Public Safety Committee on July 15th, 2019

I think that the number of federal partners you have had as witnesses today speaks to that.

The investments in the cyber centre were part of the first line of defence in strengthening the ability to prevent cyber incidents, and they are focused, as André Boucher spoke to, on the appropriate response to a cyber event. In this case there was a specific type of cyber event, a breach by an employee, so many of those defences that have been built by the cyber centre were not triggered in this case, but the resources of the cyber centre are complemented by new resources for the RCMP. You heard the RCMP speak about the national cybercrime centre and their efforts at the Canadian Anti-Fraud Centre.

We also realize that a cyber event or a data event does play out on the privacy side. Therefore, measures such as the new requirements for businesses to notify customers that there has been a breach are a key part of a citizen's ability to be vigilant about their own finances and to know that important information about them has been put into play. A monitoring service like Equifax is important because it helps put that person into the mix to know when something that's being done in their name is not right.

We're supposed to leave around 4:30, but maybe we can add—

Probably an hour would be okay.

Thank you very much.

Good afternoon, Mr. Chair and members of the Standing Committee on Public Safety and National Security. I'm joined this afternoon by Denis Berthiaume, Senior Executive Vice-President and Chief Operating Officer, and Bernard Brun, Vice-President, Government Relations, Desjardins Group.

First, I want to say that, at Desjardins, we were ambivalent about this exceptional committee meeting.

On the one hand, this meeting may seem premature, since we're in the process of managing this situation and the police investigations are ongoing. It's far too early to assess the situation. As such, we intend to tell you everything that we know, but in a way that won't interfere with the ongoing investigations.

On the other hand, we see this special meeting as an opportunity to inform legislators and the public about the security of personal information and the need to rethink the concept of digital identity in Canada. In my reflection process, this point prevailed.

First, I'll state the obvious. What happened at Desjardins has happened elsewhere and could happen again in any private company or public organization whose mission involves personal information management. We can think of several banks around the world, such as the American bank Chase, Sun Trust, the Korea Credit Bureau, or a number of government entities in Canada and the United States, to name a few, that have been the victims of malicious employees.

Desjardins is a leading financial institution and one of the largest cooperative financial groups in the world, with more than $300 billion in assets. In 2015, Bloomberg ranked the Desjardins Group as the strongest financial institution in North America, ahead of all Canadian banks. In other words, even the best aren't immune, and we believe that this message must be heard.

Personally, I've been working at the Desjardins Group for 27 years. I chose this organization at the start of my career because the financial institution has managed, after nearly 120 years, to successfully combine the economic and social aspects of our society.

The malicious actions of one employee led to this deplorable situation. That employee has now been dismissed. He violated all the rules of our cooperative. In this situation, we acted as quickly as possible and as transparently as possible, with the sole objective of protecting the interests of our members. That was our priority.

On June 20, a few days after learning of the extent of the situation, we went public and shared all the information available, in conjunction with the police forces. At that time, we also announced the measures implemented to address the privacy breach.

We've taken all the necessary measures to address the situation. We quickly implemented additional monitoring and protection measures to protect the personal and financial information of our members and clients. We informed all the relevant authorities, including the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Autorité des marchés financiers, the Office of the Superintendent of Financial Institutions, and the Quebec and federal departments of finance.

We've implemented additional measures to confirm the identity of individuals when they contact us. We're constantly monitoring all our members' accounts. The procedures for confirming the identity of our members and clients when they call the Desjardins caisses, Desjardins Business centres and our AccèsD call centre have also been the focus of additional measures.

We contacted the affected members through the AccèsD private messaging system and by personalized letter, to inform them of the situation and of the steps that they needed to take.

We've also added extra measures to help with the activation of the Equifax monitoring package. The affected members can now register in four ways. They can register on the Equifax website, through the AccèsD telephone service, through the AccèsD web and mobile application, and directly in our Desjardins caisses by speaking with their advisor.

We're actively working with the different police forces. Lastly, we're working with external experts to continue to protect our members' personal information.

I can confirm that we acted diligently. After we received information from the Laval police service, we conducted an internal investigation and quickly traced the source of the breach to a single employee. The employee was suspended and then dismissed.

At this time, our main priority is to reassure, assist, support and protect each and every member affected by the situation.

Again this morning, we announced new protection measures for all our members. In this digital age, we at Desjardins believe that all our members must be protected.

As I was saying, Desjardins announced this morning that, from now on, all members of our cooperative will be protected from unauthorized financial transactions and identity theft. Membership is automatic and free of charge, regardless of whether they've been affected by the data breach. Since this morning, Desjardins has been protecting all its individual and corporate members. This sets a precedent in the financial services world in Canada. We're the first institution to take this step. In this situation, Desjardins is acting with rigour, a sense of duty and the willingness to honour its special relationship with its members.

We've entered an age where data is a resource on par with water, wood and the raw material needed to run entire sectors of our economy. Data is now the raw material for a whole innovative economy that will lead to tremendous productivity gains and make life easier for Canadians.

Canada is a few months away from the implementation of 5G mobile connectivity, which will increase the flow of data tenfold. According to experts, this ultra-fast connectivity will lead to futuristic applications related to artificial intelligence. Canada is already among the world leaders in this area with its three hubs, Montreal, Toronto and Edmonton. In addition, as we speak, the Department of Finance Canada is in the process of conducting a consultation on open banking, which would help open up the transactional sector. Several European countries have already made the shift.

I'll humbly ask you, the legislators, the following questions.

Is Canada currently well equipped to manage these promising technological developments, which also involve new risks? Should our identification systems be adapted to the digital age to ensure the protection of privacy and to better deal with cybercriminals? This issue is the whole notion of digital identity, which I referred to a few minutes ago.

I want to respectfully point out that these are real issues raised by the situation at Desjardins.

In closing, I want to make a proposal. I'd like to invite the committee to recommend to the Government of Canada the creation of an ad hoc multi-stakeholder working group to advise the government on how to regulate the management of personal data and digital identities. We believe that a group that listens to Canadians' concerns should at least include representatives of governments, the financial services and insurance sector, and the telecommunications sector, along with jurists and experts, or any other group that the government deems it appropriate to involve in the reflection process.

The mandate of this committee should consist of advising the government on legislation and regulations; ensuring the protection of the public; encouraging innovative technological development for the benefit of Canadians and communities; and ensuring the strategic monitoring of best practices around the world, so that Canada is always up to date.

I personally believe that Canada can't pursue excellence in digital technology and artificial intelligence without having the same ambition for data and personal information management. We must all learn from the current situation at the Desjardins Group.

Thank you.

To answer the first part of your question, we made the decision this morning to set up a protection program for all our individual and corporate members. The corporate component sometimes isn't covered by other institutions or even by Equifax. We've decided to offer this service free of charge to our members as long as they stay at Desjardins. We won't charge them anything. I want to quickly reiterate that the program covers all unauthorized financial transactions involving a person's account, deposits and money. If a transaction hasn't been authorized, we'll reimburse the person. That's one thing.

Second, if a person is unfortunately a victim of identity theft, we'll provide assistance, not a list of the steps to take. We'll call on our experts to provide assistance, and the experts may even participate in conference calls to help the person recover their identity.

Third, we'll provide coverage of up to $50,000 to reimburse members for expenses that they may have incurred, such as lost wages, child care costs or the cost of obtaining documents.

This concept of free service is extremely important to us. If you're a member of the cooperative, you have access to the program.

We humbly propose that a committee be established to, among other things, address the issue of whether privacy should be managed by third party companies. I think that the status quo isn't an option.

That's a relevant question. In Canada, Equifax is the firm with a market share of over 70% in data and information protection and management.

When the incident occurred, we decided to turn to the Canadian company that offered this service to Canadians. We worked with the company. However, in the days that followed, we noticed some issues. We quickly took our own steps to resolve the issues concerning member registration on the Equifax website. We went through this. We saw the need to improve the procedures and methods, and we took charge of the matter.

Now, should one, two or three private companies in Canada manage all this? We must think about it.

Basically, the thought process behind the new measure announced this morning is that we're in the digital age. There will be fewer and fewer paper transactions in the coming years. This data becomes raw material for our economy. Given the importance of the data, at Desjardins, we've taken on the responsibility of offering protection to all our members.

I said that there were three pillars. The first pillar is the financial aspect that you're referring to. If Desjardins members see an unauthorized transaction in their transactions accounts, Desjardins will fully reimburse them. This answers the first part of your question on the financial transactions aspect.

In terms of other types of identity theft involving credit card transactions made elsewhere, such as cellphone purchases or car rentals, people can contact Desjardins and they'll be taken care of. Second, if they need help with recovering their identity, not from a financial perspective, but in relation to other aspects of their private lives, Desjardins will support them. If we need to call government agencies or private firms, or help them prepare notarized documents or a presentation, we'll do so. We're no longer talking about the financial aspect. We'll help the people with the other steps that they may need to take.

There are two or three parts to my response. When this incident occurred, we contacted several federal and provincial government agencies. We spoke with the different departments of finance. I want to tell you that the departments were very helpful and supportive. Bernard Brun can confirm that very clear and open discussions were held.

I've noticed that both the federal and provincial government authorities want to reassure the public. You have no idea how important this is to us. Sometimes, we see what's being written and said. I understand that people have concerns and questions. As MPs, you must hear about many of them from the people in your constituencies.

I can see that the federal and provincial government officials want to reassure people and give them the proper information. This is very helpful to Desjardins. People must be told to contact us so that we can introduce them to the programs that we announced this morning. Whenever we meet with people in our caisses or client contact centres, we're in direct contact with them and we reassure them.

We don't want to trivialize the situation. However, according to several studies and several experts who are currently assisting us, there's a clear difference between a data breach and what happens in a real data theft. This isn't a “one-to-one” case. The proportions are very small.

By adding the protection that we announced this morning, we're telling all our members, including businesses, not to worry. If any issues arise, they should call Desjardins. We'll assist them.