Public Safety Committee on July 15th, 2019

You'll be happy to hear, as I understand the committee was informed, that I won't be making any opening remarks. I am present here today simply to address any questions you may have. As this, on its surface, does relate to an ongoing criminal investigative matter, it would be inappropriate for me to provide details of an investigation, particularly an investigation that is not being undertaken by the RCMP.

I welcome all questions. I am here to provide whatever assistance I can.

That will depend on the jurisdiction where it occurs. In the jurisdiction where we are, the police have jurisdiction, so they have the provincial and municipal responsibility. It would be forwarded to our intake process there, whether it be our telecoms office, the front desk of a detachment or a particular investigative unit that's identified for that.

In cases where we are not the police of jurisdiction, like in Ontario and Quebec where we are the federal police, we will become aware of these instances through our collaboration with our provincial and municipal partners. We will look at the information and determine whether or not there are any connections to other investigations that we have ongoing, and offer our assistance to the police of jurisdiction should they require it, although on many occasions this type of incident is very well handled. We have very competent provincial and municipal police forces that are able to handle these on their own.

The RCMP doesn't automatically step in solely because it crosses multiple provinces. As occurs with traditional crimes, whether a theft ring on a border between two provinces, or homicides, the police forces in those jurisdictions are used to collaborating and do so very well.

When there's an incident that occurs from a cyber perspective, if it's going to have an impact on a Government of Canada system, a critical infrastructure operator or there are national security considerations to it, or if it's connected to a transnational, serious and organized crime group that already falls within the priority areas we're investigating, then that matter will be something we will step into.

From a cyber perspective, we have ongoing relationships and regular communication with most of the provinces and municipalities that have cyber capabilities within their investigative areas. We know that many of these incidents occur in multiple jurisdictions, whether they be domestic or international, so coordination and collaboration are really important.

That's why the national cybercrime coordination unit is being stood up as a national police service to aid in that collaboration, but prior to that being implemented, one of the responsibilities of my team in our headquarters unit is to have regular engagement, whether regular telephone conference calls or formal meetings where we discuss things that are happening in multiple jurisdictions to ensure that collaboration and deconfliction occurs, or on an ad hoc basis. When a significant incident occurs, our staff in the multiple police forces will be on the phone speaking to each other and identifying and ensuring that an appropriate and non-duplicating response is provided.

I'd like to stay away from discussing this particular investigation, but I can tell you that investigations of this nature absolutely will lead to discussions occurring. That happens as a consequence of the fact that we do have those regular meetings, whether it be in cyber or other types of crime that are going on in different jurisdictions. These, obviously, on a scale of this nature, would lead to discussions.

I am not involved involved in any of those discussions at this time. It is not something I have knowledge about.

Absolutely. We actually have a program at the Canadian Anti-Fraud Centre and a close relationship with telecommunications service providers, who have been very helpful in addressing some of the challenges we've had around telemarketing and the mass fraud committed over the telephone. As we learn about numbers that are utilized for fraud, we are validating that, and the telecoms industry is blocking those numbers to reduce the victimization. We have adapted some of our practices to ensure that this occurs at a much more timely rate than it has historically.

With any mass fraud campaign, whether it be tied to an instance like this or just in general, people need to have a strong sense of skepticism and take action to protect themselves. There are many resources under the Government of Canada, with such organizations as the Canadian Anti-Fraud Centre and Get Cyber Safe, that provide a list of advice for Canadians. It simply comes down to protecting your information and having a good sense of doubt when somebody is calling you. If it's a bank calling, call your local branch and use your local number. Don't respond to the number they provide and don't immediately call back the number they provide. Go with your trusted sources to validate any questions that are coming in.

I have experienced calls similar to yours. I had a very convincing call from my own bank. I contacted my bank and they gave me the advice that it was not legitimate. It was interesting, because in the end it turned out to be legitimate, but we all felt very safe in the fact that the appropriate steps were taken. I would rather risk not getting a service than compromising my identity or my financial information.

The RCMP's role, as I explained earlier, in many of these situations is to work with our provincial and municipal partners. It's important to recognize that our provincial and municipal partners are very skilled at responding to many of these incidents. It's not always the case that the RCMP has additional powers, authorities or capabilities to the ones they have when dealing with an incident that is singular in nature, where an individual is involved in a single event, as opposed to a broader one.

However, there's always a standing offer from the RCMP to our provincial and municipal partners, that should they require technical assistance, advice or guidance, we are available to them for that. It would be inappropriate for the RCMP to inject itself into the jurisdiction of another police force to run the investigation they are operating.

Again, outside the scope of this particular investigation, cybercriminals do commit the majority of their crimes to gain access to personal or financial information for the purposes of gaining access to financial institutions and the money that's housed in those locations. The RCMP work continuously with the international community to identify and pursue the individuals who are committing a great number of these crimes.

The RCMP are working closely right now with those international partners, as well as many of the large financial institutions in Canada and the Canadian Bankers Association, to ensure that we are targeting the individuals who are causing the most significant harm. Our federal policing prevention and engagement team has hosted sessions with both the financial institutions and the cybersecurity industry. We have a new advisory group that's helping us target those individuals.

As far as knowledge goes, it's only in the hands of those cybersecurity and financial institutions. We're trying to ensure that as we are putting the resources we have into investigations, we are targeting those individuals who are causing the most harm.

We do that, as well, internationally. As incidents occur, we speak to our international law enforcement partners. We identify the behaviours we have in our cases or in our Canadian law enforcement partners' cases, so that if there are connections or individuals who are in those other jurisdictions, we're using the mutual legal assistance treaty, and we're using police-to-police collaborative efforts that we have to ensure that, internationally, all of those efforts are put towards a problem.

Now, I want to stay away again—and I apologize for doing that—from this exact incident. I cannot express what is or is not being done in this particular incident.

I am unable to speak about this particular incident. It would be inappropriate for me to do so.

We have formal, regular engagement with our policing partners across the country. That occurs on a monthly basis in the cyber area, as well as biweekly in some other areas. However, when there are incidents such as this, as you described, there are immediate calls that go out to ensure that collaboration is occurring and that any of our international partners' information that's relevant could be utilized to aid in those investigations.

Yes, we do. We work very closely, as I've stated, with our provincial and municipal police agencies. In fact, I take great pride in the fact that at some of those meetings that I described, where our federal policing prevention and engagement team brought together the private sector, financial institutions and cybersecurity, one of those policing partners actually stood up at the front of the room and thanked the RCMP for the collaboration they are seeing in the area of cyber, which is far better than anything they've ever seen in their career.

I take great pride in that because that has been a priority for me, my staff and our engagement folks, to ensure that we are not being competitive but are being collaborative and, in that collaboration, we are supporting each other. We are not superseding other police forces' authorities, but we're also ensuring that we can assist the others in that.

The threat comes from multiple directions, and I can't say which is greater, because, in our experience, we have seen a significant number of organized groups or individuals perpetrating the crimes across the Internet. The Internet is an enabler as much as it's a tool for us to use in leveraging and utilizing all the fantastic services that are out there.

Yes, absolutely. We have seen a rise in what we refer to as cybercrime as a service to aid others who are less skilled at committing cyber offences, whether they are creating the malware, operating the infrastructure, or creating the processes by which somebody can monetize the information that is stolen. That is a key target area for the RCMP under our federal policing mandate, and we are targeting those key enabling services so that we can have the most significant impact on the individual crimes that are occurring, as opposed to chasing each individual crime.

Thank you, Mr. Chair. As requested, I'll keep my presentation on the shorter side.

Mr. Chair and honourable members of the committee, my name is André Boucher, and I am the associate deputy minister of operations at the Canadian Centre for Cyber Security.

Thank you for the opportunity to appear before you this afternoon.

Let me begin with a brief overview of who we are.

The Canadian Centre for Cyber Security was launched on October 1, 2018 as part of the Communications Security Establishment. We are Canada's national authority on cybersecurity and we lead the government's response to cybersecurity events.

As Canada's national computer security incident response team, the cyber centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response.

The cyber centre's partnerships with industry are key to this mission. Our goal is to promote the integration of cyber defence into the business model of industry partners to help strengthen Canada's overall resiliency to cyber threats. Despite these efforts and those of Canada's industry, cyber incidents do still happen.

This brings me to the topic we are here to discuss today. The cyber centre is not in a position to provide any details on this incident and does not comment on the cybersecurity practices of specific businesses or individuals. Any cyber breach, not just this specific instance, can be taken as an opportunity to revisit best practices and to refine systems, processes and safeguards.

In this case, media reporting and public statements indicate that the disclosure of personal information occurred as a result of the actions of an individual within the company—what is termed insider threat.

In our recent introduction to the cyber-threat environment, the cyber centre described the insider threat as individuals working within an organization who are particularly dangerous because of their access to internal networks that are protected by security parameters. For any malicious actor, access is key. The privileged access of insiders within an organization eliminates the need to employ other remote means and makes their job of collecting valuable information that much easier. More broadly, what this incident underscores is the human element of cybersecurity. The insider threat is only one example of this.

Cybercriminals have proven especially adept at exploiting human behaviour through social engineering to deceive targets into handing over valuable information. Fundamentally, the security of our systems depends on humans—users, administrators and security teams.

What can we do in a world of increasing cyber-threats? At the enterprise level, adopting a holistic approach to security is critical. This means starting with a culture of security and putting in place the right policies, procedures and cybersecurity practices. This ensures that when something goes wrong, as it almost inevitably will, there is a plan in place to address it.

Then we need to invest in knowing and empowering our people. Training and awareness for individuals and businesses are very important. Only with awareness can we continue to develop and instill good security practices, a fundamental step in securing Canada's cybe systems.

As well, we always need to identify and protect critical assets. Know where your key data lives; protect it; monitor the protection, and be ready to respond.

At the cyber centre, we'll continue to work with industry and to publish cybersecurity advice and guidance on our website. We regularly issue alerts and advisories on potential, imminent or actual cyber-threats, vulnerabilities or incidents affecting Canada's critical infrastructure.

Under, we hope, different circumstances, we'll continue to participate in conversations like this one, which help to keep the spotlight on these issues.

Ultimately, there is no silver bullet when it comes to cybersecurity. We cannot be complacent; there is too much at stake. While long-promised advances in technology may make the task easier, the need for skilled and trustworthy individuals will remain a constant.

Thank you, and I look forward to answering your questions.

From a policing perspective, I believe that the public expectation is that police are going to pursue the person and anyone associated with that person who is involved in either the theft or the monetization of information—whether through cyber-threat, cyber-compromise, insider threat, or so on—and hold them to account and bring them into the judicial process to ensure that there are consequences, and that steps are taken to prevent this type of incident from occurring.

It's not an area of expertise for me, as a police officer, to confirm identity. I would go back to my earlier statement about using your local resources, whether it be financial institutions or other types of service. If you're able to use a local service to confirm it, that is your best way to deal with those companies when there are questions about your identity.

That is correct. It's important to point out that the only measure of success is not necessarily prosecution. In fact, in the cyber area many of those prosecutions will occur in other jurisdictions as we work collaboratively.

One of the approaches in the RCMP, and I know in some of our other police forces as well, is that we are bringing financial institutions and cybersecurity experts into our investigations. That is different from what we traditionally have done in our criminal investigative efforts. That has already borne fruit. It has already provided significant advantages. Those “partners”, as I refer to them, are able to see information that we as police officers might not know is important and we may not independently be able to identify that this could be used to provide protection for their customers. I know of at least one incident in a major investigation we've been undertaking where several financial institutions, through that collaboration, were able to identify and reduce potential harm to accounts that through that sharing were identified as compromised.

So I think the approach we are taking is providing benefits that are not solely measured by arrest and prosecutions.

Thank you for your question.

That ties in with my opening statement. A few tools are available, but what works best is going back to the basics—in other words, taking a holistic approach to security.

First, that means a well-established internal security regime for staff. It is important to understand exactly where the information that needs protecting resides, to know the individuals the organization works with and to constantly update the security regime. An individual's personal situation can easily change after they've been interviewed, so an organization should have those kinds of conversations with staff members on a regular basis. For individuals, a clear training and education program should be in place, one that includes refreshers, and the underlying processes should be clear.

IT teams have access to data loss prevention tools that can help to detect fraud. By the time fraudulent activity is detected, however, it's often too late. It is therefore important that organizations invest as early as possible in measures that build trust and confidence and that they work with reliable people.

Thank you for your question. It's a vast question. I think you will have testimony this afternoon from experts from that specific sector of financial institutions.

I would say that from a cybersecurity perspective, the financial sector is quite mature, where we have both regulators in place and best practices that are part of the community. As cybersecurity-focused experts, we put a lot of effort into that collaboration in those best practices. We leave it to the regulators who are sector-specific to put in those minimum standards and guidelines that need to be in place, enforced and reviewed. We in fact appeal to the best and try to tease that up as much as possible for entire sectors, in this case the financial sector. The financial sector is one that's very mature. It's one where collaboration is established. It is where reputational risks are measured at their true value. Significant investments are made in that regard.

From a Canadian perspective, I would feel quite reassured that as a sector, there are both minimum standards and applications through the regulators that are in place and teams that are working at bringing the best out of enterprises so that they perform as well as possible.

I can assure you that we're quite vigorous in taking all the measures at our disposal, whether they be best practices in collaboration or measures that are enforced and in place.

The sad or unfortunate reality that we all have to compose with is that, as was pointed out earlier, when data gets lost and gets in the wild, we never get to recover it. It is not like a tangible asset that you can go and purge and bring home. It is a new reality for clients, it is a new reality for customers and it is a new reality for enterprises.

I would go back to the comment I made earlier that it just puts more fuel into the need to invest early, with early investments in having programs, in choosing our employees better, and in making sure we have a holistic approach to security to make sure we don't find ourselves trying to recover our losses.

Thank you for your question.

We have an extensive program. On our website, cyber.gc.ca, people can find information on how to protect themselves. Of course, people have to be aware when they are online. That is the most basic rule of cybersecurity. People have to know not only how to use the Internet, but also what they are sharing with others online. We are constantly running campaigns to educate people on using their devices securely and being smart about who they choose to share confidential information with.

Having the best protection and keeping it up to date is the first step, but making smart choices is another. People should visit only the sites of companies they consider to be reliable and reputable. Once they've done those two things, people need to choose what information they agree to share with the company. It's a three-step approach, and it is all available in the information and guidance we provide to people.

Yes. I always look for opportunities to promote our website, so on our website, we talk specifically about how long and complex passwords should be. We also provide some tips. I encourage people to explore our website for themselves. It is often said that people should change their passwords regularly, but the problem with that is having to memorize a bunch of ever-changing passwords. The guideline has evolved over time. Nowadays, it is recommended that people choose at least one strong password, using certain parameters, which are available online, based on password length and/or complexity, depending on the available options. If it's possible to have a password containing up to 15 characters, people should try to choose a password that uses all 15 characters. If the password can have only eight characters, that's pretty bad, but people should at least choose a more complex password.

Constantly changing one's passwords is of minimal benefit if it means people have to write them down somewhere or use the same one for many different sites. What we want people to do is be diligent about choosing their passwords: choose something that is unique and as strong as the provider's parameters allow. People can use the same password, but if a data breach occurs, they have to act fast, changing their password and taking additional security measures. It's important to do a combination of things.

Now you're asking me to be very pragmatic.

What I would advise people, other than being very pragmatic, is to base their passwords on their level of uncertainty when it comes to the various online services they are using. For instance, for online banking, people should use a number of distinct passwords that are as complex as possible. However, for their online account with their local curling club, say, people may wish to be a little less rigorous and use the same password a few times, even though that isn't what I would recommend.

I believe most, if not all, banks require a minimum level of sophistication when it comes to the passwords they accept. They already have a certain standard in place to protect themselves from clients who are less diligent than they should be in selecting a password.

It's fair to say that the Canadian Centre for Cyber Security has the resources to deal with all aspects of cybersecurity. The case we are talking about today involves an insider threat and stolen information. Strictly speaking, it's not a cybersecurity issue.

I'm not trying to evade the question, but the issue actually comes down to legislation or fraud. It's not a cybersecurity problem. That's not to say, however, that, if we see something happening, we aren't going to respond.

The first thing we do every day is talk to our partners, including the RCMP, to share what we know and update them on anything new. We make sure that whoever is responsible for the matter does something with the information we provide. The national team is the best there is and won't let anything fall by the wayside. The members of the team endeavour to fix any problems and do everything they can to keep Canadians' information safe.

Thank you for your question. You don't ask easy ones, Mr. Clarke.

I'm not an expert in social insurance numbers or their use, but I can talk about identifiers. No matter what identifiers are used, whether they involve complex or simple cryptology, information management is always an issue and the potential for data theft always exists. It's a very complex issue, and I'm going to let the experts in social insurance numbers speak to your specific question.

The bigger problem, as I see it, is how identifiers are managed. They are key pieces of information, and learning how to manage them properly in the large security systems I was talking about earlier is crucial.

The reality is that whenever personal information, passwords, etc., are released on the Internet, they are there forever. People need to be cautious and vigilant about that, and use the services that are available, like credit monitoring, etc., to ensure that triggers are put in place to notify them when someone's trying to use that information, to help prevent an actual fraud from occurring.

I'm trying to respect the timeline.

The RCMP operates the Canadian Anti-Fraud Centre in partnership with the Ontario Provincial Police and the Competition Bureau. That is one of your best places to go to report fraudulent activity, whether it be the telephone numbers that people are calling from, or an individual identity theft or fraud that occurred. They collate that information. They share that information. Police investigations are launched based on the collation of that. That would be the first place you should call, as well as your local police force.

Local police forces—whether they be the RCMP or, in Ontario and Quebec, another police force—need to hear about the crimes that are occurring. There are connections between organized crime involved in fraud and other criminal activities.

Do you mean generally or in this specific case?

As I explained earlier, the Canadian Centre for Cyber Security is responsible for providing advice. It prepares and protects information of national interest. It is responsible for incident management and response, including mitigation strategies. Every step is undertaken in coordination with the centre's partners, as per its mandate. When a fraud-related issue arises, the national team is called in. It is made up of centres that have already been appointed. We make sure all stakeholders have access to the available information so we can move forward. Work on the case continues, and if more information becomes available, it is shared with the person responsible.

Here's where the value of this business model lies. If something changes while the case is under way—for instance, if it ceases to be an investigation—the Canadian Centre for Cyber Security takes over until the victim receives or, rather, until the case is closed.

I'm going to say the same thing I did earlier. I'm not an expert in social insurance numbers, but we strongly advise people to use two factors whenever possible. It's not perfect, but it improves the security of their information.

Absolutely. I can't name them today, but a number of countries around the world have endeavoured to adopt a system that relies on a national unique identification number. Some have been successful, and others, less so. As you said, the number becomes an essential piece of information and the slightest vulnerability puts the data at risk.

Yes, absolutely, using all the measures I mentioned earlier.

We have an extensive security program in place from the get-go, starting with the selection of personnel. Of course, a culture of security prevails throughout the organization, one that encompasses personnel security, physical security and computer system security.

The processes are in place. The system is evergreen, meaning that it's constantly updated. We don't rest on our laurels, so to speak. We review the system on a regular basis. It's an extensive and complex process, but the investment is worth it.

Our approach is modern, but we don't have a monopoly on security programs. Documentation is available. Public Safety Canada put out a publication on developing appropriate security programs. It's an excellent reference that refers to the same models we use.

Regarding your question about reporting incidents, I would just point out that we recommend organizations invest before an incident occurs. The organization has to have a security program in place, one that can detect threats and so forth. We always recommend that people report incidents and share them with their community because there are usually commonalities that everyone can learn from.

As the country's cybersecurity centre, we work to gather that information across all communities and to find commonalities in order to issue advice and guidance that could lead to enhanced security nationally. Yes, incidents should definitely be reported.

With respect to the physical versus the cyber harm, I agree with you. It's a very difficult thing to understand. We struggle in policing to determine where we are going to apply our resources, because we always look at where we're going to be able to have the most significant impact in reducing harm.

If you look at fraud, fraud is a very large and significant threat in Canada and globally. It is difficult to measure $400,000 worth of fraud or $2 million worth of fraud against a physical threat or a homicide, or an assault against an individual. We struggle with that, but I can tell you that we're aware of it and are examining how we measure that risk and how we prioritize.

Yes, it's absolutely a consideration.

The specific data from those compromises...?

We are seeing fraudsters utilizing information that is compromised in operations. The RCMP had a successful investigation into Leakedsource.com, which was reselling some of the information from the large compromises that were made public. There was a guilty plea in that case.

It is not an unusual circumstance that somebody is reselling that. We are seeing that occur.

I haven't taken note specifically of the rate of crime, but it is certainly a type of crime that we are seeing.

I can speak for my organization. We have a national responsibility, and that includes working with our Quebec partners. We invest in education and training, and we also make our services available to Quebec businesses.

I don't have that information with me today.

I think every large enterprise has to measure its own key assets and the value of those assets and make a risk-based decision on how much they're going to invest to protect those assets. Starting from a position of zero trust is the reality of the complex environment we live in today. Don't assume your system is going to work on its own. It takes a holistic investment in a security program—in the right people, the right processes and the right technology. The sum of these things will....

It is a consensus that you have to invest in all of these aspects.

Thank you, Mr. Chair. I will go first, if that's all right.

My name is Annette Ryan. I am the associate assistant deputy minister of the financial sector policy branch within the Department of Finance. I am joined by Robert Sample, director general of the financial stability and capital markets division, as well as Judy Cameron, managing director of the Office of the Superintendent of Financial Institutions Canada, and her colleague. We are pleased to appear before you today.

My remarks today will address two areas that, I believe, are pertinent to the issues before you. Specifically I will clarify the roles of government departments and agencies and private sector actors within the federal financial sector framework and update the committee on efforts being undertaken by the Department of Finance, federal regulatory agencies and banks in support of cybersecurity and data protection.

Protecting the privacy and security of Canadians' personal and financial data is an objective shared by both levels of government and the private sector, and it is one that's crucial for maintaining continued trust in Canada's banking system.

I'll address the roles within the federal government and then discuss provincial government and private sector roles.

The Department of Finance along with federal financial sector oversight agencies has responsibility for the laws and regulations that govern Canada's federally regulated banking system. We collectively set expectations and oversee implementation to ensure that operational risks related to cybersecurity and privacy are properly managed by the financial institutions that we regulate.

The Minister of Finance has overarching responsibility for the stability and integrity of Canada's financial system. Cybersecurity is a primary aspect of financial cyber-stability as it ensures the sector remains resilient in the face of cyber-threats and attacks

In turn, Public Safety has recognized the financial services industry as being a critically important sector within its wider national critical infrastructure strategy.

The Department of Finance works closely with a range of partners responsible for financial regulation and cybersecurity both domestically and internationally to ensure that the sector is adopting appropriate cyber-resiliency and data protection practices and that the specific needs of the financial sector are considered within economy-wide policies and statutes that relate to cybersecurity and data security.

I'll describe the general responsibilities among financial regulators. The Office of the Superintendent of Financial Institutions is the prudential regulator of federally regulated financial institutions, including banks. OSFI develops standards and rules for managing cyber-risks as is consistent with its wider oversight of operational risks that institutions must manage.

The Bank of Canada monitors financial market infrastructures, such as payment systems, to enhance resilience to cyber-threats, and the bank coordinates sector-wide responses to systemic-level operational incidents.

Other federal agencies have responsibilities for laws of general application in respect of privacy. The Office of the Privacy Commissioner of Canada oversees the banks' compliance with Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, known as PIPEDA. PIPEDA sets out requirements that businesses must follow when collecting, using or disclosing personal data in the course of commercial activities. These include putting in place appropriate security safeguards to protect personal data against loss, theft or unauthorized disclosure.

The Department of Innovation, Science and Economic Development has overall policy responsibility for PIPEDA. In November of 2018 the Government of Canada implemented amendments to PIPEDA related to data breach reporting requirements and associated monetary penalties for failing to report.

As you've just heard, other federal departments and agencies, including Public Safety, the Canadian Centre for Cyber Security and the RCMP, share responsibilities with respect to broader Government of Canada cybersecurity initiatives.

It is important to note that supervisory responsibility for the financial sector in Canada is divided between federal and provincial governments. Provinces are responsible for the supervision of securities dealers, mutual fund and investment advisers, provincial credit unions and provincially incorporated trust, loan and insurance companies.

Accordingly, federal and provincial financial sector authorities have protocols in place for information sharing, particularly where matters of financial stability are concerned. Financial institutions, themselves, of course, are most immediately responsible for maintaining cyber and data security on a day-to-day basis, directly managing operational risks through an extensive series of protective and preventative measures, both individually and through industry-level co-operation.

These are supported by policies and standards that are continually updated to address the evolving threat landscape and remain in line with industry best practices.

Cyber-attacks are a serious and ongoing threat. I will focus on some of the steps being taken by the Government of Canada, the financial sector, regulatory agencies and the banks to ensure cybersecurity in the financial sector.

In budget 2018, the federal government invested over half a billion dollars in cybersecurity, and in October of 2018, it established the Canadian Centre for Cyber Security, which serves as a single window of technical expertise and advice to Canadians, governments and businesses. The centre defends against cyber-threat actors that target Canadian businesses, including federally or provincially regulated financial institutions, for their customer data, financial information and payment systems. Efforts to address cybercrime have been further bolstered by the newly created national cybercrime coordination unit within the RCMP, which provides a national cybercrime reporting mechanism for Canadians, including incidents related to data breaches or financial fraud.

More recently, in budget 2019, the government proposed legislation and funding to protect critical cyber systems in the Canadian financial, telecommunications, energy and transport sectors.

Our colleagues at the Treasury Board Secretariat continue their work with provincial governments, financial institutions and federal partners toward a pan-Canadian trust framework for digital identity with the goal of strengthening digital ID protection in the context of cyberthreats.

On the regulatory side, earlier this year OSFI published new expectations on technology and cybersecurity breach reporting via the technology and cybersecurity incident reporting advisory. This is intended to help OSFI identify areas where banks can take steps to proactively prevent cyber incidents, or in cases where incidents have occurred, to improve their cyber-resiliency.

While the first objective is to prevent data breaches, the reality is that these events happen and are not localized to the financial sector. Having said this, when cyber events occur at a federally regulated financial institution, control and oversight mechanisms are in place to manage them.

To summarize, cybersecurity is an area of critical importance for the Department of Finance. We are actively working with partners across government and in the private sector to ensure that Canadians are well-protected from cyber incidents and that when incidents do occur, they're managed in a way that mitigates the impact on consumers and the financial sector as a whole.

Thank you for your time. I'm happy to take questions.

Thank you very much, Mr. Chair.

My name is Elise Boisjoly, and I am the assistant deputy minister of the integrity services branch at Employment and Social Development Canada. I am joined by Anik Dupont, who is responsible for the social insurance number program.

Thank you for the opportunity to join you today. My remarks will focus on the social insurance number, or SIN, program. Specifically, I will clarify what the social insurance number is and provide information on its issuance and use; inform the committee on privacy protection related to the SIN; and provide information on our approach in the case of data breach.

What is the SIN? The SIN is a file identifier used by the Government of Canada to coordinate the administration of federal benefits and services and the revenue system. The SIN is required for every person working in insurable or pensionable employment in Canada and to file income tax returns.

It is issued prior to your first job, when you first arrive in Canada or even at birth. During the last fiscal year, over 1.6 million SINs were issued.

The SIN is used, among other things, to deliver over $120 billion in benefits and collect over $300 billion in taxes. It facilitates information sharing to enable the provision of benefits and services to Canadians throughout their life such as child care benefits, student loans, employment insurance, pensions and even death benefits. As such, the SIN is assigned to an individual for life.

The SIN is not a national identifier and cannot be used to obtain identification. In fact, it is not even used by all programs and services within the federal government; only a certain number use it. The SIN alone is never sufficient to access a government program or benefit or to obtain credit or services in the private sector. Additional information is always required.

While data breaches are becoming increasingly commonplace, the Government of Canada follows strong and established procedures to protect the personal information of individuals. My colleague mentioned the Privacy Act and the Personal Information Protection and Electronic Documents Act, which is being administered by Innovation, Science and Economic Development Canada. They provide the legal framework for the collection, retention, use, disclosure and disposition of personal information in the administration of programs by government institutions and the private sector, respectively.

As my colleague mentioned, on November 1, 2018, a new amendment to the Personal Information Protection and Electronic Documents Act came into force, which requires organizations that experience a data breach and that have reason to believe there's a real risk of significant harm to notify the Office of the Privacy Commissioner, the affected individuals and associated organizations as soon as it's feasible. Violating this provision may result in a fine of up to $100,000 per offence.

At Employment and Social Development Canada, we have internal monitoring strategies, privacy policies, directives and information tools for privacy management, as well as a departmental code of conduct and mandatory training for employees on protecting personal information. We believe that any security breach affecting social insurance numbers is very serious and, in fact, we ourselves are not immune to such a situation. For example, in 2012, the personal information of Canada student loan borrowers was potentially compromised. The breach was a catalyst for further improvements to information management practices within the department.

Preventing social insurance number fraud starts with education and awareness. This is why our website and communication materials include information that can help Canadians better understand the steps they should take to protect their social insurance numbers. Canadians can visit the department websites, call us or visit us at one of our Service Canada centres to learn how best to protect themselves. It is important to note that protecting the information of Canadians is a shared responsibility among the government, the private sector and individuals. We strongly discourage Canadians from giving out their social insurance numbers unless they are sure that doing so is legally required or necessary. Canadians should also actively monitor their financial information, including by contacting Canada's credit bureau.

A loss of a social insurance number does not necessarily mean that a fraud has occurred or will occur.

However, should Canadians notice any fraudulent activity related to their social insurance number, they must act quickly to minimize the potential impact by reporting any incidents to the police, contacting the Privacy Commissioner and the Canadian Anti-Fraud Centre, and informing Service Canada. In cases where there is evidence of the social insurance number being used for fraudulent purposes, Service Canada works closely with those affected.

Despite ever larger data breaches, the number of Canadians who have had their social insurance number replaced by Service Canada due to fraud has remained consistent at approximately 60 per year since 2014.

That being said, we understand that many Canadians have signed a petition asking Service Canada to issue new social insurance numbers for those impacted by this data breach. The main reason we do not automatically issue a new social insurance number in these circumstances is simple: getting a new social insurance number will not protect individuals from fraud. The former social insurance number continues to exist and is linked to the individual. If a fraudster uses someone else's former social insurance number and their identity is not fully verified, credit lenders may still ask the victim of fraud to pay the debts.

In addition, it would be the individual's responsibility to provide their new social insurance number to each of their financial institutions, creditors, pension providers, employers—current and past—and any other organizations. Failing to properly do so could put individuals at risk of not receiving benefits or leave the door open to subsequent fraud or identity theft.

It would also mean doubling the monitoring. Individuals would still need to monitor their accounts and credit reports for both social insurance numbers on a regular and ongoing basis. Having multiple social insurance numbers increases the risk of potential fraud.

Active monitoring through credit bureaus as well as regular reviewing of banking and credit card statements remain the best protection against fraud.

In closing, protecting the integrity of the social insurance number is critical to us, and I can assure you that we will continue to take all necessary action to do so, including reading this committee's report and considering advice from this committee and others on how to best improve.

Thank you for your time. I'd be happy to answer your questions.

Thank you, Mr. Chair.

Good afternoon to all committee members.

My name is Maxime Guénette. I'm assistant commissioner of the public affairs branch and chief privacy officer at the Canada Revenue Agency. With me today is my colleague Gillian Pranke, deputy assistant commissioner of the assessment, benefit and service branch at the CRA.

The CRA is an organization that touches the lives of virtually all Canadians. We're one of the largest holders of personal information at the Government of Canada. We process more than 28 million individual income tax returns annually. It's therefore critical that the CRA has an extensive privacy framework in place to manage and protect personal information for all Canadians.

Integrity in the workplace is the cornerstone of agency culture. The agency supports its people in doing the right thing by providing clear guidelines and tools to ensure privacy, security and the protection of personal information, our programs and our data.

The agency is subject to the Privacy Act and associated Treasury Board policies and directives for the management and protection of Canadians' personal information. Section 241 of the Income Tax Act also imposes confidentiality requirements on its employees and others with access to taxpayer information.

The agency also adheres to the policy on government security and direction provided by lead security agencies like the Communications Security Establishment and the Canadian Centre for Cyber Security.

In April 2013, the agency appointed its first chief privacy officer, who is also responsible for the access to information and privacy functions within the agency.

Part of my role as the chief privacy officer is to ensure that the CRA's respect for the privacy of the information it holds is reinforced and strengthened by overseeing decisions related to privacy, including assessing the privacy impacts of our programs; championing privacy rights within the agency, including managing internal privacy breaches when they occur; and reporting to CRA senior management on the state of privacy management at the agency.

Our responsibility for sound privacy management goes beyond appointing a chief privacy officer, though. It's a responsibility that all employees share.

Protecting the CRA's integrity includes ensuring that we have the proper systems in place to safeguard sensitive information from external threats. Agency networks and workstations are equipped with malware and virus detection and removal software, which are updated daily and protect the CRA environment from the increasing threat of malicious code and viruses.

At the agency employee level, computers are secured with a suite of security products ranging from anti-virus software to host intrusion software.

External services are conducted on secure platforms and protected by firewalls and intrusion prevention tools to detect and prevent unauthorized access to agency systems.

During online transactions we ensure that all sensitive information is encrypted when it is transmitted between a taxpayer's computer and our Web servers. Regardless of how Canadians choose to interact with the agency, they must complete a two-step authentication process before gaining access to their account.

These steps are crucial to making sure that access to personal information is only available to authorized individuals. The process includes validation of a number of personal and confidential data points, including a person's social insurance number, their month and year of birth, and information from the previous year's income tax return.

The CRA will shortly also be implementing a new personal identification number for taxpayers who choose to use it when calling the individual inquiries line. In addition, the CRA is currently examining additional security procedures to safeguard the information of taxpayers. As cybercrime and phishing scams become more sophisticated and commonplace, the CRA is being proactive in warning the public about fraudulent communications claiming to be from the CRA.

One very simple way in which taxpayers can safeguard against fraudulent activity is to sign up for My Account, or for businesses to sign up for My Business Account, so that they can use the CRA's secure portals to access and manage their tax affairs easily and securely. When an individual is signed up for My Account, they can also sign up for online mail in order to receive account alerts informing them of possible scams or other fraudulent activity that may affect them.

CRA is proud of its reputation as a leading-edge organization committed to excellence in administering Canada's tax system. However, inappropriate fraudulent activity can occur in the workplace. CRA has incorporated a broad array of checks and balances to ensure that those who access taxpayer information are strictly limited to employees required to do so as part of their job and to detect misconduct when it does occur.

Monitoring of employees' access to taxpayer information is centralized, ensuring an independent process that enables the agency to detect and, if necessary, address any suspect transactions in our systems. This provides assurance that authorized users are accessing only the applications and data they are allowed to access based on strict business rules.

In 2017 the CRA implemented a new enterprise fraud management solution, which complements existing security controls and further reduces the risk of unauthorized access and privacy breaches. This solution enables proactive monitoring and detection of unauthorized access by CRA employees. Any allegations or suspicions of employee misconduct are taken very seriously and are thoroughly investigated. When wrongdoing or misconduct is founded, appropriate measures are taken, up to and including termination of employment. If criminal activity is suspected, the matter is referred to the proper authorities.

Upon hire, agency employees are required to read and acknowledge the agency's code of integrity and professional conduct and the values and ethics code for the public sector.

The code clearly outlines the expected standard of conduct, including the obligation to protect taxpayer information in accordance with section 241 of the Income Tax Act. Unauthorized access to taxpayer information is considered to be serious misconduct, as reflected in the agency's directive on discipline.

The code ensures that current and former employees are aware that the obligation to protect taxpayer information continues even after they leave the CRA. All employees are asked to review and affirm their obligations under the CRA's code of integrity every year.

In the event a privacy breach does occur, it is assessed in accordance with TBS policy and procedures to document and evaluate all potential risks to the affected individual. In such a case, the CRA offers support to the affected individual through a dedicated agency representative so that the client has the opportunity to ask questions and find information as well as, on a case-by-case basis, get access to free credit protection services.

On the rare occasion when a taxpayer's information is confirmed to have been compromised, the CRA will act to resolve all outstanding issues. This includes reviewing all fraudulent activity that may have occurred in the account, including fraudulent refund payments.

We at the agency are deeply committed to safeguarding the trust Canadians place in our organization, and to meeting their expectations that we have the right checks and balances in place to secure the information entrusted to us. We have worked hard to earn the public's trust, because it is the foundation of our self-assessment tax system.

A good reputation takes years to establish. We safeguard it by remaining vigilant in our efforts to protect taxpayers from security breaches and to protect Canada's tax administration system from misconduct and criminal wrongdoing.

Thank you, Mr. Chairman. I'd be pleased to answer any questions you may have.

I briefly mentioned that in my presentation and I thank you for giving me the opportunity to talk about it at greater length.

First, an information leak does not necessarily mean that fraud or identity theft has occurred. Second, we do not automatically change social insurance numbers after a leak like this because it doesn't really solve the problem or automatically remove all risk of fraud.

Let me explain that first point a little more. If you do not change the social insurance number linked to a certain credit number and if a credit agency uses the old credit number, the person involved will not necessarily be able to get credit. In addition, if a lender does not properly check the identity of that person, and a fraudster borrows money using his name, the lender could ask him to pay the debt. So there can be other cases of fraud if lenders do not correctly check people's identity.

The second reason is that it can create serious problems of access to benefits and services. As I said in my presentation, victims of data breaches must warn everyone, financial institutions, credit agencies, past and future employers, and the managers of pension schemes to which they belonged with their old social insurance numbers, and make the necessary changes. Often, people no longer remember those to whom they have given their social insurance number, especially at the beginning of their careers. That can prevent people from receiving a pension, for example, because it is no longer possible to establish a link between an individual and the benefits to which they are entitled.

At federal level, we would certainly advise the Canadian Revenue Agency and all organizations involved. But changes could be made manually and there may be errors. This could complicate the calculation of pensions or employment insurance benefits. If someone forgets an employer and makes errors, the calculation of employment insurance benefits or the old age pension could be wrong.

When fraud has been proven, we look at the type of fraud and discuss the matter with the person involved. Often people decide not to change their social insurance numbers. They register, or have someone register them, at a credit checking agency. By so doing, they will be better protected than they would be if they changed their social insurance number. Often, having been informed, people decide not to change their social insurance number. In a very small number of cases, 60 per year since 2014, people insist on making a change when fraud has been confirmed. At that point, we allow a new social insurance number to be issued, but we will also explain that it will not necessarily solve the problem.

Absolutely. Let me make two points about that.

First, since this leak was made public, we have received between 1,400 and 1,500 requests directly from members of the public. They have called us to find out how to better protect their personal data and we have given them a lot of information about doing so. They will often take the steps that we advise them to take, such as looking at the credit agency reports and checking their bank transactions.

Second, if they notice a suspicious activity, they must follow the very clear procedures to give us that information. If suspicious transactions are detected, we ask them to contact Service Canada, which will be able to take the steps needed to help them.

Our website, our call centres and the Service Canada centres tell Canadians who they may give their social insurance numbers to. When we issue social insurance numbers, we actually tell people who they should and should not give it to. A certain number of organizations are authorized to ask for social insurance numbers, for example when a bank or creditor pays interest, which the Canada Revenue Agency needs to know.

If someone not on that list asks for a social insurance number, people can refuse and ask to provide another form of information. For example, a long time ago, landlords often asked tenants for social insurance numbers in order to check their credit. They can simply provide a credit report rather than give out their social insurance number. The person asking the question must—

Thank you very much.

These glasses just—

Thank you.

To answer your first question on new measures, every situation like this gives us the opportunity to review our security and privacy protection measures. All of our colleagues and myself certainly focus on that when there are incidents of this kind. The colleagues who have gone before us spoke a lot about the evolution of cybersecurity. They said that we always have to be ready. We are certainly always focused on that.

My colleague mentioned the Treasury Board, whose mandate includes identity management. They are focusing on ways in which we can better solve the problems associated with digital identity, specifically by conducting pilot projects with the provinces. We participate in those forums, and we are thinking of ways to move the discussion on digital identity forward.

Second, in terms of the number of identity thefts, we have been advised of many in the last 14 or 15 years. Probably millions of people have already been affected and, despite that, the number asking for a new social insurance number remains rather low. So I cannot answer your question, because I am not aware of the future, but I can say that there have been a lot of thefts and that the number seems constant, around 60 per year.

Thank you for the question, Mr. Paul-Hus.

As Ms. Boisjoly said, there is never a bad time to remind people about the things they can do. At tax time, we conducted advertising campaigns and communication initiatives online and on social media to remind people about the services at their disposal. However, more can always be done. We are always looking for opportunities to communicate more in this respect. So—

Currently, because the investigation is still in progress, there is a lot of information…

I can assure you that very proactive discussions are going on between the various departments involved.

As far as the revenue agency is concerned, as I said in my remarks, the social insurance number, the address and the date of birth are some of the pieces of information people need in order to identify themselves to the agency. We also need information on tax returns from previous years, which was not in the information stolen from Desjardins, according to the discussions we have had. However, once again, the investigation is still in progress. So these questions—

Yes.

Certainly.

Thank you for your question.

You have certainly identified some suspicious activities, as you say. We ask people to protect themselves as best they can by working with a credit bureau so that transactions are monitored as closely as possible. They should look at their bank and credit card transactions. If they see actions in their name that they did not make, we asked them to contact the bureau—

Yes, and that is the most important point. We are talking about a number of identifiers. Each one of the organizations is responsible for checking people’s identity.

My colleague said that there must also be a line from the tax return. With employment insurance, there is an access code and you are asked to provide the two figures in that access code. When we are checking identities, we must make sure that we ask questions about identities that are secret and shared only with the people we know. That allows us to better verify people’s identity and to provide them with the service. For example, you would not be able to call Service Canada and obtain employment insurance benefits with the information that has been made public at the moment.

When you started, you said that the first reason we do not automatically give out social insurance numbers is that it can make life difficult for people. The first reason is actually that it would not really prevent fraud. This is a very important point. People have to continue to check their previous social insurance number because there are still—

A social insurance number is not like a credit card, which is a bank's only way of identifying that person. It is an identifier used by employers for as long as people are in the workforce. It is also used for various programs and services.

At the moment, no computer system links all those systems so that social insurance numbers can be updated by employers and by the various groups and programs. That task would be done manually. That is why we do not know all the employers. In the federal government, it would be done manually. As I said, we have only done it a few times. There is a risk of errors. I am just mentioning this to the committee.

To the extent that Desjardins is largely provincially regulated, their first point of contact with a government regulator would be with the Autorité des marchés financiers in Quebec. When I spoke of the system of banking rules and regulations in place federally, that applies to the institutions that have elected to be federally regulated.

To the extent that Desjardins is largely provincially regulated, many of the operational requirements put in place in advance of this incident would have been worked through with the Autorité des marchés financiers.

My colleague from OSFI can speak to how that is put in place at the federal level. In this incident the institution stepped forward and took a number of responsible measures very quickly to be transparent about the leak. That is consistent with both provincial law and federal law in terms of privacy, and the federal and provincial privacy commissioners have struck a joint investigation to look into this incident, but many of the provisions for not just the conduct of the financial regulation of Desjardins but also the consumer protections are provincial in this case. We can speak to the federal system, but I would direct many of the questions you may have to those responsible at the provincial level.

It's largely provincial, and in this case it is provincial.

Equifax would not be in touch with us or the department, and they are largely regulated for consumer issues at the provincial level for this.

Thank you for your question.

Of course, we have security rules at several levels. First, we screen the staff that we hire. People with more specific access have “Secret” security clearance instead of a lower level of clearance. A whole host of physical security measures are in place. People working in call centres, who have access to screens showing taxpayer information, may not have their personal phones with them. We have measures in that regard.

As for access to taxpayers' data, those data are on separate servers that are not connected to the Internet. There is a mechanism by which the employees' access to the data is reviewed annually, or each time they change jobs. Managers verify the access those employees have on a regular basis.

As for the workload, in my introductory remarks, I talked about the administrative rules. When we give employees their workload, our business fraud management system checks by using algorithms in real time. The system applies several dozen rules. For example, if employees check their own tax accounts, an alert is automatically issued and the system sees it immediately. If employees work on tasks that they have not been assigned, the system will immediately send an alert to the manager, who would then be able to ask an employee what he or she was doing in the system. Screen shots are captured per minute, which allows us to see which pages employees are consulting or which changes they have made. The system was implemented in 2017 and it is very advanced. It allows us to have controls in place.

In terms of preventing data breaches, employees are unable to copy information onto CDs, DVDs or USB keys. The system does not allow it.

I'll take that question.

I represent the Office of the Superintendent of Financial Institutions. Our mandate is to supervise financial institutions and set rules for them so as to protect the interests of depositors and creditors. Broadly speaking we're looking at safety and soundness, but we also make sure they comply with all federal rules. For example, we expect them to have systems in place to comply with privacy laws.

We set expectations around what institutions should be doing, such as complying with privacy laws. We also expect them to do cyber self-assessments to assess their own internal protections against cyber events. Then we supervise them to make sure they are complying with the expectations we have set out to make sure that they have good compliance management systems in place.

It's oversight of their systems to prevent this, really.

I think that the number of federal partners you have had as witnesses today speaks to that.

The investments in the cyber centre were part of the first line of defence in strengthening the ability to prevent cyber incidents, and they are focused, as André Boucher spoke to, on the appropriate response to a cyber event. In this case there was a specific type of cyber event, a breach by an employee, so many of those defences that have been built by the cyber centre were not triggered in this case, but the resources of the cyber centre are complemented by new resources for the RCMP. You heard the RCMP speak about the national cybercrime centre and their efforts at the Canadian Anti-Fraud Centre.

We also realize that a cyber event or a data event does play out on the privacy side. Therefore, measures such as the new requirements for businesses to notify customers that there has been a breach are a key part of a citizen's ability to be vigilant about their own finances and to know that important information about them has been put into play. A monitoring service like Equifax is important because it helps put that person into the mix to know when something that's being done in their name is not right.

We're supposed to leave around 4:30, but maybe we can add—

Probably an hour would be okay.

Thank you very much.

Good afternoon, Mr. Chair and members of the Standing Committee on Public Safety and National Security. I'm joined this afternoon by Denis Berthiaume, Senior Executive Vice-President and Chief Operating Officer, and Bernard Brun, Vice-President, Government Relations, Desjardins Group.

First, I want to say that, at Desjardins, we were ambivalent about this exceptional committee meeting.

On the one hand, this meeting may seem premature, since we're in the process of managing this situation and the police investigations are ongoing. It's far too early to assess the situation. As such, we intend to tell you everything that we know, but in a way that won't interfere with the ongoing investigations.

On the other hand, we see this special meeting as an opportunity to inform legislators and the public about the security of personal information and the need to rethink the concept of digital identity in Canada. In my reflection process, this point prevailed.

First, I'll state the obvious. What happened at Desjardins has happened elsewhere and could happen again in any private company or public organization whose mission involves personal information management. We can think of several banks around the world, such as the American bank Chase, Sun Trust, the Korea Credit Bureau, or a number of government entities in Canada and the United States, to name a few, that have been the victims of malicious employees.

Desjardins is a leading financial institution and one of the largest cooperative financial groups in the world, with more than $300 billion in assets. In 2015, Bloomberg ranked the Desjardins Group as the strongest financial institution in North America, ahead of all Canadian banks. In other words, even the best aren't immune, and we believe that this message must be heard.

Personally, I've been working at the Desjardins Group for 27 years. I chose this organization at the start of my career because the financial institution has managed, after nearly 120 years, to successfully combine the economic and social aspects of our society.

The malicious actions of one employee led to this deplorable situation. That employee has now been dismissed. He violated all the rules of our cooperative. In this situation, we acted as quickly as possible and as transparently as possible, with the sole objective of protecting the interests of our members. That was our priority.

On June 20, a few days after learning of the extent of the situation, we went public and shared all the information available, in conjunction with the police forces. At that time, we also announced the measures implemented to address the privacy breach.

We've taken all the necessary measures to address the situation. We quickly implemented additional monitoring and protection measures to protect the personal and financial information of our members and clients. We informed all the relevant authorities, including the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Autorité des marchés financiers, the Office of the Superintendent of Financial Institutions, and the Quebec and federal departments of finance.

We've implemented additional measures to confirm the identity of individuals when they contact us. We're constantly monitoring all our members' accounts. The procedures for confirming the identity of our members and clients when they call the Desjardins caisses, Desjardins Business centres and our AccèsD call centre have also been the focus of additional measures.

We contacted the affected members through the AccèsD private messaging system and by personalized letter, to inform them of the situation and of the steps that they needed to take.

We've also added extra measures to help with the activation of the Equifax monitoring package. The affected members can now register in four ways. They can register on the Equifax website, through the AccèsD telephone service, through the AccèsD web and mobile application, and directly in our Desjardins caisses by speaking with their advisor.

We're actively working with the different police forces. Lastly, we're working with external experts to continue to protect our members' personal information.

I can confirm that we acted diligently. After we received information from the Laval police service, we conducted an internal investigation and quickly traced the source of the breach to a single employee. The employee was suspended and then dismissed.

At this time, our main priority is to reassure, assist, support and protect each and every member affected by the situation.

Again this morning, we announced new protection measures for all our members. In this digital age, we at Desjardins believe that all our members must be protected.

As I was saying, Desjardins announced this morning that, from now on, all members of our cooperative will be protected from unauthorized financial transactions and identity theft. Membership is automatic and free of charge, regardless of whether they've been affected by the data breach. Since this morning, Desjardins has been protecting all its individual and corporate members. This sets a precedent in the financial services world in Canada. We're the first institution to take this step. In this situation, Desjardins is acting with rigour, a sense of duty and the willingness to honour its special relationship with its members.

We've entered an age where data is a resource on par with water, wood and the raw material needed to run entire sectors of our economy. Data is now the raw material for a whole innovative economy that will lead to tremendous productivity gains and make life easier for Canadians.

Canada is a few months away from the implementation of 5G mobile connectivity, which will increase the flow of data tenfold. According to experts, this ultra-fast connectivity will lead to futuristic applications related to artificial intelligence. Canada is already among the world leaders in this area with its three hubs, Montreal, Toronto and Edmonton. In addition, as we speak, the Department of Finance Canada is in the process of conducting a consultation on open banking, which would help open up the transactional sector. Several European countries have already made the shift.

I'll humbly ask you, the legislators, the following questions.

Is Canada currently well equipped to manage these promising technological developments, which also involve new risks? Should our identification systems be adapted to the digital age to ensure the protection of privacy and to better deal with cybercriminals? This issue is the whole notion of digital identity, which I referred to a few minutes ago.

I want to respectfully point out that these are real issues raised by the situation at Desjardins.

In closing, I want to make a proposal. I'd like to invite the committee to recommend to the Government of Canada the creation of an ad hoc multi-stakeholder working group to advise the government on how to regulate the management of personal data and digital identities. We believe that a group that listens to Canadians' concerns should at least include representatives of governments, the financial services and insurance sector, and the telecommunications sector, along with jurists and experts, or any other group that the government deems it appropriate to involve in the reflection process.

The mandate of this committee should consist of advising the government on legislation and regulations; ensuring the protection of the public; encouraging innovative technological development for the benefit of Canadians and communities; and ensuring the strategic monitoring of best practices around the world, so that Canada is always up to date.

I personally believe that Canada can't pursue excellence in digital technology and artificial intelligence without having the same ambition for data and personal information management. We must all learn from the current situation at the Desjardins Group.

Thank you.

To answer the first part of your question, we made the decision this morning to set up a protection program for all our individual and corporate members. The corporate component sometimes isn't covered by other institutions or even by Equifax. We've decided to offer this service free of charge to our members as long as they stay at Desjardins. We won't charge them anything. I want to quickly reiterate that the program covers all unauthorized financial transactions involving a person's account, deposits and money. If a transaction hasn't been authorized, we'll reimburse the person. That's one thing.

Second, if a person is unfortunately a victim of identity theft, we'll provide assistance, not a list of the steps to take. We'll call on our experts to provide assistance, and the experts may even participate in conference calls to help the person recover their identity.

Third, we'll provide coverage of up to $50,000 to reimburse members for expenses that they may have incurred, such as lost wages, child care costs or the cost of obtaining documents.

This concept of free service is extremely important to us. If you're a member of the cooperative, you have access to the program.

We humbly propose that a committee be established to, among other things, address the issue of whether privacy should be managed by third party companies. I think that the status quo isn't an option.

That's a relevant question. In Canada, Equifax is the firm with a market share of over 70% in data and information protection and management.

When the incident occurred, we decided to turn to the Canadian company that offered this service to Canadians. We worked with the company. However, in the days that followed, we noticed some issues. We quickly took our own steps to resolve the issues concerning member registration on the Equifax website. We went through this. We saw the need to improve the procedures and methods, and we took charge of the matter.

Now, should one, two or three private companies in Canada manage all this? We must think about it.

Basically, the thought process behind the new measure announced this morning is that we're in the digital age. There will be fewer and fewer paper transactions in the coming years. This data becomes raw material for our economy. Given the importance of the data, at Desjardins, we've taken on the responsibility of offering protection to all our members.

I said that there were three pillars. The first pillar is the financial aspect that you're referring to. If Desjardins members see an unauthorized transaction in their transactions accounts, Desjardins will fully reimburse them. This answers the first part of your question on the financial transactions aspect.

In terms of other types of identity theft involving credit card transactions made elsewhere, such as cellphone purchases or car rentals, people can contact Desjardins and they'll be taken care of. Second, if they need help with recovering their identity, not from a financial perspective, but in relation to other aspects of their private lives, Desjardins will support them. If we need to call government agencies or private firms, or help them prepare notarized documents or a presentation, we'll do so. We're no longer talking about the financial aspect. We'll help the people with the other steps that they may need to take.

There are two or three parts to my response. When this incident occurred, we contacted several federal and provincial government agencies. We spoke with the different departments of finance. I want to tell you that the departments were very helpful and supportive. Bernard Brun can confirm that very clear and open discussions were held.

I've noticed that both the federal and provincial government authorities want to reassure the public. You have no idea how important this is to us. Sometimes, we see what's being written and said. I understand that people have concerns and questions. As MPs, you must hear about many of them from the people in your constituencies.

I can see that the federal and provincial government officials want to reassure people and give them the proper information. This is very helpful to Desjardins. People must be told to contact us so that we can introduce them to the programs that we announced this morning. Whenever we meet with people in our caisses or client contact centres, we're in direct contact with them and we reassure them.

We don't want to trivialize the situation. However, according to several studies and several experts who are currently assisting us, there's a clear difference between a data breach and what happens in a real data theft. This isn't a “one-to-one” case. The proportions are very small.

By adding the protection that we announced this morning, we're telling all our members, including businesses, not to worry. If any issues arise, they should call Desjardins. We'll assist them.

Exactly. There's new internal protection. As I said, it's the first pillar. If people see an unauthorized transaction posted to their account, they must notify Desjardins. We'll then review the transaction with them and give them a full reimbursement. I must point out that there's no limit, whether the amount is $10,000 or $100,000.

Second, if they're victims of identity theft, they must contact us. We'll assist them and hold conference calls. We even offer a period of psychological support, through our life insurance companies, to people who are going through this highly emotional situation.

Third, it's the new $50,000 protection for people who must incur personal expenses to recover their identity. Desjardins will cover these expenses. This is extremely important.

I want to reiterate that people who are victims of the data breach must continue to actively register for Equifax services, since this gives them access to the alert service. The alert service could notify them of an unauthorized transaction in the following weeks or months, and this service isn't included in the Desjardins package. The Desjardins Group strongly recommends that members who are victims of the breach register for Equifax services.

Thank you.

I'll let Mr. Berthiaume answer that. He'll undoubtedly be very happy to do so.

We provide the same type of service with TransUnion. On the web and on mobile devices, you can access your credit rating in real time. With regard to the alert system, I think that we've explained it well. We work with Equifax, but we're also considering the possibility of providing an alert system with TransUnion.

The current situation at Desjardins was not our only reason for making this morning's proposal, but we certainly sped up the process. At the beginning of each year, we do some planning. Based on security, our new products and our new offers, we consider what we should offer our members according to their needs.

Look, right now, the important thing is to reassure the members and to offer protection to everyone. We won't start determining whether data sent abroad comes from the data breach at Desjardins or from an information leak in another organization. We want to cover and reassure our members.

To answer your question, if fraud occurs in a Desjardins account, we'll cover the member concerned. As is the case with other financial institutions, in the event of attempted fraud, whether the account is a current transactions account, a credit card account or another type of account, we don't hold the members liable.

Yes. First, we wanted to proceed quickly with Equifax, and I think that was the intent of the process. The people at Equifax have been very helpful. They've even adjusted their service offer to accommodate us in several ways. We've worked very well together.

Now, over time, we've learned about the limits of the French-language capacity at Equifax. As a result, we've introduced a number of additional measures. The president mentioned the four initiatives that have been implemented.

First, people can go online or use their cellphones to register directly for Equifax services. We'll take care of referring them to the services, establishing the link with Equifax and providing the authentication.

Second, people can obtain a French-language service by contacting our AccèsD call centres. Wait times are very reasonable. We act as a bridge, in a way, between our members and Equifax to improve the experience. We've been implementing this approach over the past few days and weeks. We believe that this approach has been successful.

Thank you for your question.

It's extremely relevant because we operate in a bijurisdictional system. That said, overall, Desjardins is perfectly comfortable in the current framework. Obviously, with technological exchanges, the interconnectedness within the financial system is becoming more and more apparent. In this regard, we mustn't act in isolation.

Mr. Cormier pointed out earlier that we worked well together. We were able to speak with all the federal and provincial government stakeholders. We strongly encourage them to work together. We can see the collaborative efforts, but we urge the governments themselves to hold discussions.

With regard to the fact that an entity such as the Desjardins Group operates on both sides, I don't see this as an issue. However, we clearly need support in this area. We can feel it and we're focusing on it. This relates to our suggestion regarding the creation of a multi-stakeholder committee with people from different governments. This will enable us to move forward and adopt effective policies that will affect everyone.

My colleague can talk about our practices, and then I will complement his comments based on my perspective.

The first thing is that rigorous security investigations are constantly being conducted at Desjardins. Investigations are indeed related to the job level. That is an important element.

Regarding the situation before us, we could wonder whether anything could have been detected. I would like to point out that internal fraud by a malicious employee is the most difficult risk to protect against. That is recognized across industry, and there are many examples of it.

In addition to security investigations, security mechanisms were in place. Obviously, we are talking about a malicious employee who found a way to circumvent all the rules and used a scheme to extract data. That said, I want to reassure you that security mechanisms are in place.

With time, will we be able to go further in terms of the situation we are going through? As I was saying, in the digital age, people handle personal data not only in financial institutions, but also in all kinds of businesses. Today, when someone wants to enrol their child in daycare, they must provide their social insurance number, and that number can remain on the table for five, 10 or 15 minutes, during the enrolment process. That is the reality in Canada.

I think that any business where employees handle personal information must ensure they have been screened.

There is Mr. Bélanger.

Mr. Berthiaume, can you talk about operations?

Yes.

Regarding operations, I first want to say that no one, when they turn on their computer in the morning, has access to all the data. That is not how things work. At Desjardins, jobs are categorized according to the data required to do the work. That's the first thing.

Moreover, our organization has implemented a number of internal security and control mechanisms, but we do not want to discuss those publicly, as even our employees are unaware of those mechanisms. So I cannot describe them in any great detail.

Concerning this particular situation, a police investigation is under way, and that makes the issue highly sensitive. Quite frankly, we don't want to hinder the ongoing police investigation in any way.

As I just said, we cannot provide details on our security mechanisms, as they are important for helping us prevent this from happening again. The situation involves a single employee, but I can tell you that our security mechanisms detect external or other elements of fraud. I want to reiterate that it is extremely difficult to completely protect against a malicious employee.

Concerning the security measures, we are constantly evolving. In any given year, Desjardins invests $70 million in security, and data and personal information protection. We are constantly improving in order to adapt to new technologies that create new fraud possibilities. People try to create new schemes, and we are constantly evolving to be able to identify them.

In the early days, Equifax enrolment was a challenge for us.

So we made the decision to provide a service to people without Internet access. As of today, people who want to could still obtain the alert service. That service will be taken over by Desjardins, which will be able to communicate with them afterwards. We have innovated when it comes to Equifax to find a solution for those people.

Mr. Berthiaume, you can answer the question on the five-year period, and then we will come back to the answer from this morning. That is a question we have already been asked.

First, we wanted to respond quickly by providing five years of protection. As we were unhappy with that protection period, we decided to extend it. The president announced this morning that Desjardins was committing to provide protection for life. We did not settle for a five-year protection period. We have a partnership with Equifax to provide that protection, which is important in two ways.

We are noting a strong increase in the number of Equifax enrolments, but we are not satisfied with that number. Judging from the current trend, we fear that, at the end of the day, only 20% or 25% of our members will sign up for Equifax. That still leaves people without coverage who choose not to use the alert system for their own reasons. However, we do not want to leave 75% or 80% of our members without any protection. We want to provide them with an assistance service in case something happens. That is what led to this morning's announcement. We want to go beyond the Equifax protection and provide our members with umbrella-type coverage.

Yes, that is the new solution we just launched. We will get organized to ensure that people can sign up for Equifax. Then, instead of Equifax contacting the individual by email, Desjardins will liaise between Equifax and the person. We will receive alerts and make sure they are real, and then we will contact the affected members, like your grandmother, in a way that suits them. That is what we are implementing.

I would like to briefly point out what the key message is. The Desjardins Group quickly decided to be transparent and to provide the information on June 20. When we looked at the data of 2.7 million people, we realized that some people did not have Internet access. There were also estate accounts. Situations arose, and we saw that we had to innovate and find solutions to them. So far, for all those cases, we are collaborating well with the Equifax people. They are helping us find a different solution, including for people like your grandmother.

The affected members are primarily in Quebec. There are some affected members in Ontario and very few in other provinces. We are talking about people who no doubt moved to other provinces and are members of Desjardins. That is an important aspect. They are affected Desjardins members.

Clients of State Farm or Patrimoine Aviso, which are our partners, are unaffected. We are talking about only caisse members who may have moved to other provinces or members of our caisses in Ontario.

They are not impacted at all, no.

That's correct.

Those were not impacted at all outside of the scope of what we talked about—

I'm not sure I—

Let me be very, very specific here. It's strictly the members of our caisse network who are impacted. Let's say you were a member a year ago and you closed your account for whatever reason. If you do not receive a letter, you will not be impacted. There is no impact. You haven't been impacted—

If you did not receive a letter.... The key is whether you have personally received a letter. If you received a letter, it means you're a member that may be affected and we encourage you to subscribe to Equifax.

The answer is no, because you could be a former member of Desjardins and you closed your account a year ago—

—but you may be affected if you receive a letter.

Yes.

We're talking about the Ontario caisses....

The answer is yes. For the caisses in Ontario, merged or not merged, it's possible that there are some members of these caisses who have been impacted by the breach.

The answer is no.

The data that has been leaked outside includes some phone numbers and some emails. The answer to your question is yes, there may be phishing, but again, that's if they are members of a caisse, not if they're clients. If they're clients of Aviso Wealth or of former insurance operations or of life and health insurance, or they're property and casualty clients, they are not impacted.

It's only caisse members.

According to the information we have, only those who receive a letter are affected.

If they have not received a letter, they are not affected.

On June 14, we received information from the Laval police force. That information enabled our computer investigative teams to provide us with the figures of 2.7 million individuals and 173,000 businesses. We sent letters to those people.

Despite everything, we are hearing people's concerns. That is why, this morning, we decided to speed up the launch of this protection program for all members, be they affected or not.

There are two things to consider. First, it is urgent to connect Canadians across the country to the Internet if we want to enter the 21^st century. On our end, as some of our members are not connected to the Internet—sometimes by choice, sometimes because they have no access to it—we have proposed an additional solution in partnership with Equifax. Mr. Berthiaume can explain that.

People who don't go online and don't necessarily have an email address must still be reached. Therefore, we have set up a call centre so they can reach us by telephone. We will undertake to sign them up for the Equifax services.

We have implemented an innovative solution with Equifax, which will enrol them, take care of monitoring and alerts, and then send us the results. At that point, we will contact those without Internet or email access. That is what we implemented today.

Yes. Currently, Equifax has the ability to handle alerts. As we were saying earlier, Equifax holds 70% of the Canadian market when it comes to credit bureaus and detection and alert systems. So those are the services we use for this aspect.

Once again, we liaise for people who have more difficulty accessing the Internet or don't have an email address. We reassure people and, in case of alert, we contact them.

Far be it from me to give you the perfect example that should be followed, because there will always be gaps in the perfect solutions that we think we have found. There will always be dishonest people who will try to get around these solutions. However, countries such as Estonia, India and even some European countries have put in place measures regarding unique identifiers or, at the very least, measures to ensure that government-issued cards, whether drivers' licences or health insurance cards, do not become ways of identifying people. The objective of these countries was to restore the primary role of these cards, which have become identification documents over time. Canada should draw inspiration from these countries.

On this subject, we have nothing conclusive. We relied on the data provided to us by the police services. We don't have conclusive data on why someone was on the list or not. We don't have that information.

The department is in contact with us and collaborates with us. We have been talking directly with its representatives for more than two weeks now, whether it is about social insurance numbers or the situation Desjardins is in.

I do not believe that the information was requested, at least not on an operational level. I don't have that information. I don't know if Mr. Brun or Mr. Berthiaume know more, but I don't think so.

We will have to see if this is possible. From a legal point of view, I am not sure.

When you talk about the current cabinet, you are talking about the cabinet....

Yes, that's right. I had a discussion with Minister Morneau on the situation. He offered me his support to see how the federal government could support Desjardins in this situation.

The first question was whether Canada is well equipped to manage technological development, which is full of promise, but also involves new risks.

Do we need to adapt our identification systems?

My two answers are simple: I think the status quo is not an option. The status quo in Canada today is not sufficient in the digital age, in the upcoming 5G era, and in the era of reflection about the world of financial services, including open financial services. On these two issues, I think we should not be satisfied with the status quo.

That is why we humbly propose the creation of a committee composed of several stakeholders, including citizens, governments, businesses—not just financial institutions, but companies that process data—to reflect on these issues and see if, using examples from other countries around the world, we can continue to be leaders.

As I mentioned in the beginning, I think that in artificial intelligence, Canada is taking an important leadership position in the world. At the same time, we must have the same ambition with regard to personal information and data protection. My answer revolves around these points.

As a citizen, I would say that elected officials are elected to provide a framework and adopt laws. In the current digital age, regulatory parameters must be put in place to protect citizens in this regard. That's my message, as a citizen.

This is also why, despite the fact that we found this meeting premature, we still made the decision to be present. We feel that this situation is sounding the alarm and that there is an awareness and a real willingness on the part of elected officials to address this issue. We wanted to provide our point of view on this subject.

That's what I was saying. Often, seniors do not necessarily have an Internet connection or an email address. We take care of them. These people can call us. We will take charge of the situation from that moment on and act as intermediaries with Equifax regarding the alert system and what these people will receive as a message.

I told you a few minutes ago: I think the status quo is not an option. That's why we're here today. Desjardins will be very honoured to participate in the discussions, if they are held.

I think we need to bring together the stakeholders who work in the data field in Canada to think about how we want to change the situation. Sometimes it could be about regulation, sometimes it could be about business processes, sometimes it could be about working together. I think the status quo is not an option.

That is why we accepted the invitation.

Mr. Brun, I know you've talked to this group. Can you give us the true story on that?

Thank you for this very relevant question.

The Bank of Canada obviously has an extremely important role to play in ensuring financial stability. Recently, it announced the creation of a committee to develop supervision and review oversight by discussing matters with all kinds of partners. Naturally, it turned to the big banks and the regulator. We have had discussions with people at the Bank of Canada and we feel that they have an opportunity to explore this.

As already mentioned, the financial system is extremely interconnected. All the players in this sector have issues, regulations and regulators, but they must be able to work together, go beyond that and discuss matters. We certainly have a great interest in participating in all of this. We felt that there was an opening in this direction and we are waiting to see what form this will take.

Desjardins Group is certainly a Canadian and Quebec financial institution of systemic importance. If there are discussions, we should be involved.

That is why we humbly submit a recommendation to the committee today.

In Canada, 30, 40 or 50 years ago, we put in place certain mechanisms, which today are no longer used for what they were created for. It is time for industry players to sit down together to rethink all of this, and try to draw inspiration from best practices around the world; this reflection, as I can see very well, has already begun.

All of the information, per the announcement we made this morning, of all of the people who were on the list of the members who have been affected by this leak will be taken care of by this program. With this protection program, if it's their financial activities in their accounts, if it's having access to assistance for recovery of their identity, or if there are problems with some fees they have to pay regarding the recovery of their identity, they will be allowed to go under this program.

This is something that we are looking at right now in our files. Among these 2.7 million people, we are looking right now if there are some more sensitive people. You probably read about policemen, judges, people like officials. This is something that we're looking at right now. Our priority was to send the letters to make contact with the people. Now we're looking what may be other sensitivity that we should be more careful—

Yes. We will look at it.

When we say “zero trust”, we need to identify what we are talking about. Zero trust, we have people who have access to data. They need it to actually do their work. With zero trust, clearly we want to make sure that we have security mechanisms in place that aim at the zero trust principle. However, when you put it in practical terms, sometimes there's a difference between the theory and what you can really do practically. The objective is there to make sure that the data given to us by our customers, by our clients, is fully secure. That's our goal.

Thank you for your question.

As you know, the social insurance number is one identifier among many. As we have already mentioned, on our website, we are advising citizens that they should only give their social insurance number in very limited circumstances. This is explained to them. We tell them not to give their social insurance numbers to organizations that cannot legally request them. However, from what we hear, citizens often give it voluntarily to organizations that are not authorized to take it.

We are certainly aware of the discussions. We are still looking at what we can do to improve the protection of our systems and practices related to the social insurance number.

We want to hear the recommendations or see the report that this committee will publish, as well as other reports.

I can assure you that work on improving the security of our systems is ongoing. I know that Treasury Board is also very actively working on digital identity projects. We are participating in these discussions to see how we can improve the digital identity of citizens in Canada.

The social insurance number is an identifier that provides access to federal programs and services, as well as to income and tax systems. In the case involving the federal government, with respect to benefits, for example, my colleague explained that at the Canada Revenue Agency you have to ask an additional, secret question to identify individuals, such as the amount entered on a certain line of the tax return. In the case of employment insurance, participants are given a program access code, and must give two digits of this code in order to access private information related to the employment insurance program.

The social insurance number is an identifier, but it is accompanied by other questions to validate the identity of the person with whom we do business.

Thank you for your question.

All our call centres, Service Canada offices and agents have received very clear instructions. Our call centres and Service Canada offices answered questions from approximately 1,500 citizens. They have informed them of the steps to take, including contacting a credit bureau, verifying their financial and banking transactions, and exercising extra vigilance with respect to the transactions they make. If they identify activities that are not related to their transactions, they should contact the police, Service Canada offices and the various institutions so that we can resolve the situation. To date, no fraud has been reported.

As I was saying, despite the number of leaks detected in recent years, there are about 60 cases per year requiring a change in the social insurance number.

One of the reasons is that we do not know to whom citizens have given their social insurance number. The social insurance number should only be used as an identifier to link certain information to provide benefits. Individuals are the only ones who know to whom they have given their social insurance number and for what purpose. You can give your social insurance number for private pensions, insurance and car rentals or purchases, for example.

The social insurance number should not be used to identify the person. This is a number that allows you to link certain files. We need this number to link the information. We now link the two social insurance numbers in our systems, but the first should never again be used by the individual.

You raise an interesting question.

The first thing to do, according to the Personal Information Protection and Electronic Documents Act, is to inform third parties. As you have heard, Desjardins has contacted us to ensure that we will provide the information and help Desjardins branches obtain as much relevant information as possible to help their members. In this case, we have given a lot of information on how to protect their members.

In view of the multiple leaks that can occur, the goal is to ensure that citizens and the benefits due to them, whether tax refunds or other benefits, are always protected. That is why we worked very closely with Desjardins to define what measures would enable us to support it in its relations with the affected citizens.

Desjardins has implemented measures. When there were leaks at the federal level, very similar measures were taken with respect to credit bureaus, because it is really the best way to protect citizens from fraud. We continue to work with Desjardins. If an exchange of information proved to be a good solution, we would consider it. However, at this stage, the measures put in place are the best that could have been taken.

Absolutely.

To be proactive, we have put additional information on our website. We have issued press releases. We used social media, as you said. We hold workshops on the social insurance number in several communities. These are workshops that are given on a regular basis and I won't see why we can't use this method as well.

So, thanks for the recommendation. We will take it into consideration.

That is an excellent question.

As I always say, it is important, when you have situations like this, to review and rethink certain things.

As far as the social insurance number is concerned, as I said, it is one of several identifiers. At the federal level—and, of course, in many places— people are invited to add secret questions that only they can answer. It is not a PIN, but it is an additional way to ensure security and identify the right person.

You are absolutely right. You do not have a PIN.

Is this something we could consider? Maybe. What is important to say is that, to access a service, you must give other identifiers such as the line...

That is an interesting question. I don't know if any predecessors have addressed this issue.

Currently, we have a very clear list of who can do so. We have very clear instructions for citizens. When someone asks them for a social insurance number and they are not on the list of people who should ask them for it, they can seek redress with the Privacy Commissioner of Canada.

Yes, it would be something to check, but I don't have any information on that today.