Information & Ethics Committee on Dec. 12th, 2024

Thank you very much, Mr. Chair.

Thank you, committee members, for the opportunity to appear on behalf of H&R Block Canada today. I appreciate the committee's patience and flexibility in accommodating my schedule.

This year, we at H&R Block Canada are proud to be celebrating our 60th anniversary of helping Canadians with their taxes and with receiving their benefits. Back in 1964, H&R Block Canada's first tax office was established in Toronto, and our national headquarters are proudly located in Calgary today. Throughout our 60 years in Canada, our company has grown to nearly 1,000 locations and 10,000 H&R Block Canada associates, serving Canadians in every corner of the country during tax season.

I'd like to reiterate some key points from our earlier November 15 statement and our December 6 submission to the committee.

Throughout our more than six decades of operation, H&R Block Canada has placed the utmost priority on ensuring the protection and privacy of our clients' tax information. H&R Block Canada is proud of our retail offices' privacy framework, which is among the best in Canada. We understand the important responsibilities and obligations that come with safeguarding Canadians' personal information, and we have robust security systems and processes in place to protect it.

Given H&R Block Canada's commitment to data privacy and security, when we became aware of the incident involving our e-file credentials, we immediately conducted a comprehensive internal investigation and concluded that H&R Block Canada's data, systems and software had not been compromised. We are also not aware of any impact to our clients.

I would also like to assure this committee that H&R Block Canada has never sent any Canadians' personal data, including pixels, to companies such as Google and Meta. While we are aware of past media reports in the U.S. regarding this issue, we can confirm that the pixel usage described in those reports does not apply to H&R Block Canada clients.

Allow me to take a moment to speak on behalf of our broader industry.

As co-chair of Tax-Filer Empowerment Canada, the national trade association for Canada's tax preparation and software industry, I believe it is important to articulate the critical role of industry tax software in helping to safeguard the personal information of Canadians. Tax software developed by industry for use by taxpayers directly or by tax professionals on behalf of their clients must undergo intense certification by the CRA each year in order to be approved for use by the public and to be authorized for the electronic filing of tax returns to the CRA. Tax software providers must also ensure that their products and services are compliant with Canadian privacy and data security legislation. These factors, along with industry innovation and ongoing investment to continuously enhance and evolve data security, afford Canadians many diverse industry options to choose from so that they can feel safe providing their personal information.

Diversification mitigates cybersecurity risks, as threat actors have to attempt to infiltrate several different secure IT systems, as opposed to just one system administered by the CRA. With this in mind, along with the fact that the CRA is a high-value target to threat actors and has experienced previous security breaches, the notion that taxpayers' information will be safer if it is solely controlled and managed by the CRA through automatic filing or any type of government tax filing does not have a credible basis.

Before we move to questions that committee members may have, I would like to raise this point. These proceedings are very likely being monitored by threat actors seeking opportunities to identify and exploit potential data security intelligence for criminal gain. As the largest assisted tax preparation company in Canada, H&R Block Canada closely monitors and defends against attempted cyber-threats on a regular basis. Accordingly, any statements we provide as an organization regarding cybersecurity must be careful not to reveal sensitive information that could give threat actors any intelligence to assist with their criminal activities. Further, we are bound by Canadian privacy legislation and H&R Block Canada’s client privacy and data security policies to ensure that no personal information of Canadian taxpayers is disclosed.

Thank you again, Mr. Chair and committee members, for inviting me to appear today on behalf of H&R Block Canada. I am pleased to answer any questions that you may have, to the best of my ability.

Thank you for the question.

As I mentioned in my statement and in earlier submissions to the committee, when H&R Block Canada was notified by CRA that there was a compromise of our e-file credentials, we immediately launched a comprehensive investigation. We left no stone unturned. Throughout the course of that investigation and upon its conclusion, there was no evidence to suggest that H&R Block Canada's systems, software or security apparatuses had been compromised in any way.

As to where this compromise may have taken place, H&R Block Canada can't say for sure, but we know that it was not within our organization.

I am familiar only at a cursory level. I'm here in my capacity today representing H&R Block Canada and our operations here in Canada, but I am familiar with some high-level aspects of collaboration between IRS and the tax preparation industry in the United States, such as the security summit, which is an annual gathering of both the industry and the IRS to share best practices about cybersecurity and talk about potential threats, to the extent that's possible and appropriate.

It doesn't currently happen in Canada. It is something that our company and the industry have recommended to CRA in the past, and we continue to recommend that. To the extent possible, we would like to see more collaboration between the agency and the industry, to combat fraud and any other type of cybersecurity threats.

It has come up in industry conversations with CRA off and on over the last, I would say, two to three years, approximately.

They have always expressed receptiveness to the idea. I think one of the challenges that CRA has communicated to us with that concept is how something like that can be put together and still respect Canadian data privacy legislation.

Our understanding is that CRA is looking into that and, hopefully, once we have a clearer picture of what may be possible, we can potentially explore moving that forward.

Do I see what as an impediment?

I would say that, to the extent that it's preventing CRA from being able to collaborate where appropriate with industry and with our organization, then, yes, it would be an impediment.

I'm not in a position to answer that, given that we did not have a line of sight into CRA's investigation and most of the mitigating measures that they may have employed. I'm not able to answer that with any accuracy.

Yes, it was, in terms of notifying us when this incident may have began. That communication, I believe, did happen in an expedient manner.

I'm not able to disclose the exact date, just for security purposes, but we were notified in April of this year. Immediately upon being notified, we launched our investigation into our system, software and security apparatuses.