:
Thank you, Mr. Chair. Good morning, committee members.
My name is John Russo. I am vice-president, legal counsel, and chief privacy officer for Equifax Canada. To my left is our Canadian president, Ms. Carol Gray, and to my right is Ms. Tara Zecevic, vice-president of decision solutions and fraud.
We would like to start by thanking the committee for the opportunity to speak in support of your study of the growing problem of identity theft and its economic impact. We'd also like to congratulate the government for taking such a positive and proactive step to help stem the growth of identity-related crimes in Canada. Canadians truly benefit from coordinated strategies that involve government, law enforcement, industry, and consumers, and this committee is an excellent example of that. Our approach to identity theft is not about individuals stealing from others. It's about broader, deeper ways of taking advantage of a vulnerable system, which are organized, focused, and definitely global in nature.
Think about that for a moment. Think about the ramifications.
With that in mind, we have three key thoughts we'd like to address before the committee.
First, with the rising number of data breaches, the increased use of electronic delivery channels and networks, and the influence of social media in our society, at Equifax we have seen identity-related crimes increasing steadily since 1998. In fact, the number of Canadian identity theft victims increased 14% in 2013, according to the Canadian Anti-Fraud Centre. Another pertinent example we'd like to highlight today is that we estimate today that synthetic or fictitious identity fraud schemes cost Canadians potentially $1 billion a year in losses. They are real numbers based on carefully calculated cost analysis.
Second, we would like to address the types of identity theft—real and synthetic—impacting both businesses and consumers. Finally, we'd like to point out why Canadian consumers and business should be concerned, and what steps they can take to prevent future financial losses and other hardships associated with identity theft.
Before an identity-related crime can be perpetrated, the theft of personal information needs to occur to set up and prepare for the crime. At Equifax we have noticed a substantial increase in the amount of personal information lost by or stolen from a variety of sources, such as rogue or careless employees and other unauthorized access at various institutions ranging from retailers, health care providers, financial institutions, and even, unfortunately, government. Also, keep in mind the increased identity thefts stemming from data breaches. For example, at our bureau, over the past 18 months, we have protected more than 1.5 million Canadian credit files with credit alerts or credit monitoring as a direct result of data breaches, and these numbers are steadily on the rise.
Recent statistics prove that the bulk of these threats to personal information are through malicious or criminal attacks on an organization's database. Data breaches are truly becoming a treasure trove for fraudsters. Key findings published in a recent Ponemon Institute study include the following. Forty-two per cent of incidents involved a malicious or criminal attack. Similarly, data breaches due to malicious attacks cost companies in North America approximately $246 per compromised record, significantly above the mean of $200. Finally, more consumers terminated their relationship with the company that had the breach; the average abnormal churn rate increased by 15% between 2013 and 2014.
When it comes to ID theft prevention, Canadian businesses have taken a number of steps to mitigate the effects of the crime, but the electronic transfer of personal information is critical when processing financial transactions, and there are only so many steps industry can take. Indeed, thousands of personal credit reports are electronically transmitted every day, which are acquired, secured, and used lawfully by our members. Furthermore, thousands of credit applications are also processed daily ranging from bank loans to car financing.
Yet, there have been numerous cases where rogue employees, or “foot soldiers” as we call them, will take credit application information from their place of employment, and much like any trafficker, sell the personal information on those applications to organized crime.
In many of those ID theft investigations, police services report that stolen personal information is frequently found during traffic stops and other lawful searches. Simply put, there is little to no legitimate reason for anyone to possess piles of consumer credit applications, financial information, or other identity-related documentation.
I'd like to provide a little more information on identity theft statistics and trends in Canada. Since 1998, Equifax has been documenting the exponential growth in identity-related crimes. Between 1998 and 2003, Canada experienced a 500% growth in identity theft reports, where applications were submitted and damage was incurred to a legitimate Canadian consumer. From 2004 to 2005, the growth rate levelled. In 2008, the numbers climbed back up to the highs of 2003 and fictitious, also known as synthetic, identity crimes started to blossom.
What are synthetic identity crimes? Synthetic, or fictitious, identity crime occurs when information is either stolen—where components of that information are used to create a non-existent person—or information about an identity is simply made up. The perpetrator often does this by taking the personal information, such as a SIN, of someone who is deceased or not yet part of the credit granting system, like a child, to build a non-existent identity. The perpetrator then monitors progress of the fictitious identity, by pulling credit reports and conducting hundreds of thousands of dollars in financial transactions, before abandoning the identity of the synthetic person they originally created and disappearing without a trace. More concerning is the fact that we commonly see tens, or even hundreds, of fictitious identities operated by the same group at the same time. Organized crime plays a big role in this, with the proceeds of these crimes being used to finance a wider range of other global activities, possibly even terrorism.
Recently, I participated in a CBC investigative report on synthetic identity, following Project Mouse by the Toronto Police Service. To some, this may seem like a faceless, victimless crime, but the consequences are chilling. Fake names on real credit cards, real driver licences, and real passports pose a real threat to national, if not our global security. I encourage you to watch this report by Rick MacInnes-Rae on CBC's The National.
Without question, fictitious identity creation is on the rise, and tens of millions of dollars are being siphoned by organized criminals each year. Correspondingly, Equifax sees, on average, 1,300 fictitious consumer files being created monthly from across the country by fraudsters and other organized criminals. The fact of the matter is that criminals will not stop evolving, and our laws, our security, and our prevention tactics must change with them. Thieves are stealing real IDs or building upon fictitious identities as we speak, and this problem isn't going away without a confluence of legislation, law enforcement, and solutions from organizations like Equifax. It's what we estimate to be a multi-billion dollar business in Canada.
The financial services and credit industries continue to do their part for victims of identity-related crimes by investing millions of dollars each year to detect identity fraud as quickly as possible. Identity-related crimes have grown to a level that affects all Canadians, either directly or indirectly. Unlike 15 years ago, I am hard-pressed to find a person today who hasn't been a victim of an identity crime, had a debit or credit card skimmed, worked with an employee who was terminated for dishonest behaviour, or had credit or other applications submitted using that person's identity. I'm sure many of them are your constituents.
Finally, combatting identity-related crime is a battle that transcends politics. It starts with education and awareness from each individual consumer and every household in Canada, especially, in light of recent data breach incidents, where it is not only individuals losing information, but corporations being hacked or maliciously attacked for your sensitive information; your confidential and personal information.
Hacktivism is on the rise. According to a recent study by ABI Research, hacktivism now represents 47% of all activity around various cyber-threat groups. These hacktivist activities may not seem connected on the surface, but the release of any personal information that can later be used to gather a synthetic or real identity has a real impact on consumers. The term “data breach” has become a household term.
A recent North American study by Javelin Strategy and Research reports that one in every three consumers affected by a breach becomes a true victim of identity theft. This is up from nearly one in four, in 2012. Consumers and businesses should be concerned.
What steps can they take to prevent or at least detect theft and mitigate future damages?
First off, we advise consumers to check their credit file at least once every quarter to spot any abnormalities or possible fraud on their file. Our consumer slogan at Equifax is “check to protect”. You can do so for free, 365 days per year, at any one of the Canadian credit bureaus.
Second, if you are a victim of a data breach incident, ask the organization, at their expense, of course, to provide you with credit monitoring services for at least the next 12 months. From our experience, 12 months is the time period that most identity theft crimes are committed.
Finally, be vigilant on what information you are providing to institutions. Do they really need your SIN or date of birth to conduct a simple retail or rental transaction?
Mr. Chair and committee members, on behalf of Equifax, we commend you for helping to address the growing problem of identity-related crimes in Canada, and for inviting us to speak on these very timely and critical issues.
Thank you.
:
Mr. Chair and members of the committee, thank you for having us.
I'd also like to recognize my associate, Bob Groves, who may advise me as we progress here, depending on your questions. I'd like to take a little different approach here today as both my colleagues at Equifax and TransUnion will focus on the macro level. I'd like to focus on a group that I think are particularly vulnerable and that would be first nations communities.
I'll give you a little background on Forrest Green. We're well versed in supporting public sector organizations. We have secret clearance. We've worked with the Assembly of First Nations and with AANDC.
Our position is that first nations communities are one of the most vulnerable to fraud and financial abuse. We submit that a lack of credit bureau data means they're more susceptible to fraud. In many cases, they don't understand the concept of how credit bureaus function. They rarely check their credit reports, and as a result, individuals I've spoken with are keenly monitored; they get a call from a collection agency....
A member of Parliament called me on Friday indicating they believed they were a victim of identity theft. They knew almost immediately because of the processes that take place. Individuals on reserve are difficult to find, and they rarely reach out and connect with credit bureaus.
On the next page I've provided some insight into a format. It's not a real credit report, and I would submit we were extremely generous when we indicated that less than 5% of first nations have viewed their personal credit report. I would submit that it's closer to 1%. Out of curiosity, can anyone on the committee who has viewed their credit report in the last year put up their hand? Okay, that's impressive. We see that close to half the members here have not viewed it, so imagine remote communities. I think they're particularly vulnerable in that regard.
We implement solutions for online authentication and we work with police services. The next page shows a screen print from the Hamilton Police Service. To avoid having to come in and show photo ID, we have a solution whereby we leverage credit bureau data to authenticate a person, so it's an anti-fraud solution. What's interesting is that when we're dealing with aboriginal communities in remote areas, many of them are low income and the challenge is that the people in remote communities should be the ones who are provided access to online services so they don't have to fly in or drive hundreds of kilometres to show photo ID. Ironically, because they don't have credit bureaus they are the ones who are forced to do these kinds of activities. I think it's important we understand that the ramifications of leveraging credit bureau data are quite profound.
The issue of identity verification is also interesting in the sense that when people are applying for low-wage jobs particularly, credit bureau data is often also used in employment searches and analytics. There's a certain irony that the people who are most vulnerable and who most require access to jobs could be discriminated against because they have poor credit ratings. I realize that's somewhat tangential, but I think there are some interesting relationships with lack of data or poor data, fraud, identity theft, and vulnerability.
I wanted to make some interesting references here to the Standing Committee on Aboriginal Affairs and Northern Development. I think when you look at some of the statistics below, it demonstrates a propensity for aboriginal communities not to trust organizations that gather data; 80% of family allotments are done outside the Indian Act, and 50% of band leasing is unregistered. This demonstrates that aboriginal communities do not trust or have not bought into the concept of sharing data.
I think if there was one theme we could have when we finish this dialogue, it would be that education needs to play a key role in what we're going to do to solve this. We need to talk and we can't just rely on leaders today. They haven't been educated. They can't tell their children how to formulate a good credit report because no one's told them, no one's educated them.
The last page is just further evidence supporting access to information and the challenges of not having identities, not having photo ID, not having credit bureau data. Not only does it lead to fraud, there was an interesting, a sad story, quite frankly, of a lady who had received a settlement for residential schools, had difficulty opening a bank account, cashed the cheque, brought the money home, and was robbed and murdered on reserve.
I think this demonstrates there is a vulnerability of these people, and we need to start examining some of the root causes. I don't think we should forget on this fraud issue that with a lack of documentation—this is my humble opinion—I think they are more vulnerable to fraud than people who can catch it within a week, as many Canadians do. Now, my colleagues here may debate that, in fact, it's much more rampant and difficult, but the people I know who are experiencing fraud are reacting very quickly.
Thank you very much for your time.
:
Mr. Chair and committee, thank you very much for having us attend today. My associate with me is Chantal Banfield, our legal counsel for TransUnion Canada.
A little about TransUnion, and then we'll talk about the issue of identity theft.
TransUnion, as a global leader in credit and information management, creates advantages for millions of people around the world by gathering, analyzing, and delivering information. For businesses, TransUnion helps improve efficiency, manage risk, reduce costs, and increase revenue by delivering comprehensive data and advanced analytics for decisioning. For consumers, we provide tools, resources, and education to help manage their credit health and achieve their financial goals. Through these offers, TransUnion is working to build a stronger economy worldwide, based in Toronto, with our global headquarters in Chicago.
TransUnion is regulated by consumer and privacy legislation. Our core business is consent based, and one needs to consent to obtain a credit file. We screen and audit process our members for prospective members and legitimate businesses. We process millions of pieces of data a month and update our database on a regular basis. We recognize the importance of safeguarding information, and we are pleased to announce we were the pioneers of fraud alerts in the early 1990s.
When you define the issue of ID theft, it really falls into three categories: a data breach or a compromise, the actual potential ID theft that happens as a result of that, and the fraud that occurs after that. Compromises or data breaches are when a hard drive is stolen, such as the student loan portfolio or theft that occurred at Revenue Canada.
We're aware of these compromises through consumers and through companies. One of the problems is that companies do not always report their compromises as recommended by the federal Privacy Commissioner in “Key Steps for Organizations in Responding to Privacy Breaches”.
When you look at the statistics as reported to TransUnion, there are a couple that stand out. The actual number of reported compromises in the last five years has decreased by 30%. What's alarming about that is the number of potential victims actually increased by 600%. Most would assume these data breaches happen at financial institutions, but contrary to that, that is not the case. The number of reported compromises is actually only 8% from financial institutions; 70% of the number of compromises come from the medical, service, or retail industry. If you look at other industries—government, insurance, and finance companies—the numbers are very small.
What are the implications? The implications are that the financial sector is acutely aware of the safeguarding obligations they have to their constituents. When these losses happen through breaches at financial sectors, they typically bear those costs. This is also driven in part by the OSFI requirements, no doubt.
TransUnion does servicing for many of these institutions. We are PCI compliant. We are in line with the ISO standards, and on a regular basis—
:
We are in line with the ISO standards, and on a regular basis, audit under SSAE 16 requirements.
Our data would seem to point to the lack of awareness in industries outside the financial sector and show that there's more need for education in this area, not only in the obligations emanating from a breach but also in awareness around security protocols to prevent a breach.
Awareness by breach notification where warranted will be useful. TransUnion is supportive of the efforts of the government on the part of Bill . While we do not want to inundate customers with notifications, where there is a material risk of harm, there are benefits to customers receiving notification.
Here are some stats on impacts for consumers and TransUnion. The number of potential victims has increased by 600% in the last five years. The number of confirmed fraud victims is up by 100%. Many of these consumers report these frauds to the Canadian Anti-Fraud Centre—PhoneBusters—and while there has been a 300% increase in the number of fraud alerts placed, we still have work to do.
These compromises have a short-term impact on TransUnion and Equifax, increasing call volumes to our centre and requests for alerts to consumer disclosures. We've invested in technology to make that process as effective as possible and to help contribute to that 300% increase in the number of fraud alerts placed on consumer bureaus. What we're doing is helping to reduce the numbers of frauds, and we're pleased that it's not increasing at the same rate of potential victims.
Who pays? The cost is borne entirely by the consumer unless the companies or government bodies that have caused the compromise are willing to step up and pay for the damages that are created. We believe that the burden and those costs should be borne by the companies that compromise the information of the consumer. Not all companies take on this responsibility and agree to pay for these solutions to reduce potential harm to the consumer in mitigating risk.
What should be done? First is notification to the Privacy Commissioner. TransUnion is supportive of the amendments under PIPEDA in this regard in Bill . Where a loss of sensitive financial data has been confirmed, both bureaus should be informed. Where a loss of sensitive financial data has been confirmed, fraud alerts should be placed on both bureaus—at a minimum—to reduce the likelihood of ID theft. As an example, we serve our clients differently, and if a breach has occurred and somebody notifies Equifax, that fraud could still be committed if they go to a financial institution that is serviced primarily through TransUnion. In many cases, both bureaus should be notified.
With respect to synthetic identity, my colleague John Russo talked about synthetic identity and its impact on the Canadian market. In defining the issue, it really is about recreating an identity to commit fraud. In the synthetic fraud, there is no one to complain. There is no constituent to talk to. It is a cost that is borne by many indirectly. In regard to public security, CBC has reported on a few stories, and John referred to the billion dollars in losses that Canadians absorb through different fees and costs. Every consumer pays for synthetic fraud.
How do we work towards a solution? We work with police authorities to report such suspected activities. We take this information, put it into our fraud database, and report it to financial institutions.
The prevention of these crimes requires better technology to ensure that identity cards are not easily replicated and that they cannot be authenticated. If we really want to attack this issue, it also requires the sharing of information between government agencies and the financial sector. The lack of sharing creates silos, and fraudsters take advantage of that.
Today, there's no automated method whereby the private sector can get confirmation as to whether or not a particular piece of ID has been issued by the government or whether that actual ID belongs to the individual who claims it's theirs. TransUnion and Equifax can help by being the conduit to financial institutions, as we already provide, for example, identity verification for AML or KYC. Both of these have been noted in the RCMP paper, the “National Identity Crime Strategy”.
In closing, TransUnion is supportive of the initiative to crack down on identity theft by, first, reporting of breaches through Bill and notification to both bureaus where a data breach of sensitive financial information has been confirmed, and second, ensuring that companies responsible for the breaches bear the burden and the cost for data breaches, not consumers. Third, on the lack of education and awareness outside of the financial sector in the area of data security and safeguarding, TransUnion is supportive of the data breach notification where circumstances warrant as a key to raising that awareness. Fourth, we are also supportive of a focus on and attention given to synthetic identification, allowing for the sharing of information from government to financial institutions for fraud and ID theft prevention, and investing in security measures for identification cards that are relied upon by the private sector for AML purposes and fraud prevention.
Mr. Chair and committee, thank you very much for having us here today.
:
I hear what you're saying, but it strikes me as a business that is just finding every excuse not to provide people with the information that they need. You're probably one of the only businesses ever to come before us and say they have to rely on the mail because more people have access to that.
Honestly, right here, I have access to this. Maybe I'm different, but most people have access to a cellphone. I'd hazard a guess that most people on reserve have access to a cellphone that can give them Internet access as well, and they can download the report for free if you would allow them to do it.
All I'm suggesting is that as things are changing, as identity theft has become more of a problem, there is nobody out there really to protect consumers. You work, obviously, for businesses and not necessarily for the consumer. When a consumer has a problem with what you have done, or the information that you have gathered, through no fault of your own, it is a hard job to change that and we have to pay if we want to change it immediately.
I would suggest that is one of the problems.
But is it another problem that more and more businesses are asking for credit reports? Part of your system of how you judge consumers is based on the number of reports that are being generated. If I want a cellphone, Rogers, Bell, or whatever, will pull a credit report on me, a soft inquiry or whatever they call it.
More and more businesses, for less and less significant matters, are asking you for your information, which impacts consumers in the sense that their credit scores are then impacted, and that's a score that you generate.
Would another answer not be, in order to avoid more people having access, to limit the amount of transactions businesses can ask you to pull a report for?
Although it may be surprising, I share many of the same concerns that my colleague across the way brought up. I also share his cynicism. There's just something bizarre about having to wrestle basic information about yourself that's held in companies who seem to want to render that somewhat inaccessible or difficult to get to. I know that there have been improvements.
At any rate, that won't be my line of questioning. I'd rather talk about the aboriginal situation.
I have two first nations in my riding. I'll be very quick, but maybe I'll illustrate my point with a story I was told by an Algonquin friend on Kitigan Zibi. He decided to buy a boat for his mother, because his mother went out every season to go fishing in a particular place that was quite far. He made a pretty good salary, and one day he came back and bought a boat. He presented it to his mother by surprise. She just kind of looked at him, clueless, so he said to her that this way she could get to her fishing hole quicker. She said, “Well, why would I want to be fast?”
I think the story illustrates that there is a certain headspace that we're all in around this committee, including yourselves, and we're dealing with a fundamentally different way of viewing the world. To integrate these individuals into a system that they may not, in fact, want to participate in.... I don't think we can simply say it's an issue of education. I think it's an issue of choice as well. I think there are individuals who very well know what this system represents and what it means. Communities and individuals are consciously deciding not to participate in it.
One of the reasons would be, well, what will be done with that data? Some of you are in the business of selling that data. Selling data on first nations people is a historical problem, because their data, whether it be cultural, linguistic, artistic, or otherwise, has basically been stolen and made into consumer goods in order to make profit for non-aboriginal companies.
I understand, though, the assumption on the basis that this is good, that this is something that needs to be done. That's why I applaud Mr. Rowe's references to the importance of deep consultation and deep conversations with aboriginal people about this and how that tool can actually be used by the communities by themselves, if they desire to, in order to develop their communities or what have you.
Having said that, Mr. Rowe, it's clear that you've done consultations. I'd like to know what themes come up, what concerns come up, from aboriginal communities about integrating themselves in the entire credit system.
:
That's a great question.
We were at a conference in Toronto recently with several chiefs, Chief Roxane, from Temagami, for example. We had an in-depth conversation. When we were chatting with them, they were initially very hesitant about working with us. It was funny, because when you talk about cultural differences, I was told not to show up in a suit, not to wear a tie. But I thought that was interesting, because my culture is to wear a suit and tie. I don't necessarily need them to change their culture, but I'm not changing my culture. If I always wear a tie, I'm not going to be false to who I am. I think that kind of honesty and those kinds of conversations and behaviours are needed.
We started off with and had very direct and sincere conversations with them. One of the conversations that came up was about Pic River, for example, where they have a huge demand for housing on the reservation. One lady ended up getting a personal loan for 24%. All the banks that were at the conference were pursuing the first nation communities, and they were saying, “We really want your business”. One of the chaps, Moses, who was the housing manager, went up and said, “What is this all about? How can you expect someone to pay a 24% interest rate?”
But, to be fair, the challenge to many of these institutions is that things like ministerial loan guarantees require incredible labour and reviews and bureaucracy in order to secure and in order to allow banks to feel comfortable with moving ahead. The interesting thing is that the number one comment I get is, “I want to be able to build wealth and help my children and grandchildren, and to pass that on”.
Diane Francis recently wrote a new book. It was about kind of a partnership between Canada and the U.S. I'm not so keen on that concept necessarily. But one of the things she talked about was how, in 1776, Congress, by removing lands from the crown and pushing it into allowing home ownership, really kicked off the greatest wealth-creation engine in the history of the world.
It's fascinating. People can look back. We're talking about something hundreds of years old: personal ownership of land. We see wealth in the United States certainly in non-native communities. I think, quite frankly, a lot of natives are sitting back and saying, “Why can't I own my land? Why can't I have financial independence? Why are we prevented from doing this?” But I think it's flipping now to understanding that, quite frankly, banks are global, and they're looking to process loans efficiently and to have reasonable risk.
I think if we can build the files, we can reduce fraud, which is part of the mandate of this committee, but in addition, we can unleash billions of dollars in mortgages for the financial institutions. But let's have it be competitive. Let's have it be at non-native financing rates. I think what's motivating the aboriginal communities is the thought of passing on to their grandchildren and their children property wealth, of having financial independence, and quite frankly, of having autonomy instead of getting a handout.
There's $14.1 billion flowing onto reserve. That's great, but I think a lot of reserves are moving towards financial independence and are looking at changing the paradigm.