Evidence of meeting #171 for Public Safety and National Security in the 42nd Parliament, 1st Session.

Also speaking

Superintendent Mark Flynn  Director General, Financial Crime and Cybercrime, Federal Policing Criminal Operations, Royal Canadian Mounted Police
André Boucher  Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment
Annette Ryan  Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance
Elise Boisjoly  Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Judy Cameron  Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions
Guy Cormier  President and Chief Executive Officer, Desjardins Group
Denis Berthiaume  Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
Bernard Brun  Vice-President, Government Relations, Desjardins Group

4:35 p.m.

Conservative

Alupa Clarke Conservative Beauport—Limoilou, QC

I have a supplementary question, which will probably be the last one. I am addressing Mr. Cormier, the citizen.

You made a very important announcement this morning. You said that the protection applies to all members, whether or not they are affected by this unfortunate event. You said all they have to do is call you and you can take care of them. You will establish contacts, take action and take the necessary steps.

Do you think that's exactly the kind of attitude that the government, the federal state, should have right now towards the 2.9 million Canadian citizens?

Citizens are being asked to contact us, and I think it is the federal government that should contact citizens. Let's say that citizens are communicating with the federal government, shouldn't the federal government have the same approach as you and say that it takes care of everything?

The representative of Employment and Social Development Canada said that, if citizens' social insurance numbers were changed, they would have to call all their former employers. That's not what you're doing. You, incredibly, say you're going to take care of everyone at the last minute.

As a citizen, would you like the federal government to act in the same way towards the affected members?

4:40 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

As a citizen, I would say that elected officials are elected to provide a framework and adopt laws. In the current digital age, regulatory parameters must be put in place to protect citizens in this regard. That's my message, as a citizen.

This is also why, despite the fact that we found this meeting premature, we still made the decision to be present. We feel that this situation is sounding the alarm and that there is an awareness and a real willingness on the part of elected officials to address this issue. We wanted to provide our point of view on this subject.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Clarke.

We'll go to Mr. Dubé for three minutes and then Mr. Fortin for three minutes.

4:40 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

I have a question that is somewhat similar to what Mr. Graham was saying about Internet and telephone access. Seniors have special needs.

Are we also looking at that?

4:40 p.m.

Senior Executive Vice-President and Chief Operating Officer, Desjardins Group

Denis Berthiaume

That's what I was saying. Often, seniors do not necessarily have an Internet connection or an email address. We take care of them. These people can call us. We will take charge of the situation from that moment on and act as intermediaries with Equifax regarding the alert system and what these people will receive as a message.

4:40 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

There is an interesting article in La Presse, in today's issue, if I'm not mistaken. It talks about how credit watch agencies, companies like Equifax, are regulated and that this regulation focuses more on consumer issues.

It may be too much speculation for what you are comfortable talking about today, but given the somewhat symbiotic relationship they have with financial institutions and the breach Equifax has experienced, do you think it would be relevant in the digital age to review how these agencies are regulated?

This has become more important than consumer protection; they now have a responsibility to protect data. We see that there are important consequences.

Should we review this in the context of all these changes you alluded to?

4:40 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

I told you a few minutes ago: I think the status quo is not an option. That's why we're here today. Desjardins will be very honoured to participate in the discussions, if they are held.

I think we need to bring together the stakeholders who work in the data field in Canada to think about how we want to change the situation. Sometimes it could be about regulation, sometimes it could be about business processes, sometimes it could be about working together. I think the status quo is not an option.

4:40 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I have one minute left. In closing, I would like to say that we are pleased to have you here. We understand that this is a difficult situation. I appreciate the fact that you understand why we have a duty to do this.

Citizens are calling us. It affects them, they are worried. Our objective is not only to reassure them in this case, but also to ensure that they and other citizens who are clients of other financial institutions do not experience the same thing. You are sharing your experience, which is very useful not only today, but also for the future Parliament. We still want to put in place a roadmap in this rapidly evolving area.

4:40 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

That is why we accepted the invitation.

4:40 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Your presence is very much appreciated, thank you.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Mr. Fortin, you have three minutes, please.

4:40 p.m.

Bloc

Rhéal Fortin Bloc Rivière-du-Nord, QC

Thank you, Mr. Chair.

Mr. Cormier, Mr. Brun and Mr. Berthiaume, I too will begin by congratulating you. I must admit that when I arrived here this morning, I had questions and concerns, which you answered. I think that your statement this morning is very beneficial to Desjardins. I too am affected by what happened at Desjardins, and I appreciate the measures you have taken.

About two or three weeks ago, the Bank of Canada established the Financial Sector Resiliency Group to address IT threats. As far as I know, Desjardins Group has not been invited to join this group. Chartered banks, among others, and systemically important banks were invited.

First, can you confirm that Desjardins Group has not been invited? Then, do you consider it would be appropriate for it to participate in such a working group?

4:40 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

Mr. Brun, I know you've talked to this group. Can you give us the true story on that?

4:40 p.m.

Vice-President, Government Relations, Desjardins Group

Bernard Brun

Thank you for this very relevant question.

The Bank of Canada obviously has an extremely important role to play in ensuring financial stability. Recently, it announced the creation of a committee to develop supervision and review oversight by discussing matters with all kinds of partners. Naturally, it turned to the big banks and the regulator. We have had discussions with people at the Bank of Canada and we feel that they have an opportunity to explore this.

As already mentioned, the financial system is extremely interconnected. All the players in this sector have issues, regulations and regulators, but they must be able to work together, go beyond that and discuss matters. We certainly have a great interest in participating in all of this. We felt that there was an opening in this direction and we are waiting to see what form this will take.

Desjardins Group is certainly a Canadian and Quebec financial institution of systemic importance. If there are discussions, we should be involved.

4:45 p.m.

Bloc

Rhéal Fortin Bloc Rivière-du-Nord, QC

You have the support of the Bloc Québécois on this. I hope my colleagues across the way will follow up on this and propose that the Bank of Canada invite you.

Presently, there are discussions on the establishment of a national identity validation system. Previously, the social insurance number was used in the relationship between the employer and employees and the government. Now we see that it is used in almost every way. It is no longer clear how to behave in this regard, but it is clear that the simple social insurance number is no longer sufficient to ensure a certain level of security for citizens.

In your opinion, would an identity validation system, which would include a PIN, fingerprint or whatever, be useful in a situation like the one you have experienced?

4:45 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

That is why we humbly submit a recommendation to the committee today.

In Canada, 30, 40 or 50 years ago, we put in place certain mechanisms, which today are no longer used for what they were created for. It is time for industry players to sit down together to rethink all of this, and try to draw inspiration from best practices around the world; this reflection, as I can see very well, has already begun.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Monsieur Fortin.

I want to thank the witnesses for their appearance here. I'm happy to note that your announcement of your package coincided with your appearance here. That's quite fortunate. There are four or five members of this committee who are uniquely vulnerable as members of your association. I'm wondering whether their unique vulnerabilities as public figures are covered by your announcement today.

4:45 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

All of the information, per the announcement we made this morning, of all of the people who were on the list of the members who have been affected by this leak will be taken care of by this program. With this protection program, if it's their financial activities in their accounts, if it's having access to assistance for recovery of their identity, or if there are problems with some fees they have to pay regarding the recovery of their identity, they will be allowed to go under this program.

4:45 p.m.

Liberal

The Chair Liberal John McKay

I have taken note of that, as you mentioned it earlier. However, what I'm talking about is the unique vulnerability of public officials. If that vulnerability arises, will it be addressed by this particular package?

4:45 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

This is something that we are looking at right now in our files. Among these 2.7 million people, we are looking right now if there are some more sensitive people. You probably read about policemen, judges, people like officials. This is something that we're looking at right now. Our priority was to send the letters to make contact with the people. Now we're looking what may be other sensitivity that we should be more careful—

4:45 p.m.

Liberal

The Chair Liberal John McKay

So in the initial thrust, not necessarily.

4:45 p.m.

President and Chief Executive Officer, Desjardins Group

Guy Cormier

Yes. We will look at it.

4:45 p.m.

Liberal

The Chair Liberal John McKay

My question is that we've been doing this for a while now and one of, if you will, the gold standards of protection is what's called “zero trust”, which was brought up by a previous witness, who said, “identify and protect critical assets. Know where your key data lives; protect it; monitor the protection, and be ready to respond.”

Do you feel that Desjardins adhered to the zero trust principle that seems to be the gold standard for protection of data?

4:45 p.m.

Senior Executive Vice-President and Chief Operating Officer, Desjardins Group

Denis Berthiaume

When we say “zero trust”, we need to identify what we are talking about. Zero trust, we have people who have access to data. They need it to actually do their work. With zero trust, clearly we want to make sure that we have security mechanisms in place that aim at the zero trust principle. However, when you put it in practical terms, sometimes there's a difference between the theory and what you can really do practically. The objective is there to make sure that the data given to us by our customers, by our clients, is fully secure. That's our goal.

4:50 p.m.

Liberal

The Chair Liberal John McKay

That's the goal.

With that I want to thank you again for your appearance here. We will suspend for a couple of minutes and re-empanel with the officials and finish our questioning with them. Thank you.