were notified, but late. We were notified—

5:05 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

Quantify that.

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We were supposed to be notified seven days after the department became aware. We were notified in May 2024.

5:05 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

How many days later was that?

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Some of those breaches dated back to 2020. We're talking many, many days.

5:05 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

Continue with your answer.

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

I think public information is important so that lessons can be learned. There was a public announcement by the Treasury Board in 2020 on the GCKey matter. We investigated it. We issued our recommendations. These are publicly available statements and conclusions that helped the public debate and draw conclusions.

Again, subject to some confidentiality provisions, which may be legitimate for a certain time, these matters should be made public.

5:05 p.m.

Conservative

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

The Canadians who have been defrauded would rightly lose confidence in the institution of government generally.

Also, in this case, the Canada Revenue Agency has extraordinary powers and extraordinary access, and can be the vector by which individuals end up jailed or fined, have their wages garnished and assess massive penalties. This organization—this minister—opted instead to lie by omission to Canadians. Canadians were expected to believe that everything was okay, because they weren't told any different.

Does it cause irreparable harm to the institution of government when this information is concealed from Canadians?

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

What we highlighted in our earlier report is that these breaches have impacts on Canadians. They can cause stress. You highlighted garnishing. There can be situations in which people have to take very distressing steps.

As much as possible has to be done for Canadians in these circumstances, in terms of informing them, notifying them and protecting them—and in terms of drawing lessons from that.

Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON

In my remaining time, Chair, I want to give notice of a motion:

Given that, at a time when Canadians are lining up at food banks in record numbers and facing the worst cost of living crisis in a generation, Justin Trudeau's Minister of Emergency Preparedness accepted two taxpayer-funded VIP suite tickets to attend a Taylor Swift concert in Vancouver, the committee:

1. call on the Minister of Emergency Preparedness and PavCo Chair Gwendolyn Point to testify before this committee for no less than two hours, separately; and

2. order PavCo to provide the names of all federal ministers, officials or staff provided with tickets to any of the Taylor Swift concerts at BC Place, and any related communications.

5:05 p.m.

Conservative

The Chair Conservative John Brassard

Thank you for that, Mr. Barrett. The motion is on notice. That concludes your time.

Mr. Fisher, you have six minutes. Go ahead, sir.

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you, Chair.

Thanks to the witnesses for being here. I really appreciate their very focused answers. It has really helped in a situation in which not everybody has a depth of understanding.

Some of the things I've scribbled down here may seem like they're not in any specific order. They're things that were said during your discussion today.

What is “credential stuffing”?

5:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Credential stuffing is when you reuse passwords you obtained from other sources. You're using these, as a bad actor, to gain access to websites and portals. It's essentially to gain access to information.

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Obviously, we know data breaches are on the rise. I think you were speaking about your office having to continuously adapt. You talked about some one-time funding and a need for that to be more permanent.

Can you tell me a bit about how you are, as an office, continually adapting to this increase in data breaches?

5:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We have made these funding requests to Parliament. We obtained temporary funding. We will be continuing to push for this to be permanent, because those breaches are not diminishing. We're looking at processes, right now, within the OPC. One of my three strategic priorities is to protect and promote privacy with maximum impact. We're looking at our structures. We're looking at whether we are putting enough resourcing in the compliance side of the office, including breach protection. We're asking for more permanent resources.

We're also looking internally to see how we are structured and operating. We're looking into our technological knowledge. We have a technology lab, and we're continually developing our expertise there. We're working with international partners and partners in Canada—the privacy commissioners in the provinces and territories, and international partners. I indicated that I launched an investigation, along with my colleague, the UK commissioner, into 23andMe. That's an investigation into another major breach.

We're leveraging each other's expertise. We're learning from each other. Breaches and cybersecurity are themes we're discussing more and more in the privacy community here in Canada and around the world.

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you for that.

You talked about some of your recommendations—improving communications, incident response plans and accountability.

How have reporting procedures and methods changed because of these events—or have they?

5:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

The measures have changed because of the recommendations we made in that investigation.

CRA and ESDC have taken steps. They've put multifactor authentication in place. They have worked on their processes, assessments and communication frameworks. Some of those recommendation elements had a six-month timeline. Some of them have a 12-month timeline, so they're not all completed. However, they're on track to being completed. That's what we want to see when we make recommendations. In this case, the departments agreed with our recommendations and accepted they had to implement them. We want to see that.

We'll see what this next investigation results in. If there have been some shortcomings, there will be more recommendations, and we would expect the same collaboration and compliance.

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

MFA, or multifactor authentication, was brought up by Mr. Housefather, and I think a few other people mentioned it as well. If MFA had been present, would that have prevented this particular breach or this set of breaches?

5:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We found that in the investigation we did on the GCKey in 2020, in many cases it would have provided additional protection, which would have prevented the breach. Without it, it's all too easy to gain access.