I briefly mentioned that in my presentation and I thank you for giving me the opportunity to talk about it at greater length.
First, an information leak does not necessarily mean that fraud or identity theft has occurred. Second, we do not automatically change social insurance numbers after a leak like this because it doesn't really solve the problem or automatically remove all risk of fraud.
Let me explain that first point a little more. If you do not change the social insurance number linked to a certain credit number and if a credit agency uses the old credit number, the person involved will not necessarily be able to get credit. In addition, if a lender does not properly check the identity of that person, and a fraudster borrows money using his name, the lender could ask him to pay the debt. So there can be other cases of fraud if lenders do not correctly check people's identity.
The second reason is that it can create serious problems of access to benefits and services. As I said in my presentation, victims of data breaches must warn everyone, financial institutions, credit agencies, past and future employers, and the managers of pension schemes to which they belonged with their old social insurance numbers, and make the necessary changes. Often, people no longer remember those to whom they have given their social insurance number, especially at the beginning of their careers. That can prevent people from receiving a pension, for example, because it is no longer possible to establish a link between an individual and the benefits to which they are entitled.
At federal level, we would certainly advise the Canadian Revenue Agency and all organizations involved. But changes could be made manually and there may be errors. This could complicate the calculation of pensions or employment insurance benefits. If someone forgets an employer and makes errors, the calculation of employment insurance benefits or the old age pension could be wrong.