Evidence of meeting #171 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Superintendent Mark Flynn  Director General, Financial Crime and Cybercrime, Federal Policing Criminal Operations, Royal Canadian Mounted Police
André Boucher  Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment
Annette Ryan  Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance
Elise Boisjoly  Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Judy Cameron  Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions
Guy Cormier  President and Chief Executive Officer, Desjardins Group
Denis Berthiaume  Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
Bernard Brun  Vice-President, Government Relations, Desjardins Group

3:15 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Paul-Hus.

Mr. Dubé, you have seven minutes.

3:15 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

Thank you all for taking the time to come here today.

Ms. Boisjoly, I was struck by one point in your reply to Mr. Drouin. You said that a personal data breach does not lead to identity theft. That is basically what brings us here today. Canadians want to avoid identity theft, of course; it’s their main concern. I have some questions about it.

You said that people should report suspicious activities associated with a social insurance number. I am a federal lawmaker and I don’t know what a suspicious activity associated with a social insurance number is. I have never been a victim of fraud, thank heavens, and the same goes for the people around me, touch wood. However, I do know people who have been victims. They find out when they receive a bill for a cellphone they do not have, or for a Canadian Tire credit card that they never applied for. They end up with debts and obligations that are not theirs.

Can you tell me exactly what a suspicious activity associated with a social insurance number is?

3:15 p.m.

Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development

Elise Boisjoly

Thank you for your question.

You have certainly identified some suspicious activities, as you say. We ask people to protect themselves as best they can by working with a credit bureau so that transactions are monitored as closely as possible. They should look at their bank and credit card transactions. If they see actions in their name that they did not make, we asked them to contact the bureau—

3:20 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I am sorry for interrupting you, but my time is limited and I only have one round.

The suspicious activities or problematic transactions that we may be able to see on our credit card statements can be associated with all kinds of things. It may be someone who has stolen our mail and obtained our address. That is information that is probably easier to obtain. You rightly mentioned that, in terms of the situation we are discussing today, the person has complementary information. In principle, with all the information that has been stolen, that person could easily call Revenue Canada and obtain a new password. If you have someone’s entire file, you have all the information you need.

3:20 p.m.

Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development

Elise Boisjoly

Yes, and that is the most important point. We are talking about a number of identifiers. Each one of the organizations is responsible for checking people’s identity.

My colleague said that there must also be a line from the tax return. With employment insurance, there is an access code and you are asked to provide the two figures in that access code. When we are checking identities, we must make sure that we ask questions about identities that are secret and shared only with the people we know. That allows us to better verify people’s identity and to provide them with the service. For example, you would not be able to call Service Canada and obtain employment insurance benefits with the information that has been made public at the moment.

3:20 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

As for getting a new social insurance number, I have a little difficulty understanding. Basically, the argument is that it becomes complicated for people. In principle, a social insurance number is issued for reasons of efficiency. A unique identifier makes transactions with government agencies easier.

Forgive me if this analogy may not be an exact one. If I see a problem with my credit card today, the bank or the company that issued it is still able to transfer a balance or to link the legitimate transactions on my credit card that has been used fraudulently and the new one it sent to me.

Why would a financial institution be able to do that, while you are not able to say that someone’s social insurance number has been compromised and to give them a new number? A former employer, for example, might have to take care of questions about that person’s pension. Knowing that it is the same person, why are you not able to link the previous social insurance number to a new one? You may perhaps have to do some additional checking, given that the number has been compromised. But I am still having a little difficulty understanding why you can’t do it.

3:20 p.m.

Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development

Elise Boisjoly

When you started, you said that the first reason we do not automatically give out social insurance numbers is that it can make life difficult for people. The first reason is actually that it would not really prevent fraud. This is a very important point. People have to continue to check their previous social insurance number because there are still—

3:20 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I am sorry to interrupt you, but, if I lose my credit card, it does not necessarily mean that it has been stolen. It may have fallen down a sewer somewhere, meaning that it will never be seen or used again. I would still call my bank, Visa or whomever, to ask them to cancel the card. I would still keep checking and I would have some peace of mind, knowing that I am protected.

Why not use the same logic for victims of breaches of personal data, especially ones that are all over the news? To make sure they are protected, people want to dot all the i's and cross all the t's that they can. They change their credit cards and everything, as they do when they lose their wallets. Why not proceed in the same way?

3:20 p.m.

Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development

Elise Boisjoly

A social insurance number is not like a credit card, which is a bank's only way of identifying that person. It is an identifier used by employers for as long as people are in the workforce. It is also used for various programs and services.

At the moment, no computer system links all those systems so that social insurance numbers can be updated by employers and by the various groups and programs. That task would be done manually. That is why we do not know all the employers. In the federal government, it would be done manually. As I said, we have only done it a few times. There is a risk of errors. I am just mentioning this to the committee.

3:25 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I have less than a minute left.

At the risk of tangling ourselves up in technical details, I would like to understand this better. If an employer wants to use a social insurance number, how does that work? Surely, things come together in some way when you move up the ladder.

I have one final question, which goes back to what Mr. Paul-Hus rightly said.

Let me take Quebec as an example. When there is flooding, police forces and the Government of Quebec hold public consultations on the spot so that people can attend.

Mr. Guénette, I respect what you said, but perhaps advertising campaigns or posts on social media are not enough.

Given the extent of this theft, this breach, have you considered organizing consultations in person in the key places in Québec, the major centres of Longueuil, Montreal and elsewhere?

3:25 p.m.

Liberal

The Chair Liberal John McKay

Again, Mr. Dubé has asked an important question but has not left any time for an answer, so you'll have to work it in somewhere else.

Usually you're so good, Mr. Dubé.

Welcome to the committee, Ms. Lapointe. You have seven minutes.

July 15th, 2019 / 3:25 p.m.

Liberal

Linda Lapointe Liberal Rivière-des-Mille-Îles, QC

Thank you very much, Mr. Chair.

Good afternoon to you all and thank you for joining us.

I do not normally sit on this committee, but I gladly agreed to replace one of its permanent members.

I have had discussions with a number of my constituents in Rivière-des-Mille-Îles, which is to the north of Montreal and includes Deux-Montagnes, Saint-Eustache, Boisbriand and Rosemère. They are very concerned. This is something that has come up all the time since the House adjourned on June 21. That is why I agreed to be here today without hesitation, even though I am not familiar with all the studies that this committee has done.

Ms. Ryan, earlier, you began by saying that the Department of Finance establishes the legislation and regulations that govern the Canadian banking system. You then said that oversight of the Canadian financial sector is shared between the federal and provincial governments.

Let us look specifically at Quebec. The provinces are responsible for real estate brokers, and mutual funds and investment representatives, and so on. Desjardins is a provincial cooperative institution. Just now, I mentioned my constituents, but my entire family and myself are also among the 2.9 million people affected. This concerns us a great deal and we are wondering what will be the future impact of this theft on our lives.

Have you had any requests from Desjardins? Mr. Guénette said that there are ongoing discussions between departments, but have people from Desjardins been in communication with you to get additional information?

3:25 p.m.

Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance

Annette Ryan

To the extent that Desjardins is largely provincially regulated, their first point of contact with a government regulator would be with the Autorité des marchés financiers in Quebec. When I spoke of the system of banking rules and regulations in place federally, that applies to the institutions that have elected to be federally regulated.

To the extent that Desjardins is largely provincially regulated, many of the operational requirements put in place in advance of this incident would have been worked through with the Autorité des marchés financiers.

My colleague from OSFI can speak to how that is put in place at the federal level. In this incident the institution stepped forward and took a number of responsible measures very quickly to be transparent about the leak. That is consistent with both provincial law and federal law in terms of privacy, and the federal and provincial privacy commissioners have struck a joint investigation to look into this incident, but many of the provisions for not just the conduct of the financial regulation of Desjardins but also the consumer protections are provincial in this case. We can speak to the federal system, but I would direct many of the questions you may have to those responsible at the provincial level.

3:30 p.m.

Liberal

Linda Lapointe Liberal Rivière-des-Mille-Îles, QC

I have one other question. Are credit bureaus in federal jurisdiction?

3:30 p.m.

Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance

Annette Ryan

It's largely provincial, and in this case it is provincial.

3:30 p.m.

Liberal

Linda Lapointe Liberal Rivière-des-Mille-Îles, QC

Okay.

Have people from Equifax been in communication with you?

3:30 p.m.

Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance

Annette Ryan

Equifax would not be in touch with us or the department, and they are largely regulated for consumer issues at the provincial level for this.

3:30 p.m.

Liberal

Linda Lapointe Liberal Rivière-des-Mille-Îles, QC

Thank you.

I have used half of my time and so I am now going to turn to you, Mr. Guénette.

You talked earlier about the external rules on preventing identity theft, but you have not spoken a lot about the internal rules. I would like to know about the internal rules in the Canada Revenue Agency. After all, we are here today because data was stolen from the inside.

How do things work at the Canada Revenue Agency? Do the employees have to be at certain levels in order to have access to the systems? You talked about centralizing or detecting problems by intervening if necessary. You said that there are strict rules and I would like you to tell me a little more about them. Can people work with their own electronic equipment when they are in front of Canada Revenue Agency screens? I would like to know more about that.

3:30 p.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Maxime Guénette

Thank you for your question.

Of course, we have security rules at several levels. First, we screen the staff that we hire. People with more specific access have “Secret” security clearance instead of a lower level of clearance. A whole host of physical security measures are in place. People working in call centres, who have access to screens showing taxpayer information, may not have their personal phones with them. We have measures in that regard.

As for access to taxpayers' data, those data are on separate servers that are not connected to the Internet. There is a mechanism by which the employees' access to the data is reviewed annually, or each time they change jobs. Managers verify the access those employees have on a regular basis.

As for the workload, in my introductory remarks, I talked about the administrative rules. When we give employees their workload, our business fraud management system checks by using algorithms in real time. The system applies several dozen rules. For example, if employees check their own tax accounts, an alert is automatically issued and the system sees it immediately. If employees work on tasks that they have not been assigned, the system will immediately send an alert to the manager, who would then be able to ask an employee what he or she was doing in the system. Screen shots are captured per minute, which allows us to see which pages employees are consulting or which changes they have made. The system was implemented in 2017 and it is very advanced. It allows us to have controls in place.

In terms of preventing data breaches, employees are unable to copy information onto CDs, DVDs or USB keys. The system does not allow it.

3:30 p.m.

Liberal

Linda Lapointe Liberal Rivière-des-Mille-Îles, QC

Thank you.

3:30 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Lapointe.

We'll have Mr. Motz and Mr. Clarke.

3:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

Again, thank you to the departmental officials for being here.

I have just two quick questions for the Department of Finance. You say that your first objective is to prevent data breaches. We know the reality is that these happen and are not localized to the financial sector.

Ms. Ryan, you said that when cyber events occur at a federally regulated institution, which is what we're talking about, control and oversight mechanisms are in place to manage them. Can you explain to Canadians in practical terms what that actually means when you play that out?

3:35 p.m.

Judy Cameron Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions

I'll take that question.

I represent the Office of the Superintendent of Financial Institutions. Our mandate is to supervise financial institutions and set rules for them so as to protect the interests of depositors and creditors. Broadly speaking we're looking at safety and soundness, but we also make sure they comply with all federal rules. For example, we expect them to have systems in place to comply with privacy laws.

We set expectations around what institutions should be doing, such as complying with privacy laws. We also expect them to do cyber self-assessments to assess their own internal protections against cyber events. Then we supervise them to make sure they are complying with the expectations we have set out to make sure that they have good compliance management systems in place.

3:35 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Basically, it's just oversight. Now, in this particular circumstance, it's oversight of what's happened to make sure that—

3:35 p.m.

Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions

Judy Cameron

It's oversight of their systems to prevent this, really.