Good morning. I will call the 47th meeting of our committee to order, please.
Committee members, I just want to advise you that your steering committee met late yesterday afternoon to discuss the work plan with respect to the motion that was passed on Thursday and one other matter. I want to let you know that the steering committee report will come to you for discussion and approval or not on Thursday morning as the first item of business.
We are going to try to set up some witnesses, and hopefully they'll be available and ready to go should the steering committee report be accepted. If not, then I'll excuse them, of course. But I just don't want to lose a day if I can avoid it.
So that's how we're going to proceed.
Today we're continuing our study on identity theft, and we have people who we've seen before on other issues.
Welcome.
We have Mr. John Lawford, counsel to the Canadian Consumer Initiative. And we have the executive director of the Canadian Internet Policy and Public Interest Clinic, Philippa Lawson, and along with her is Mr. Mark Hecht.
I take it that there will be two opening statements, will there? Yes, okay.
We'll go with Ms. Lawson first and then Mr. Lawford, and then we'll go with the questioning.
Bonjour. Good morning, honourable members.
I am going to speak in English this morning.
Thank you very much for the opportunity to speak today about a very serious problem that is directly affecting an increasing number of Canadians and indirectly affecting all of us.
My name is Philippa Lawson. I'm director of CIPPIC, the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. It was my pleasure to testify before you back in December on PIPEDA, the Personal Information Protection and Electronic Documents Act.
With me today is Mark Hecht, who is a professor of law and CIPPIC's lead researcher on this identity theft project.
We've submitted a written brief to the clerk, which I understand will be translated and distributed to you.
CIPPIC is part of a multi-institution research project on identity theft that's funded by ORNEC, the Ontario Research Network for Electronic Commerce, a public-private partnership, including four major Canadian banks and four Ontario universities. A number of researchers at these universities have been looking into various issues involving the definition and measurement of ID theft, management approaches, and technical solutions to the problem.
We at CIPPIC and at the University of Ottawa are looking at legal and policy approaches to identity theft, and we've been engaged in a big comparative review of what other jurisdictions are doing in this area and where the Canadian law is at.
We've published a series of working papers on identity theft, on various aspects of the problem, most of which are posted on our website—www.cippic.ca—and a couple more will be published shortly.
As you know, we've published a white paper on security breach notification, and we were very gratified to see your recommendations on that in your recent report on PIPEDA.
We've also posted a web page on identity theft, with frequently asked questions and resources for the public.
Our intention, after further research and analysis this summer and fall, is to issue a white paper, with a broad set of recommendations for law and policy reform. And we intend to do that by the end of the year.
You've pre-empted us with these hearings, so we're making some recommendations now, but we will be making more detailed ones later, including in the criminal law area, which I understand you're not looking into in these hearings.
I understand I have about 10 minutes. Do I have less? Okay, great.
The term “identity theft” is somewhat misleading, insofar as the activity we're talking about covers not just the unauthorized collection or theft of information but the fraudulent use of it. You will find that many experts talk about identity fraud when they're talking about unauthorized use. It really is a two-stage crime. It involves both the unauthorized collection and the fraudulent use. We're using the term “identity theft” broadly as it is commonly used to refer to both stages here.
Identity thieves use a number of techniques to gather personal information. There are relatively unsophisticated methods such as dumpster diving, mail theft, bribing insiders of corporations, and pretexting, which is posing as someone who's authorized to obtain the information in order to get it. There are also much more sophisticated techniques such as skimming, “phishing”, “pharming”, keystroke logging, and hacking into large databases.
A single individual may be victimized many times before he or she knows it. Indeed, victims of identity theft are often unaware of it until they apply for credit from a lending institution and are refused or start getting calls from a debt collection agency. By that time their credit rating has been destroyed and they will likely experience great difficulty restoring it. The victims experience a myriad of difficulties restoring their reputations and recovering the losses suffered, often as a result of no negligence on their part.
I know you're interested in trends. One trend worth pointing out is the use by identity thieves of the Internet to gather and trade in stolen information. It's very easy to find websites right now offering credit card data for sale. Hard drives with personal information on them are being sold on eBay, for example. The Internet, as I'm sure you know, is also used to fool unsuspecting consumers into handing over their account information using techniques such as phishing and pharming. I can explain those later if you're interested.
Unfortunately there are few reliable statistics on identity theft in Canada. PhoneBusters publishes stats based on complaints it receives, but these represent only a fraction of the problem. There are some public opinion surveys that provide insight into the problem, but again it's not complete. We have little else to go on.
Our first recommendation is that we need a national strategy for gathering reliable, reasonably comprehensive data on the incidence, types, and costs of identity theft in Canada.
On identity theft prevention, our research suggests that identity thieves are benefiting as much if not more from unnecessary collection, storage, and trading of personal information by organizations as they are from deficiencies in criminal law enforcement or consumer credulity and carelessness. In many cases there's absolutely nothing the consumer could have done to protect themselves, short of not dealing with the organization that suffered the leak in the first place.
So if we're to attack this program successfully, efforts will be needed in four key areas: data protection law enforcement, prosecution of identity thieves, consumer rights and remedies, and public education.
We have a reasonably good data protection law here in the form of PIPEDA. The law prohibits organizations from collecting more information than they need, retaining it for longer than necessary, and using or disclosing it for purposes other than those for which the individual has consented. It also requires that organizations put in place reasonable security measures to protect against unauthorized access and identity theft.
The big problem with PIPEDA is not any particular substantive deficiency—many of which you have identified in your recent report on PIPEDA—but rather the fact that PIPEDA lacks an effective enforcement mechanism to encourage industry compliance. As a result, many organizations are collecting far more personal information than they need and holding onto it for longer than they should, thereby exposing individuals to a greater risk of identity theft. There are examples of this we can talk about.
Organizations are also failing to secure the personal information they hold through effective encryption, careful employee screening, and other measures. Our study last year of 64 online retailers, which we provided to you last December, confirms that there is widespread non-compliance with even the most basic requirements of the act.
A data breach notification requirement holds some promise for creating incentives for compliance, but only if such notification is made public and only if breaches are not so frequent and widespread as to diminish the reputational damage of publicity. But even so, breach notification rules need to be supplemented with an enforcement regime that creates a real risk of financial penalty for over-collection of personal data or other violations of PIPEDA that contribute to the ID theft problem.
In our submission last December to the committee we made a number of recommendations for strengthening PIPEDA's enforcement regime, including allowing for class actions against organizations that violate PIPEDA, removing financial disincentives for individuals to pursue lawsuits against organizations for breaches of PIPEDA, and punitive damages as a possible remedy for violation of PIPEDA.
We were disappointed that none of these recommendations was adopted or even mentioned by the committee in its report. Addressing this incentive problem, the most important deficiency of PIPEDA and a key factor in the growing problem of identity theft, in our view, is critical if we want to make headway on this problem.
Turning to the issue of public awareness, there are many excellent websites and brochures explaining ID theft schemes and offering tips to avoid identity theft, but there is still a problem. Individuals continue to fall prey to these social engineering schemes, such as phishing and pharming. Young people are posting detailed information about themselves on the Internet, without appreciating the risks.
We are recommending that the Financial Consumer Agency of Canada be mandated to undertake a national public education campaign on identity theft, in consultation with financial institutions, law enforcement agencies, and consumer organizations. The campaign should focus on the most common scams used by identity thieves to gather information directly from individuals and should use mass media, as well as inserts in government mailings, posters, and brochures in store-front offices.
On the issue of consumer protection, first, victims of identity theft usually have no way of knowing the theft occurred until the damage has been done. We think data breach notification will be very helpful in this regard.
Second, even the most educated and motivated victims encounter tremendously frustrating obstacles when they try to attempt to stop the damage and regain their reputations. If such obstacles were removed, victims would be able to mitigate the damage and take preventative action more quickly. In some cases, they could also assist the police in identifying and prosecuting criminals.
The brief mentions a number of specific consumer protection measures that we think are needed to empower consumers.
Our final recommendations are that all of the players in Canada, from law enforcement agencies to consumer protection agencies to financial institutions to consumer groups, work together to address the problem. We need to develop a national strategy for combatting identity theft, and I have seven recommendations.
First, as I mentioned, amend PIPEDA so as to create meaningful incentives for compliance.
Second, appoint a lead agency at the federal level responsible for gathering and reporting ID theft statistics and for coordinating efforts to combat identity theft across Canada.
Third, as I mentioned already, mandate the Financial Consumer Agency of Canada to undertake a national education campaign.
Fourth, establish a national ID theft victim assistance bureau, again with a mandate to gather statistics, analyze the problem, and make recommendations for legislative and policy reform.
Fifth, require credit-granting institutions to report on incidents of ID theft.
Sixth, provide consumers with rights that improve their ability to detect, prevent, and mitigate the effects of identity theft. Those rights should include allowing consumers access to the version of their credit report relied on by lending institutions, which right now is a problem because they are denied access to that, and allowing consumers the right to a credit freeze upon request to credit bureaus, which again is currently not permitted.
Finally, we need a thorough review of legislation governing credit bureaus, lending institutions, and police agencies, with a view to identifying other ways in which these agencies could assist in the prevention, detection, and mitigation of identity theft.
Thank you.
I'm here today on behalf of the Canadian Consumer Initiative, which is a group of six consumer organizations, including the Public Interest Advocacy Centre, where I work; Union des consommateurs; Option consommateurs, in Quebec; the Automobile Protection Association; and the Alberta Council on Aging. We are presenting to you today our common policy position on identity theft, which we came to agreement on in the last year.
The most important thing to take away from our presentation today is something we're going to echo Philippa's comments on; that is, we believe there's a large role to be played by business and government in attacking identity theft, which has not yet been done, and that consumers also need to be educated, but that the primary steps you can take as legislators would be to move government and business along to better protection of personal information, which will then lead to less identity theft.
I'll just give you a couple of statistics from PhoneBusters, which you probably already have from your researcher. Last year the total reported to PhoneBusters was $16 million in losses on 7,000 to 8,000 complaints, and this is approximately double the amount of money lost but half the number of victims from the year before. I'm not sure if this trend is going to continue, but it's a bit disturbing in the sense that identity theft may be becoming more profitable, and there are more ways to make money from the actual fraud related to it, to be honest.
We also wanted to underline for you that it doesn't have to be this way, because at the federal level, there's a bit of a vacuum in the sense that consumers don't know where to go. When someone gives us a call asking about identity theft, really, I have to take a deep breath and say, where should I send them first? Should I send them first to the police to get their police report? Should I send them to the credit bureau to get their credit report so they know how far this has gone? Should I send them to PhoneBusters to report it? Should I send them to their bank? The actual answer is all of those things, and yet there is no one place for someone to go to the federal government and see that this is the approach to take.
It's not so in the United States, because they have the Federal Trade Commission looking after consumer affairs, and they have taken quite a few steps at their Federal Trade Commission to provide a website that addresses both consumer and business concerns about identity theft.
Take, for example, the FTC's business guide. They have now a safeguard rule in the United States, where if you handle personal financial information you have to follow this rule. It's fairly simple, and it's a bit like PIPEDA, in fact. You have to know what information you have in your files, you have to reduce it to the minimum possible, you have to protect it with security measures that are adequate, you have to dispose of what you don't need, and you have to plan for a data breach.
We have the rule here as well under PIPEDA to do all that; it's just not being done. Our concern here, on behalf of the Consumer Initiative, is that the Office of the Privacy Commissioner of Canada has not been driving that forward, largely because the act itself requires individual complaints. The Privacy Commissioner could take steps to audit companies that seem to have a lot of leaks that might lead to identity theft but has not been terribly aggressive in doing so.
In that situation, it's difficult for us to make recommendations more than Philippa has, along the lines of giving the Privacy Commissioner more authority to act, to make orders, but that has not been suggested by the committee.
One thing we did want to get, and that was suggested in the PIPEDA report, was a breach notification rule. That will lead, we think, to a lot of identity theft being cut off at the knees, if you will, because with the amount of time it takes to actually perform identity theft, a lot of the losses occur in the first two, three, or four days. If something could be put out from the company in that timeframe, people could take some steps to lock down their accounts by calling their bank and getting their credit bureau involved.
One of the things that we suggested for legislation, besides that, was overuse of social insurance numbers, and it still continues today. Social insurance numbers are a key to getting new credit, and part of the identity theft phenomenon is opening new accounts in the victim's name, for which you usually need a social insurance number. The difficulty here is that businesses use social insurance numbers as a unique identifier of the person, and in our common position we called for business to be asked or told in legislation not to use social insurance numbers for that purpose any more and that they be restricted again to what they were originally intended for, which was employment purposes.
Now, we appreciate the difficulty of businesses coming up with a unique identifier and something they can use for credit granting. However, because of the actual nature of the social insurance number being so ubiquitous and used for so many other purposes, it is really a key to fraud. At the bottom line, our position is that we would like the government to look quite hard at the use of social insurance numbers by business and to reduce it to the minimum possible.
Another suggestion in our common position is that the provinces look at credit freezes, so that when you hear about a situation where your identity has been stolen, you can contact the credit bureau and actually disallow any new credit being granted without some extraordinary measures. That's not, perhaps, in your bailiwick, but it does lead to some questions about use of identity information by credit bureaus.
Lastly, you're not dealing with the criminal offences today, but just the mere possession of boxes and boxes of identity at the moment is not a crime, and we are supportive of the justice efforts to make that a crime.
The last thing we'd like to mention comes back to the same point about not having a one-stop shop for Canadians for identity theft. We also have no statistics that are really very detailed on this. We do rely on PhoneBusters, but again, they only take complaints from people who know they take identity theft complaints, so that cuts out a large portion right there, and many other people never actually complain to PhoneBusters.
I know there was an attempt at the RCMP to have a database called RECOL, and I'm not sure where that stands at the moment, but that seems to be an obvious place to try to start centralizing these statistics. An interesting idea that has come about in the United States is asking banks to report on identity theft so that when they get a complaint of identity theft—and they are usually advised by consumers when there's a problem—they could report that either to the RCMP or some other organization to collect statistics on that. We are supportive of that idea, although we haven't put it in our common policy position.
The last point we want to make is that, in this situation, we don't want the consumer to become further victimized, and we see two trends that are not happy ones. One is that financial institutions and others are now offering identity theft insurance, and we don't think that's a silver bullet or really a solution at all because it's not very good coverage. We've done a report on it at PIAC. It covers only your actual time off work to sort out your problems. It doesn't cover the actual identity theft fraud, the money you lose. It has a number of other very minor coverages, but at a more fundamental level, we think it's putting the burden and the cost of trying to deal with identity theft back on the consumer, and it runs counter to the incentive we'd like to give business, which is to protect information more fully.
Finally, we're concerned about the silver bullet, if you will, of biometrics or national identity cards, these sorts of schemes to try to identify a person absolutely. Because identity theft is more of a social crime involving factors like easy credit and lack of care on the part of individuals and over-collection of data, we don't think that having one unique identifier that is linked to everything will make it better. It may in fact make it worse.
So those are our submissions for the committee today, and I'm happy to take questions in English or French. Merci.
Thank you, witnesses, for coming again.
It becomes pretty apparent that this is a three-stool approach to a solution.
First of all, we need to make consumers aware, and I agree with your recommendation. I think that's prudent and that's something that needs to be done very soon, and we should take the initiative to do that.
Secondly, yes, I think there must be responsibility to corporations and those that handle credit information.
Thirdly, we mustn't forget one element that needs to be addressed, and continuously needs to be addressed in society, and that's the criminal element. There is a private member's bill, Bill . Are you familiar with that? Do you understand that it deals with phishing and it deals with I think the phone soliciting, the pretext. How do you feel about that? Are we heading off in the right direction? Are we pretty excited about that now?
Thank you for bringing that up. I'm sure we're not going to exhaust the clock, so let me deal with that. It's not a point of order, but it's a legitimate question. I was going to deal with it.
First of all, the committee decides what we do, not the steering committee. The steering committee makes recommendations. In fact, the steering committee did meet, and it has recommendations, which will be circulated.
The first item of business on Thursday will be the steering committee report. It will be up to the committee to decide whether it wishes to adopt that report, either as presented or as amended.
On the off chance that the committee will adopt that steering committee report, either as presented or as amended, we do have a confirmed witness—one so far—for Thursday. Mr. Jeff Esau is a freelance journalist, who sold his story to the Globe and Mail. He has made two access to information requests with respect to this matter.
Obviously he will be here so we don't lose the time. If we spend the entire meeting discussing the steering committee report, so be it. That's the decision of the committee. But he will be here in the event that the decision is relatively quick. If we don't get to him, he'll be available once the committee makes the final decision.
At the present time, the committee's decision is to proceed with identity theft. But because of the wording of “urgently consider”, I'm putting the steering committee's report as the number one item of business for Thursday morning at 9 a.m.
Does that answer your question?