Evidence of meeting #151 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Clerk of the Committee  Mr. Naaman Sugrue
Michele Mosca  Director, Quantum-Safe Canada
Brian O'Higgins  Chair, Quantum-Safe Canada
Christopher Parsons  Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab
Karen McCrimmon  Kanata—Carleton, Lib.
Jim Eglinski  Yellowhead, CPC
Normand Lafrenière  President, Canadian Association of Mutual Insurance Companies
Steve Masnyk  Principal, SkyBridge Strategies

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

I'm not familiar with what the banks have, but I can tell you that our members shell out a lot to make sure their systems are protected and secure.

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Who are your members?

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

Mutual insurance companies.

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

To your knowledge, is what your members spend on system security comparable to what the banks spend, taking into account routine operations?

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

For now, that's speculation, since we don't have the information. Isn't that right?

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

That's right. We don't have the information, but percentage-wise, it's certainly true.

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

How does your industry define a cyber-threat?

February 27th, 2019 / 5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

The risk of a third party gaining access to our systems and retrieving information.

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

What criteria do you follow when recruiting staff to make sure you have some control over the human risk factor?

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

My job is simply to represent the association. It's not our staff; it's the companies who do the hiring and have the computer systems.

Unfortunately, I can't answer your question.

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Right now, do your member companies and the banks share any data?

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

As we speak, then, there's no electronic access. It's reasonable to believe that the members of your association do not offer third parties a way into the banking system, a vulnerable entry point, if you will.

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

5:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

That's it for me, Mr. Chair.

5:40 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Picard. You've had the penultimate question, and I'd like to ask the ultimate question before we adjourn.

I wonder whether you are understating the significance of the data that you hold. You keep talking about how many bathrooms and who cares, but actually that can be quite significant data in the hands of certain people who wish to do us harm.

I wonder whether in fact you might be taking a bit too casual an approach to your own cybersecurity from the standpoint of data protection, because—and I guess this is a heightened sensitivity on the part of this committee—you never really know how individuals with malicious intention can use that data against both policy-holders and the institutions themselves.

I refer you to a $100-million lawsuit against Zurich Insurance. When the lawsuits start to happen over cybersecurity, everybody starts to run around in dizzy circles because they realize that maybe the data they had or have is far more significant than they actually realize.

I'm curious about your reaction to the value of your data.

5:40 p.m.

President, Canadian Association of Mutual Insurance Companies

Normand Lafrenière

We're always concerned with the data we hold. We hold personal information, names, addresses and that kind of stuff. Of course, we cannot ask for as much information as others can. We cannot ask you how much you make or what your job is and that kind of stuff. That's separate from what the insurance companies ask. They want to know what kind of use you make of your vehicle. That's the kind of information they ask for and that you see in the files of insurance companies.

5:45 p.m.

Liberal

The Chair Liberal John McKay

Google is awfully interested in how far I drive and when I drive. I got into the car in my garage on Sunday morning and it told me that it was 21 minutes to get to my church. I think it was kind of surprised that I went to church.

What I would describe as innocuous data becomes, in the hands of others, fairly significant.

5:45 p.m.

Principal, SkyBridge Strategies

Steve Masnyk

Mr. Chair, you're absolutely right. We don't know what we don't know until somebody finds out what we don't know and that becomes valuable.

5:45 p.m.

Liberal

The Chair Liberal John McKay

Yes.

5:45 p.m.

Principal, SkyBridge Strategies

Steve Masnyk

It could be that we're understating it, but I think it's a question of degree. Banks and financial institutions have 100,000 times more data on you as a consumer than an insurance company would. Sure, there is personal data that insurance companies possess, as well as brokers, agents and so on, but it's a question of degree.

5:45 p.m.

Liberal

The Chair Liberal John McKay

I don't want to press you on the point, but I'm not sure I buy your core argument.

Anyway, thank you for that.

With that, we are adjourned.