Information & Ethics committee  Yes, there's a meeting of bank personnel to identify what we call the flags, where something is unusual. There are also electronic triggers. When you see unusual transactions within an account, they will be pulled out. It's both by human factor and electronic monitoring.

Information & Ethics committee  There can be sharing that doesn't involve personal information. The banking industry has had a number of public-private partnerships over the years whereby we shared threat intelligence, so you can actually share the types of cyber-threats we're seeing. With the introduction of the Canadian Centre for Cyber Security, we see that as the hub that will then build on these types of initial partnerships and make them much broader, so sharing between the private sector and the government.

Information & Ethics committee  Absolutely. This is all about connecting the dots, so the more you can harness artificial intelligence to do the analytics to make those connections, the better.

Information & Ethics committee  On that point, if you're talking about where that transactional data information is housed—let's say for example it is housed in the U.S.—the only way that data could be accessed for the purpose of seeing whether or not you are meeting this question would be through a formalized warrant process under the Patriot Act.

Information & Ethics committee  Just to clarify that, we would have contractual protections to ensure they're not shared, although there would be the possibility that you could have a proper warrant served in that country. However, I can't anticipate that a warrant would be served in that context, because if it were something so significant as to come under the Patriot Act, I would imagine it to be something in the nature of a national crime, not an individual, one-on-one use.

Information & Ethics committee  I'll have Ms. Mandal speak to the actual data component of digital data, but in regard to the requirement that information be kept secure, as I said earlier, our privacy framework enables us to have data in Canada and outside Canada provided we have appropriate contractual and other measures to ensure the same level of safety.

Information & Ethics committee  Yes. There are different layers. There are cybersecurity types of measures, which are really to address if someone's actually trying to get into our systems and get access to information. There are other types of compromises that can happen on fraud that aren't really cyber-related.

Information & Ethics committee  We would not be part of that.

Information & Ethics committee  Having data outside Canada and internationally is common not just across the financial institutions, but across a full range of companies. The Privacy Commissioner has addressed this in guidance. It's so commonplace that you deal with it in a variety of ways. First of all, our federal privacy legislation requires that if data is to be housed outside of Canada, it must, through contractual and other measures, be kept as secure as if it were in Canada.

Information & Ethics committee  If you're talking about the potential for that data to be accessed in a lawful manner, it could be accessed through it, but that would of course require a warrant approach.

Information & Ethics committee  Yes, we provide disclosure where that data may be outside of Canada, and we explain the implications of that.

Information & Ethics committee  I would say a significant part of it is education. We educate and let consumers know the risks out there. Also, it's a sharing of information to find technological ways to block certain types of communications. With the recent launch of the Canadian Centre for Cyber Security, Scott Jones, who was recently at our cyber security summit, was chatting with us about ways in which we could from a technology perspective block those types of communications.

Information & Ethics committee  I can't speak to the specifics of the breach. What I can say is that we have been leaders in the cyber security space. We have had an excellent record. It was a rare incident, and I can assure you that banks took measures to ensure that their customers were whole financially and to provide other assistance to them.

Finance committee  At this time, while the formal reviews were conducted over the last two years, there will be continued work in this area. Our understanding is that there will be further revisions, one through the budget implementation act, and supplementary amendments that could be done through that.

Finance committee  That should not be a concern, not with the robust privacy framework that we have with PIPEDA and with the provincial legislation, and also just our approach with engaging with fintechs. The banks take the privacy of our customers very seriously. If we were to have any situation where a consumer is referred to a fintech company, it would done with so clarity about what information is being collected and with full and transparent consent.