Evidence of meeting #165 for Public Safety and National Security in the 42nd Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A video is available from Parliament.
NDP
The Vice-Chair NDP Matthew Dubé
Can we agree on two final five-minute rounds for each of the parties at the table right now? Is that okay?
The Chair
I'm good on my end, but I appreciate the generosity with the speaking time from your side.
Conservative
Jim Eglinski Conservative Yellowhead, AB
I'd like to thank the witness for being here.
Brian, I want to follow through with what Mr. Picard was stating.
You stated earlier in your evidence that the money put into the PayPal accounts goes into the United States. Is that true for all countries where you do transactions?
Senior Director, Information Security, PayPal, Inc.
I'm not certain on that, Mr. Eglinski.
I'd have to verify with our product team on where the money is deposited in back-end sources based on locale.
Conservative
Jim Eglinski Conservative Yellowhead, AB
Let's deal with the Canadian customers.
Do all the funds from which we do transactions with you go into the United States, or is some of it done here in Canada?
Senior Director, Information Security, PayPal, Inc.
I'm sorry. I'm not sure which products have storage of data and balances in which accounts, so I can't answer that with clarity.
Conservative
Jim Eglinski Conservative Yellowhead, AB
All right.
Is there a regulatory body in the United States that requires you to report breaches in your program? As you mentioned to Mr. Picard earlier, you have a program that will kick out if a transaction is made and a second transaction is withdrawn from a different locale.
Is that requirement for you? Do you report those to certain security agencies within the United States or Canada?
Senior Director, Information Security, PayPal, Inc.
We have a number of obligations to notify and notification obligations based on regulators across the globe. Again, those are regionally managed at the state level within the U.S., and at the regional level within each of the regulators.
We're governed by the CSSF in Europe, which is overseeing our European banking licence, and the MAS, which is the Monetary Authority of Singapore. We're governed in a number of other jurisdictions where we operate money remitter and payment service provider licences that we do in the United States and Canada.
Those obligations to notify vary based on the condition, but we do notify regulators of occurrences on whether they cross the threshold of notification for any data breach situation, or for any money-laundering operation or fraud scheme that we may detect on the platform. Those are notified through regulators as required.
Conservative
Senior Director, Information Security, PayPal, Inc.
No, sir, we're not. We've discussed with the group, and our threat intelligence team has met with them before, but we're not currently members of the group.
Senior Director, Information Security, PayPal, Inc.
I believe there were other channels that superceded that—threat exchange platforms that are not specifically regional. The CCTX actually subscribes to some of the threat feeds that we're already members of. There are a number of threat exchanges that I believe they already exchange data through. We're not opposed to it, there just wasn't a need, as we've discussed with them, for any unique data exchange.
Conservative
Jim Eglinski Conservative Yellowhead, AB
Okay, thank you.
I've been a member of PayPal, I think since about 2000, and have used it quite often over the years.
Senior Director, Information Security, PayPal, Inc.
Thank you for your business.
Conservative
Jim Eglinski Conservative Yellowhead, AB
How much of my personal information, or other users', goes through your service? Where is that information stored? Is it all stored in the United States, or is it stored in individual countries?
Senior Director, Information Security, PayPal, Inc.
It's all stored in the United States. Personal information is all encrypted. We have extremely high-level encryption technologies at all levels of our infrastructure and technology stack. Personally identifiable information is not shared. Again, we don't sell or rent that data out to anyone, for marketing or any other purpose. It is housed and stays on PayPal's systems in the United States, in our data centres.
Senior Director, Information Security, PayPal, Inc.
Have we been hacked? The direct answer is that we have not been breached. If you're asking if we've been breached in the sense of a customer-notifiable data breach event from PayPal, no. Properties, as you may be aware, of other adjacent companies that we've acquired over the years have reported cyber-incidents. We've had some vulnerabilities, and what would be classified as “hacks” noted in different products as an interface, but none of those have led to a massive breach, or a data loss at the extreme level that would require any notification.
Conservative
Jim Eglinski Conservative Yellowhead, AB
You mentioned that all the data is stored in the United States. Is it stored in only one facility, or do you have a backup-type system?
Senior Director, Information Security, PayPal, Inc.
We have multiple backups, yes. We're geographically distributed across high-availability data centre zones, so that we maintain resilience and disaster recovery capabilities across the platform.
NDP
The Vice-Chair NDP Matthew Dubé
Thank you, Mr. Eglinski.
We will now give the floor to Mr. Graham for the last five minutes.