Evidence of meeting #171 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was protection.
A video is available from Parliament.
4:05 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Since the incident, you've offered the affected members a free five-year Equifax membership. Is the new protection announced this morning a lifetime membership, or is it new internal protection?
4:05 p.m.
President and Chief Executive Officer, Desjardins Group
Exactly. There's new internal protection. As I said, it's the first pillar. If people see an unauthorized transaction posted to their account, they must notify Desjardins. We'll then review the transaction with them and give them a full reimbursement. I must point out that there's no limit, whether the amount is $10,000 or $100,000.
Second, if they're victims of identity theft, they must contact us. We'll assist them and hold conference calls. We even offer a period of psychological support, through our life insurance companies, to people who are going through this highly emotional situation.
Third, it's the new $50,000 protection for people who must incur personal expenses to recover their identity. Desjardins will cover these expenses. This is extremely important.
I want to reiterate that people who are victims of the data breach must continue to actively register for Equifax services, since this gives them access to the alert service. The alert service could notify them of an unauthorized transaction in the following weeks or months, and this service isn't included in the Desjardins package. The Desjardins Group strongly recommends that members who are victims of the breach register for Equifax services.
4:05 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
I'm a Desjardins member, but also a Royal Bank client—
4:05 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
The Royal Bank has a system that I didn't know about. I learned about it from an employee last weekend. The Royal Bank site has a link to the TransUnion site. When I click on the link, my credit report and credit rating appear. It's completely free.
Will Desjardins provide a similar service?
4:05 p.m.
President and Chief Executive Officer, Desjardins Group
I'll let Mr. Berthiaume answer that. He'll undoubtedly be very happy to do so.
4:05 p.m.
Denis Berthiaume Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
We provide the same type of service with TransUnion. On the web and on mobile devices, you can access your credit rating in real time. With regard to the alert system, I think that we've explained it well. We work with Equifax, but we're also considering the possibility of providing an alert system with TransUnion.
4:05 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
You've done an extraordinary job of putting all this in place. Congratulations.
I now want to talk about Canadians who are afraid that their data, which has been sent somewhere in the world, will be used to make transactions or for any other purpose. You can't be responsible for everyone. You have a responsibility to your members, and 90% of Quebecers are Desjardins members. However, you can't know whether data sent abroad comes from this particular breach.
In other words, if my stolen data is sent abroad, will you still cover me, even though the data could have been sent from another source?
4:05 p.m.
President and Chief Executive Officer, Desjardins Group
The current situation at Desjardins was not our only reason for making this morning's proposal, but we certainly sped up the process. At the beginning of each year, we do some planning. Based on security, our new products and our new offers, we consider what we should offer our members according to their needs.
4:05 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
I'll interrupt you, because I made things unnecessarily complicated. What I meant was that even though a data breach occurred on your side, another organization may be sending my information elsewhere. In this case, wouldn't the government have some level of responsibility? You seem to be taking care of everyone's issues. At some point, shouldn't we suggest that the Government of Canada help all Canadians?
4:05 p.m.
Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
Look, right now, the important thing is to reassure the members and to offer protection to everyone. We won't start determining whether data sent abroad comes from the data breach at Desjardins or from an information leak in another organization. We want to cover and reassure our members.
To answer your question, if fraud occurs in a Desjardins account, we'll cover the member concerned. As is the case with other financial institutions, in the event of attempted fraud, whether the account is a current transactions account, a credit card account or another type of account, we don't hold the members liable.
4:05 p.m.
Liberal
4:05 p.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Thank you, Mr. Chair.
Mr. Cormier, Mr. Brun and Mr. Berthiaume, thank you for being here. You're welcome here. I think that you've fully understood our objective, which is to share information to restore the confidence of people who are extremely worried. You said it well. Like you, we're hearing from these people. This is all the more beneficial to us, since we've just completed a study. We've opened the door for members of the next Parliament with respect to cybersecurity in the financial sector. As such, we're particularly interested in this matter.
Since it hasn't been mentioned yet, I'd say that, as Quebec MPs, we're not here to conduct a witch hunt. Based on the number of activities that we're involved in, we can clearly see that Desjardins is a local partner in the community. We want to work together, and I think that your recommendation today reflects that. Thank you very much.
I want to touch on a few points, in the hope that you can answer some questions. I understand the constraints that you're operating under. The first thing is very simple. It seems silly, but it concerns Equifax's French services. A few people have reported difficulties with obtaining services in French. Have you worked with Equifax to ensure that your members, the vast majority of whom are French-speaking, receive service in French?
4:10 p.m.
Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
Yes. First, we wanted to proceed quickly with Equifax, and I think that was the intent of the process. The people at Equifax have been very helpful. They've even adjusted their service offer to accommodate us in several ways. We've worked very well together.
Now, over time, we've learned about the limits of the French-language capacity at Equifax. As a result, we've introduced a number of additional measures. The president mentioned the four initiatives that have been implemented.
First, people can go online or use their cellphones to register directly for Equifax services. We'll take care of referring them to the services, establishing the link with Equifax and providing the authentication.
Second, people can obtain a French-language service by contacting our AccèsD call centres. Wait times are very reasonable. We act as a bridge, in a way, between our members and Equifax to improve the experience. We've been implementing this approach over the past few days and weeks. We believe that this approach has been successful.
4:10 p.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
It's not necessarily specific to what we want to review, and it doesn't fall within the mandate of the committee. However, you'll appreciate that I still wanted to get the facts straight. Thank you.
I want to focus on regulations. We heard a bit about them from the government officials who spoke before you. Are the regulations becoming cumbersome when it comes to achieving your objectives and ensuring the security of your members' data? In your particular situation, you're subject to both Quebec and federal government regulations. Compared to traditional financial institutions and large banks, you're in a somewhat unique situation. You'll forgive me for perhaps not using the correct terminology, but I think that you understand what I mean. Can this different situation cause problems?
Simply put, would it be in our interest to ensure a better alignment between the Quebec government and the federal government requirements, so that you don't need to turn left and right to comply with two different regulatory entities?
4:10 p.m.
Bernard Brun Vice-President, Government Relations, Desjardins Group
Thank you for your question.
It's extremely relevant because we operate in a bijurisdictional system. That said, overall, Desjardins is perfectly comfortable in the current framework. Obviously, with technological exchanges, the interconnectedness within the financial system is becoming more and more apparent. In this regard, we mustn't act in isolation.
Mr. Cormier pointed out earlier that we worked well together. We were able to speak with all the federal and provincial government stakeholders. We strongly encourage them to work together. We can see the collaborative efforts, but we urge the governments themselves to hold discussions.
With regard to the fact that an entity such as the Desjardins Group operates on both sides, I don't see this as an issue. However, we clearly need support in this area. We can feel it and we're focusing on it. This relates to our suggestion regarding the creation of a multi-stakeholder committee with people from different governments. This will enable us to move forward and adopt effective policies that will affect everyone.
4:10 p.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Thank you.
It may be more difficult to answer my next question, as the police investigation is still ongoing.
Given the growing cyber security expertise, especially among people who work in that field, do you think it would be appropriate to recommend ongoing background or behaviour checks for employees who have access to sensitive information and can use the information belonging to other users, other employees?
I am not saying that you have failed in that area, but everyone is starting to recognize the existence of people whose expertise is growing. Their expertise is being used, but it can also have more harmful consequences.
4:15 p.m.
President and Chief Executive Officer, Desjardins Group
My colleague can talk about our practices, and then I will complement his comments based on my perspective.
4:15 p.m.
Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
The first thing is that rigorous security investigations are constantly being conducted at Desjardins. Investigations are indeed related to the job level. That is an important element.
Regarding the situation before us, we could wonder whether anything could have been detected. I would like to point out that internal fraud by a malicious employee is the most difficult risk to protect against. That is recognized across industry, and there are many examples of it.
In addition to security investigations, security mechanisms were in place. Obviously, we are talking about a malicious employee who found a way to circumvent all the rules and used a scheme to extract data. That said, I want to reassure you that security mechanisms are in place.
4:15 p.m.
President and Chief Executive Officer, Desjardins Group
With time, will we be able to go further in terms of the situation we are going through? As I was saying, in the digital age, people handle personal data not only in financial institutions, but also in all kinds of businesses. Today, when someone wants to enrol their child in daycare, they must provide their social insurance number, and that number can remain on the table for five, 10 or 15 minutes, during the enrolment process. That is the reality in Canada.
I think that any business where employees handle personal information must ensure they have been screened.
4:15 p.m.
Liberal
The Chair Liberal John McKay
We're going to have to leave it there.
Thank you, Mr. Dubé.
Ms. Lapointe, go ahead.
4:15 p.m.
Liberal
Linda Lapointe Liberal Rivière-des-Mille-Îles, QC
Thank you very much, Mr. Chair. I will share my time.
Gentlemen, thank you very much for being here.
I have been a member of Desjardins since around 1980. Like my colleague was saying, Desjardins is omnipresent. My riding is Rivière-des-Mille-Îles, and it includes Deux-Montagnes, Saint-Eustache, Boisbriand and Rosemère. There is a caisse Desjardins in Deux-Montagnes and one in Thérèse-De Blainville. Those are two major institutions in the region. There are two RCMs and two caisses Desjardins.
4:15 p.m.
President and Chief Executive Officer, Desjardins Group
There is Mr. Bélanger.
4:15 p.m.
Liberal
Linda Lapointe Liberal Rivière-des-Mille-Îles, QC
Yes.
You said that internal fraud is the most difficult type of fraud to detect and protect against. Earlier today, officials from the Department of Finance and the Canada Revenue Agency talked to us.
How do things work internally at Desjardins? How could have supervisors detected that malicious employee? It is clear that he managed to get into the system. Are there access levels and screenshots? Does the system issue alerts when it identifies something unusual? Are your employees allowed to have their cellphone with them when they work with data?
I am sure you will re-evaluate the existing measures. You talked about a lone malicious employee, but what will you do to protect yourselves against other malicious employees? What are your rules? How does it work?
4:15 p.m.
President and Chief Executive Officer, Desjardins Group
Mr. Berthiaume, can you talk about operations?