//www.ourcommons.ca/Parliamentarians/en/members/957JohnMcKayHon.John-McKayScarborough—GuildwoodLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/McKayJohn_Lib.jpgInterventionThe Chair (Hon. John McKay (Scarborough—Guildwood, Lib.)): (1325)[English] Folks, we're trying to get back on our timeline here. We are waiting for our other witness, but in the meantime, we will proceed with RCMP captain Mark Flynn.You will make your presentation, and if the folks from the Communications Security Establishment come, we'll make arrangements for them to speak as well.The meeting is now public, by the way.For those who are presenters, the real issue here is that the members wish to ask questions. Therefore, shorter presentations are preferable to longer ones.With that, Superintendent Flynn, I'll ask you to make your presentation. Computer crimeDesjardins GroupFinancial service industriesMeeting requested by four members of the CommitteePrivacy and data protection60130236013024601302560130266013027MarkFlynnMarkFlynnMark-FlynnInterventionChief Superintendent Mark Flynn (Director General, Financial Crime and Cybercrime, Federal Policing Criminal Operations, Royal Canadian Mounted Police): (1325)[English]You'll be happy to hear, as I understand the committee was informed, that I won't be making any opening remarks. I am present here today simply to address any questions you may have. As this, on its surface, does relate to an ongoing criminal investigative matter, it would be inappropriate for me to provide details of an investigation, particularly an investigation that is not being undertaken by the RCMP.I welcome all questions. I am here to provide whatever assistance I can.Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protectionRoyal Canadian Mounted Police60130286013029JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham (Laurentides—Labelle, Lib.): (1325)[English]It's a little harder to ask questions without an opening to work off. The first question I have is this. If somebody calls the RCMP with a suspicion of data theft complaint, how does the RCMP treat that from the get-go?Computer crimeCrime reportingDesjardins GroupPrivacy and data protectionRoyal Canadian Mounted Police60130316013032JohnMcKayHon.Scarborough—GuildwoodMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1330)[English]That will depend on the jurisdiction where it occurs. In the jurisdiction where we are, the police have jurisdiction, so they have the provincial and municipal responsibility. It would be forwarded to our intake process there, whether it be our telecoms office, the front desk of a detachment or a particular investigative unit that's identified for that. In cases where we are not the police of jurisdiction, like in Ontario and Quebec where we are the federal police, we will become aware of these instances through our collaboration with our provincial and municipal partners. We will look at the information and determine whether or not there are any connections to other investigations that we have ongoing, and offer our assistance to the police of jurisdiction should they require it, although on many occasions this type of incident is very well handled. We have very competent provincial and municipal police forces that are able to handle these on their own.Computer crimeCrime reportingCriminal investigations and hearingsDesjardins GroupPrivacy and data protectionRoyal Canadian Mounted Police60130336013034David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1330)[English]At what point does something become federal? If something is provincial jurisdiction but affects multiple provinces, does each province have to deal with it separately or is the RCMP able to step in at that point?Computer crimeCriminal investigations and hearingsDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protectionRoyal Canadian Mounted Police6013035MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1330)[English]The RCMP doesn't automatically step in solely because it crosses multiple provinces. As occurs with traditional crimes, whether a theft ring on a border between two provinces, or homicides, the police forces in those jurisdictions are used to collaborating and do so very well.When there's an incident that occurs from a cyber perspective, if it's going to have an impact on a Government of Canada system, a critical infrastructure operator or there are national security considerations to it, or if it's connected to a transnational, serious and organized crime group that already falls within the priority areas we're investigating, then that matter will be something we will step into. From a cyber perspective, we have ongoing relationships and regular communication with most of the provinces and municipalities that have cyber capabilities within their investigative areas. We know that many of these incidents occur in multiple jurisdictions, whether they be domestic or international, so coordination and collaboration are really important. That's why the national cybercrime coordination unit is being stood up as a national police service to aid in that collaboration, but prior to that being implemented, one of the responsibilities of my team in our headquarters unit is to have regular engagement, whether regular telephone conference calls or formal meetings where we discuss things that are happening in multiple jurisdictions to ensure that collaboration and deconfliction occurs, or on an ad hoc basis. When a significant incident occurs, our staff in the multiple police forces will be on the phone speaking to each other and identifying and ensuring that an appropriate and non-duplicating response is provided.Computer crimeCriminal investigations and hearingsDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protectionRoyal Canadian Mounted Police6013036601303760130386013039David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1330)[English] In the case of the incident we're here to discuss, which is obviously a major incident, is the RCMP being kept apprised of what's happening, even if it's not their investigation? Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protection6013040MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1330)[English]I'd like to stay away from discussing this particular investigation, but I can tell you that investigations of this nature absolutely will lead to discussions occurring. That happens as a consequence of the fact that we do have those regular meetings, whether it be in cyber or other types of crime that are going on in different jurisdictions. These, obviously, on a scale of this nature, would lead to discussions.I am not involved involved in any of those discussions at this time. It is not something I have knowledge about. Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protection60130416013042David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin (Glengarry—Prescott—Russell, Lib.): (1330)[English]Thank you, Mr. Chair.Mr. Flynn, thank you for being here. I know that you will not comment on the ongoing investigation, but as a member of Parliament who represents a lot of members who have been impacted—I have been impacted as well—I am looking more at the potential impacts of fraud. I know that many Canadians get fraudulent calls from CRA. I myself called back somebody who pretended they were you guys. They wanted to collect some money for a particular person. They were demanding. They were really adamant. They gave a callback number, and I provided that callback number to the police. Is that something you would advise Canadians to do where obviously the RCMP, or your local police force, is the first point of contact? Allegations of fraud and fraudComputer crimeCrime reportingDesjardins GroupPrivacy and data protection601304660130476013048JohnMcKayHon.Scarborough—GuildwoodMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1335)[English]Absolutely. We actually have a program at the Canadian Anti-Fraud Centre and a close relationship with telecommunications service providers, who have been very helpful in addressing some of the challenges we've had around telemarketing and the mass fraud committed over the telephone. As we learn about numbers that are utilized for fraud, we are validating that, and the telecoms industry is blocking those numbers to reduce the victimization. We have adapted some of our practices to ensure that this occurs at a much more timely rate than it has historically.Allegations of fraud and fraudComputer crimeCrime reportingDesjardins GroupPrivacy and data protection6013049FrancisDrouinGlengarry—Prescott—RussellFrancisDrouinGlengarry—Prescott—Russell//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin: (1335)[English]Just from your experience, and learning from cases of fraud, we know that some of them may have my social insurance number. They may have my email address, as well as my civic address. It could be a very convincing case for them to pretend that they're either a government official or from some type of financial institution. What would you advise Canadians on the best way to protect themselves?Allegations of fraud and fraudComputer crimeCrime preventionDesjardins GroupPrivacy and data protection6013050MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1335)[English]With any mass fraud campaign, whether it be tied to an instance like this or just in general, people need to have a strong sense of skepticism and take action to protect themselves. There are many resources under the Government of Canada, with such organizations as the Canadian Anti-Fraud Centre and Get Cyber Safe, that provide a list of advice for Canadians. It simply comes down to protecting your information and having a good sense of doubt when somebody is calling you. If it's a bank calling, call your local branch and use your local number. Don't respond to the number they provide and don't immediately call back the number they provide. Go with your trusted sources to validate any questions that are coming in. I have experienced calls similar to yours. I had a very convincing call from my own bank. I contacted my bank and they gave me the advice that it was not legitimate. It was interesting, because in the end it turned out to be legitimate, but we all felt very safe in the fact that the appropriate steps were taken. I would rather risk not getting a service than compromising my identity or my financial information. Allegations of fraud and fraudComputer crimeCrime preventionDesjardins GroupPrivacy and data protection60130516013052FrancisDrouinGlengarry—Prescott—RussellFrancisDrouinGlengarry—Prescott—Russell//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus (Charlesbourg—Haute-Saint-Charles, CPC): (1335)[Translation]Thank you, Mr. Chair.Thank you, Mr. Flynn. I'll come back to you in a few moments.The leader of the Conservative Party of Canada, Andrew Scheer, asked me to contact my fellow committee members to convene this meeting. He sent an open letter to the media on July 12, and I'd like to paraphrase a few paragraphs.Like the vast majority of Quebecers and all Canadians, I am worried about the the security of our information technology systems, identity theft and privacy protection.This is a very serious situation, and I understand the fear and anxiety of the victims, whose personal information, including their social insurance number, was stolen. They are worried about how this will affect them in the future. They will have to spend considerable time and energy dealing with this.It is reassuring to see that the leadership at Desjardins Group is taking the matter seriously and working hard to protect and reassure members. The federal government, too, has a responsibility and duty to support all victims of identity theft by learning from the past and strengthening cybersecurity in partnership with all stakeholders across the industry.… I want the victims of this data breach, as well as all Canadians, to know that we stand with them and that a future Conservative government would be committed to tackling the privacy challenges confronting Canadians.Computer crimeCorrespondence and lettersDesjardins GroupPrivacy and data protectionReferences to membersScheer, Andrew6013056601305760130586013059601306060130616013062JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1335)[Translation]We want to be very clear about what an important and serious issue this is—so important, in fact, that we felt it was necessary for the committee to meet on this sunny July 15.Mr. Flynn, you answered the questions of my Liberal colleagues, but I find the RCMP's response to the situation rather weak. Allow me to explain. Some 2.9 million Desjardins account holders are very worried right now. About 2.5 million are Quebecers, and 300,000 are in Ontario and other parts of the country. For the past three weeks, constituents have been contacting our offices non-stop, and the government has yet to respond. The reason for today's emergency meeting is to figure out what the federal government can do to help affected Canadians.You said the RCMP isn't really involved, but can't it do something given that it has its own cybersecurity unit, works with organizations like Interpol and has access to other resources? I don't want to interfere in a police investigation, but we heard that people's personal information was being sold abroad. Isn't there technology or techniques the RCMP can use to detect potential fraud?Computer crimeCriminal investigations and hearingsDesjardins GroupInterdepartmental relationsPrivacy and data protectionRoyal Canadian Mounted Police601306460130656013066JohnMcKayHon.Scarborough—GuildwoodMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1340)[English]The RCMP's role, as I explained earlier, in many of these situations is to work with our provincial and municipal partners. It's important to recognize that our provincial and municipal partners are very skilled at responding to many of these incidents. It's not always the case that the RCMP has additional powers, authorities or capabilities to the ones they have when dealing with an incident that is singular in nature, where an individual is involved in a single event, as opposed to a broader one.However, there's always a standing offer from the RCMP to our provincial and municipal partners, that should they require technical assistance, advice or guidance, we are available to them for that. It would be inappropriate for the RCMP to inject itself into the jurisdiction of another police force to run the investigation they are operating. Computer crimeCriminal investigations and hearingsDesjardins GroupInterdepartmental relationsPrivacy and data protectionRoyal Canadian Mounted Police60130676013068PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1340)[Translation]I understand what you're saying about the investigation probably being conducted by the Sûreté du Québec, but what the Conservatives and NDP want to know is this. What can the RCMP do about the personal information of 2.9 million people that was handed over to criminals? I don't want to discuss the investigation; I want to know whether you have resources. If you don't, we want to know. That's why we are here today. If personal data was sold on the international market, neither the Quebec provincial police nor Laval police is going to deal with it. I think it falls under RCMP jurisdiction. Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protectionRoyal Canadian Mounted Police6013069MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1340)[English]Again, outside the scope of this particular investigation, cybercriminals do commit the majority of their crimes to gain access to personal or financial information for the purposes of gaining access to financial institutions and the money that's housed in those locations. The RCMP work continuously with the international community to identify and pursue the individuals who are committing a great number of these crimes. The RCMP are working closely right now with those international partners, as well as many of the large financial institutions in Canada and the Canadian Bankers Association, to ensure that we are targeting the individuals who are causing the most significant harm. Our federal policing prevention and engagement team has hosted sessions with both the financial institutions and the cybersecurity industry. We have a new advisory group that's helping us target those individuals.As far as knowledge goes, it's only in the hands of those cybersecurity and financial institutions. We're trying to ensure that as we are putting the resources we have into investigations, we are targeting those individuals who are causing the most harm. We do that, as well, internationally. As incidents occur, we speak to our international law enforcement partners. We identify the behaviours we have in our cases or in our Canadian law enforcement partners' cases, so that if there are connections or individuals who are in those other jurisdictions, we're using the mutual legal assistance treaty, and we're using police-to-police collaborative efforts that we have to ensure that, internationally, all of those efforts are put towards a problem.Now, I want to stay away again—and I apologize for doing that—from this exact incident. I cannot express what is or is not being done in this particular incident.Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protectionRoyal Canadian Mounted Police60130706013071601307260130736013074PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1340)[Translation]Since the problem came to light, has the RCMP set up a special unit to help deal with it?Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protectionRoyal Canadian Mounted Police6013075MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1340)[English] I am unable to speak about this particular incident. It would be inappropriate for me to do so.Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protectionRoyal Canadian Mounted Police6013076PierrePaul-HusCharlesbourg—Haute-Saint-CharlesJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé (Beloeil—Chambly, NDP): (1340)[Translation]Thank you, Mr. Chair.Thank you for being here today, Mr. Flynn.It's important that we talk about this situation because, as my colleague pointed out, people are worried. It's essential that we find out more about the federal government's capacity to take action and the means we have at our disposal, especially since the committee just wrapped up a study on cybersecurity in the financial sector before Parliament rose in June. I'll touch on some of the things the committee looked at in its study because they pertain to the matter at hand.I'd like to follow up on some of your answers. First of all, it is rumoured that personal data was sold to criminal organizations outside Quebec and Canada. I know you can't comment on this case specifically, but at what point does the RCMP step in to assist the highly competent people at such organizations as the Sûreté du Québec when a case involves a criminal organization operating outside Canada that the RCMP is already monitoring?Computer crimeDesjardins GroupInterdepartmental relationsPrivacy and data protectionRoyal Canadian Mounted Police6013079601308060130816013082JohnMcKayHon.Scarborough—GuildwoodMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1345)[English]We have formal, regular engagement with our policing partners across the country. That occurs on a monthly basis in the cyber area, as well as biweekly in some other areas. However, when there are incidents such as this, as you described, there are immediate calls that go out to ensure that collaboration is occurring and that any of our international partners' information that's relevant could be utilized to aid in those investigations.Computer crimeDesjardins GroupInterdepartmental relationsPrivacy and data protectionRoyal Canadian Mounted Police6013083MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1345)[Translation]Thank you.You said local police forces, the Sûreté du Québec and the Ontario Provincial Police were very competent when it came to dealing with cybersecurity issues and had significant powers. Does the RCMP have special expertise or information that could help them?The reason I ask is that the government touted the consolidation of the cybersecurity capacity of the Communications Security Establishment, or CSE, the RCMP and all the other agencies concerned as a way to ensure information was shared and everyone was on the same page. I'll be asking Mr. Boucher, of the Canadian Centre for Cyber Security, about this as well when we hear from him.Do you engage municipal or provincial police, as the case may be, in the same way?Computer crimeDesjardins GroupInterdepartmental relationsPrivacy and data protectionRoyal Canadian Mounted Police6013084601308560130866013087MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1345)[English]Yes, we do. We work very closely, as I've stated, with our provincial and municipal police agencies. In fact, I take great pride in the fact that at some of those meetings that I described, where our federal policing prevention and engagement team brought together the private sector, financial institutions and cybersecurity, one of those policing partners actually stood up at the front of the room and thanked the RCMP for the collaboration they are seeing in the area of cyber, which is far better than anything they've ever seen in their career. I take great pride in that because that has been a priority for me, my staff and our engagement folks, to ensure that we are not being competitive but are being collaborative and, in that collaboration, we are supporting each other. We are not superseding other police forces' authorities, but we're also ensuring that we can assist the others in that.Computer crimeDesjardins GroupInterdepartmental relationsPrivacy and data protectionRoyal Canadian Mounted Police60130886013089MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1345)[Translation]Thank you. I don't mean to cut you off, but I have a limited amount of time.When the committee was studying cybersecurity in the financial sector, we talked about the fact that people tend to think of state actors as being the threat. I won't name them, but I'm sure everyone has an idea of the countries that could pose a threat to Canada's cybersecurity.I realize you can't talk about it, but in this particular case, we are dealing with an individual—an individual who poses a threat because the stolen data can be sold and could end up in the hands of state actors. One of the things the committee heard was that individuals represent the greatest threat. Is that always the case? Does a lone criminal wanting to steal data pose a greater threat than certain countries we would tend to suspect?Computer crimeDesjardins GroupPrivacy and data protection601309060130916013092MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1350)[English] The threat comes from multiple directions, and I can't say which is greater, because, in our experience, we have seen a significant number of organized groups or individuals perpetrating the crimes across the Internet. The Internet is an enabler as much as it's a tool for us to use in leveraging and utilizing all the fantastic services that are out there.Computer crimeDesjardins GroupPrivacy and data protection6013093MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1350)[Translation]I have to cut you off because I'm almost out of time.Has the presence of organized groups or countries with ill intentions seeking to buy personal data created some sort of marketplace? Do individuals like the alleged perpetrator in this case have an incentive, albeit a malicious one, to steal information and sell it to interested parties? Does the existence of these groups incentivize individuals who have the expertise to do things they wouldn't normally do?Computer crimeDesjardins GroupOrganized crimePrivacy and data protection60130946013095MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1350)[English]Yes, absolutely. We have seen a rise in what we refer to as cybercrime as a service to aid others who are less skilled at committing cyber offences, whether they are creating the malware, operating the infrastructure, or creating the processes by which somebody can monetize the information that is stolen. That is a key target area for the RCMP under our federal policing mandate, and we are targeting those key enabling services so that we can have the most significant impact on the individual crimes that are occurring, as opposed to chasing each individual crime.Computer crimeDesjardins GroupOrganized crimePrivacy and data protection6013096MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—ChamblyAndréBoucherAndré-BoucherInterventionMr. André Boucher (Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment): (1350)[Translation]Thank you, Mr. Chair. As requested, I'll keep my presentation on the shorter side.Mr. Chair and honourable members of the committee, my name is André Boucher, and I am the associate deputy minister of operations at the Canadian Centre for Cyber Security.Thank you for the opportunity to appear before you this afternoon.Let me begin with a brief overview of who we are.The Canadian Centre for Cyber Security was launched on October 1, 2018 as part of the Communications Security Establishment. We are Canada's national authority on cybersecurity and we lead the government's response to cybersecurity events.As Canada's national computer security incident response team, the cyber centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response.The cyber centre's partnerships with industry are key to this mission. Our goal is to promote the integration of cyber defence into the business model of industry partners to help strengthen Canada's overall resiliency to cyber threats. Despite these efforts and those of Canada's industry, cyber incidents do still happen.This brings me to the topic we are here to discuss today. The cyber centre is not in a position to provide any details on this incident and does not comment on the cybersecurity practices of specific businesses or individuals. Any cyber breach, not just this specific instance, can be taken as an opportunity to revisit best practices and to refine systems, processes and safeguards.In this case, media reporting and public statements indicate that the disclosure of personal information occurred as a result of the actions of an individual within the company—what is termed insider threat.[English] In our recent introduction to the cyber-threat environment, the cyber centre described the insider threat as individuals working within an organization who are particularly dangerous because of their access to internal networks that are protected by security parameters. For any malicious actor, access is key. The privileged access of insiders within an organization eliminates the need to employ other remote means and makes their job of collecting valuable information that much easier. More broadly, what this incident underscores is the human element of cybersecurity. The insider threat is only one example of this. Cybercriminals have proven especially adept at exploiting human behaviour through social engineering to deceive targets into handing over valuable information. Fundamentally, the security of our systems depends on humans—users, administrators and security teams. What can we do in a world of increasing cyber-threats? At the enterprise level, adopting a holistic approach to security is critical. This means starting with a culture of security and putting in place the right policies, procedures and cybersecurity practices. This ensures that when something goes wrong, as it almost inevitably will, there is a plan in place to address it.Then we need to invest in knowing and empowering our people. Training and awareness for individuals and businesses are very important. Only with awareness can we continue to develop and instill good security practices, a fundamental step in securing Canada's cybe systems.As well, we always need to identify and protect critical assets. Know where your key data lives; protect it; monitor the protection, and be ready to respond. At the cyber centre, we'll continue to work with industry and to publish cybersecurity advice and guidance on our website. We regularly issue alerts and advisories on potential, imminent or actual cyber-threats, vulnerabilities or incidents affecting Canada's critical infrastructure. Under, we hope, different circumstances, we'll continue to participate in conversations like this one, which help to keep the spotlight on these issues. Ultimately, there is no silver bullet when it comes to cybersecurity. We cannot be complacent; there is too much at stake. While long-promised advances in technology may make the task easier, the need for skilled and trustworthy individuals will remain a constant. Thank you, and I look forward to answering your questions. Allegations of fraud and fraudCommunications Security EstablishmentComputer crimeDesjardins GroupFinancial service industriesInformation disseminationPrivacy and data protectionRisk management601310760131086013109601311060131116013112601311360131146013115601311660131176013118601311960131206013121601312260131236013124JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard (Montarville, Lib.): (1355)[Translation]I would like to preface my remarks by pointing out that the incident we are discussing today falls entirely within the parameters of the study we began in January on cybersecurity and financial crime. As suggested by my fellow Liberal members, I put forward a motion that we study the issue. That shows how deeply concerned we are about cybersecurity in financial institutions. I'm delighted that Mr. Scheer commended our efforts in relation to the study. He fully supports my motion, and I'm glad that his party is joining the Liberal Party in its efforts to address the issue of cybersecurity in financial institutions, so thank you.Mr. Flynn, I think it's important to speak to Canadians today to help people manage their expectations when something as serious as identity theft occurs.The public wants the police to conduct a criminal investigation. Generally, people want something done about the loss of their personal information. They want their identity to be restored, without having to worry that five, 10 or 15 years down the road, they will once again be targeted. In terms of a criminal investigation, what are people's expectations?Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protection6013127601312860131296013130JohnMcKayHon.Scarborough—GuildwoodMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1355)[English]From a policing perspective, I believe that the public expectation is that police are going to pursue the person and anyone associated with that person who is involved in either the theft or the monetization of information—whether through cyber-threat, cyber-compromise, insider threat, or so on—and hold them to account and bring them into the judicial process to ensure that there are consequences, and that steps are taken to prevent this type of incident from occurring. Computer crimeCriminal investigations and hearingsDesjardins GroupPrivacy and data protection6013131MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1355)[Translation]It's very hard for people to understand just how difficult it is to prove that you are the person you say you are. How are people supposed to prove their identity? It's extremely challenging when three different people are out there using the same name and social insurance number.Allegations of fraud and fraudComputer crimeDesjardins GroupPrivacy and data protection6013132MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1400)[English] It's not an area of expertise for me, as a police officer, to confirm identity. I would go back to my earlier statement about using your local resources, whether it be financial institutions or other types of service. If you're able to use a local service to confirm it, that is your best way to deal with those companies when there are questions about your identity.Allegations of fraud and fraudComputer crimeDesjardins GroupPrivacy and data protection6013133MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1400)[Translation]To a certain extent, the criminal investigation is a way to ensure justice is served, provided that it leads to the perpetrators being nabbed, the evidence being used to successfully prosecute them and their being punished, mainly sent to prison.That said, data on the black market represent virtual assets, ones that aren't housed in a physical location. Data can be located in many places. I'm not trying to alarm people, but it's important for them to understand that, even if the perpetrators are arrested, it doesn't necessarily mean that their data are no longer vulnerable and their identity can be restored.Allegations of fraud and fraudComputer crimeDesjardins GroupPrivacy and data protection60131346013135MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1400)[English]That is correct. It's important to point out that the only measure of success is not necessarily prosecution. In fact, in the cyber area many of those prosecutions will occur in other jurisdictions as we work collaboratively. One of the approaches in the RCMP, and I know in some of our other police forces as well, is that we are bringing financial institutions and cybersecurity experts into our investigations. That is different from what we traditionally have done in our criminal investigative efforts. That has already borne fruit. It has already provided significant advantages. Those “partners”, as I refer to them, are able to see information that we as police officers might not know is important and we may not independently be able to identify that this could be used to provide protection for their customers. I know of at least one incident in a major investigation we've been undertaking where several financial institutions, through that collaboration, were able to identify and reduce potential harm to accounts that through that sharing were identified as compromised. So I think the approach we are taking is providing benefits that are not solely measured by arrest and prosecutions. Allegations of fraud and fraudComputer crimeDesjardins GroupPrivacy and data protection601313660131376013138MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1400)[Translation]Mr. Boucher, your centre provides advice to other organizations. How can a business protect itself from its own staff? What advice do you have for businesses in that regard?As we saw this winter, there is every reason to believe that banks, financial institutions and financial service companies have the best possible technology to protect their data from outside threats. What concerns us are threats from the inside. I don't think any software out there can protect against that risk. How do you advise organizations to safeguard against the human element when it comes to fraud?Computer crimeDesjardins GroupPrivacy and data protectionRisk management60131396013140MarkFlynnAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1400)[Translation]Thank you for your question.That ties in with my opening statement. A few tools are available, but what works best is going back to the basics—in other words, taking a holistic approach to security.First, that means a well-established internal security regime for staff. It is important to understand exactly where the information that needs protecting resides, to know the individuals the organization works with and to constantly update the security regime. An individual's personal situation can easily change after they've been interviewed, so an organization should have those kinds of conversations with staff members on a regular basis. For individuals, a clear training and education program should be in place, one that includes refreshers, and the underlying processes should be clear.IT teams have access to data loss prevention tools that can help to detect fraud. By the time fraudulent activity is detected, however, it's often too late. It is therefore important that organizations invest as early as possible in measures that build trust and confidence and that they work with reliable people.Computer crimeDesjardins GroupPrivacy and data protectionRisk management6013141601314260131436013144MichelPicardMontarvilleJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz (Medicine Hat—Cardston—Warner, CPC): (1400)[English]Thank you, Chair.Thank you, witnesses, for being here. Mr. Boucher, I was intrigued by your opening comments on the Canadian Centre for Cyber Security being the national authority on cybersecurity and leading the government's response to cybersecurity events:As Canada's national...security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses, and international partners to prepare for, respond to, mitigate, and recover from cyber incidents.That's fantastic. It also leads to this question by me: What standards or measures do we have in place now? We consider banking in Canada to be a critical infrastructure in this country. What standards are in place at this moment to ensure that those are met? Do we have incentives? Do we have penalties? Do we have anything in the way of ensuring that we have a uniform approach across the industry to make sure that Canadians are safe? It's Canadians we are here for and are serving in that capacity. I'm curious to know if we have a mandatory baseline that everybody needs to operate at. If we don't, how come? And how can we?Computer crimeDesjardins GroupPrivacy and data protectionSetting of standards60131476013148601314960131506013151JohnMcKayHon.Scarborough—GuildwoodAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1405)[English] Thank you for your question. It's a vast question. I think you will have testimony this afternoon from experts from that specific sector of financial institutions. I would say that from a cybersecurity perspective, the financial sector is quite mature, where we have both regulators in place and best practices that are part of the community. As cybersecurity-focused experts, we put a lot of effort into that collaboration in those best practices. We leave it to the regulators who are sector-specific to put in those minimum standards and guidelines that need to be in place, enforced and reviewed. We in fact appeal to the best and try to tease that up as much as possible for entire sectors, in this case the financial sector. The financial sector is one that's very mature. It's one where collaboration is established. It is where reputational risks are measured at their true value. Significant investments are made in that regard.From a Canadian perspective, I would feel quite reassured that as a sector, there are both minimum standards and applications through the regulators that are in place and teams that are working at bringing the best out of enterprises so that they perform as well as possible.Computer crimeDesjardins GroupPrivacy and data protectionSetting of standards601315260131536013154GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1405)[English]Approximately 2.9 million entities, individuals and Canadian businesses, are impacted by this particular occurrence, but millions of others across this country have also been victims of having their identities and credit card information stolen. They may not find solace in that particular statement that we have a mature banking industry in this country, because they continue to be victimized. I'm curious to know whether we are as vigorous in that way as we could or should be in pursuing the financial security of those institutions and of the people who put their trust in them.Computer crimeDesjardins GroupFinancial service industriesPrivacy and data protection6013155AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1405)[English]I can assure you that we're quite vigorous in taking all the measures at our disposal, whether they be best practices in collaboration or measures that are enforced and in place. The sad or unfortunate reality that we all have to compose with is that, as was pointed out earlier, when data gets lost and gets in the wild, we never get to recover it. It is not like a tangible asset that you can go and purge and bring home. It is a new reality for clients, it is a new reality for customers and it is a new reality for enterprises. I would go back to the comment I made earlier that it just puts more fuel into the need to invest early, with early investments in having programs, in choosing our employees better, and in making sure we have a holistic approach to security to make sure we don't find ourselves trying to recover our losses.Computer crimeDesjardins GroupFinancial service industriesPrivacy and data protection601315660131576013158GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1405)[English]Okay. Thank you.Chief Superintendent Flynn, as we've learned from this circumstance and from others, data is the hottest commodity on the dark web. We know that. People's names, addresses, dates of birth, social insurance numbers, IP addresses, email addresses—all those sorts of things are commodities that are traded at will on the web. I guess a couple of things come to mind for me. Can you help the Canadian public understand, number one, how that information is used by the criminal element, and number two, how they can then be vigilant? You answered Mr. Drouin partially with a response, but as the law enforcement agency in this country, what red flags or alarms could you make the Canadian public aware of that they need to be vigilant about if they've been compromised, and even before they become compromised?Computer crimeDesjardins GroupPrivacy and data protection60131596013160AndréBoucherJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88994JulieDabrusinJulie-DabrusinToronto—DanforthLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DabrusinJulie_Lib.jpgInterventionMs. Julie Dabrusin (Toronto—Danforth, Lib.): (1410)[Translation]Thank you.When we did our study on financial institutions and cybersecurity, we heard that banks had extensive security measures in place—something people may be questioning now. We also heard people being talked about as though they were cardboard boxes.What can people do to better protect themselves? Can you give us any helpful information or details? Is there a place where members of the public can turn for information on how to better protect themselves—a website or a telephone line, perhaps? Is there anything you can tell us, Mr. Boucher?Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection601316360131646013165JohnMcKayHon.Scarborough—GuildwoodAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1410)[Translation]Thank you for your question.We have an extensive program. On our website, cyber.gc.ca, people can find information on how to protect themselves. Of course, people have to be aware when they are online. That is the most basic rule of cybersecurity. People have to know not only how to use the Internet, but also what they are sharing with others online. We are constantly running campaigns to educate people on using their devices securely and being smart about who they choose to share confidential information with.Having the best protection and keeping it up to date is the first step, but making smart choices is another. People should visit only the sites of companies they consider to be reliable and reputable. Once they've done those two things, people need to choose what information they agree to share with the company. It's a three-step approach, and it is all available in the information and guidance we provide to people.Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection601316660131676013168JulieDabrusinToronto—DanforthJulieDabrusinToronto—Danforth//www.ourcommons.ca/Parliamentarians/en/members/88994JulieDabrusinJulie-DabrusinToronto—DanforthLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DabrusinJulie_Lib.jpgInterventionMs. Julie Dabrusin: (1410)[Translation]I see.I also saw a lot of information about passwords. For instance, it mentioned people who use the same password for all of their online accounts.Can you share some things people can do to protect themselves when it comes to their passwords? That's an important element.Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection601316960131706013171AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1410)[Translation]Yes. I always look for opportunities to promote our website, so on our website, we talk specifically about how long and complex passwords should be. We also provide some tips. I encourage people to explore our website for themselves. It is often said that people should change their passwords regularly, but the problem with that is having to memorize a bunch of ever-changing passwords. The guideline has evolved over time. Nowadays, it is recommended that people choose at least one strong password, using certain parameters, which are available online, based on password length and/or complexity, depending on the available options. If it's possible to have a password containing up to 15 characters, people should try to choose a password that uses all 15 characters. If the password can have only eight characters, that's pretty bad, but people should at least choose a more complex password.Constantly changing one's passwords is of minimal benefit if it means people have to write them down somewhere or use the same one for many different sites. What we want people to do is be diligent about choosing their passwords: choose something that is unique and as strong as the provider's parameters allow. People can use the same password, but if a data breach occurs, they have to act fast, changing their password and taking additional security measures. It's important to do a combination of things.Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection60131726013173JulieDabrusinToronto—DanforthJulieDabrusinToronto—Danforth//www.ourcommons.ca/Parliamentarians/en/members/88994JulieDabrusinJulie-DabrusinToronto—DanforthLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DabrusinJulie_Lib.jpgInterventionMs. Julie Dabrusin: (1410)[Translation]The other problem is that once people have a password that works well, they use it for all their online accounts. Some sites tell users that their passwords have to be longer, more complex or what have you, but they never remind people not to use the same password all the time or to use a different password than they do for other accounts. Would you mind talking about that as well?Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection6013174AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1410)[Translation]Now you're asking me to be very pragmatic.Ms. Julie Dabrusin: Yes, but this is pragmatic stuff.Mr. André Boucher: What I would advise people, other than being very pragmatic, is to base their passwords on their level of uncertainty when it comes to the various online services they are using. For instance, for online banking, people should use a number of distinct passwords that are as complex as possible. However, for their online account with their local curling club, say, people may wish to be a little less rigorous and use the same password a few times, even though that isn't what I would recommend.Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection601317560131766013177JulieDabrusinToronto—DanforthJulieDabrusinToronto—Danforth//www.ourcommons.ca/Parliamentarians/en/members/88994JulieDabrusinJulie-DabrusinToronto—DanforthLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DabrusinJulie_Lib.jpgInterventionMs. Julie Dabrusin: (1410)[Translation]What can banks do to better educate the people using their services?Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection6013178AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1410)[Translation]I believe most, if not all, banks require a minimum level of sophistication when it comes to the passwords they accept. They already have a certain standard in place to protect themselves from clients who are less diligent than they should be in selecting a password.Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection6013179JulieDabrusinToronto—DanforthJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke (Beauport—Limoilou, CPC): (1410)[Translation] Thank you, Mr. Chair. I'm very pleased to be here today.Thank you, gentlemen, for being here and giving up your time to reassure Canadians and answer our questions.One of the cornerstones of the social contract that exists across this land is the protection of citizens, not just the protection they offer one another, but also the protection provided to them by the government. For the past three weeks, constituents in all of our ridings have been profoundly concerned. Two days after the data breach was made public, people started coming to my office. When I would knock on people's doors, that's all they would talk about. That tells me people are genuinely concerned and feel that the government has done nothing in response.The question my constituents want you to answer, Mr. Boucher, is very simple. Can the Canadian Centre for Cyber Security indeed ensure the 2.9 million Canadians affected by this data breach are properly protected, yes or no?Does your centre have the tools to respond to the situation and ensure the victims of identity theft are protected?Computer crimeDesjardins GroupIdentity theftPrivacy and data protection60131826013183601318460131856013186JohnMcKayHon.Scarborough—GuildwoodAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1415)[Translation]It's fair to say that the Canadian Centre for Cyber Security has the resources to deal with all aspects of cybersecurity. The case we are talking about today involves an insider threat and stolen information. Strictly speaking, it's not a cybersecurity issue.Desjardins GroupIdentity theftPrivacy and data protection6013187AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1415)[Translation]I'm not talking about what's already happened. I'm talking about what's going to happen next. That's what worries people. I want to know whether the Canadian Centre for Cyber Security has the capacity to deal with international or national fraudsters who send text messages or whatever it may be.Does your centre have the capacity to deal with that?Desjardins Groupe-SecurityPrivacy and data protection60131886013189AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1415)[Translation]I'm not trying to evade the question, but the issue actually comes down to legislation or fraud. It's not a cybersecurity problem. That's not to say, however, that, if we see something happening, we aren't going to respond.The first thing we do every day is talk to our partners, including the RCMP, to share what we know and update them on anything new. We make sure that whoever is responsible for the matter does something with the information we provide. The national team is the best there is and won't let anything fall by the wayside. The members of the team endeavour to fix any problems and do everything they can to keep Canadians' information safe.Desjardins Groupe-SecurityPrivacy and data protection60131906013191AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1415)[Translation]I'm going to take advantage of your cybersecurity expertise.Is Canada's current social insurance number regime appropriate in a modern age dominated by the Internet? We are at the point now where people shop on their cell phones and pay for their purchases at the cash in mere seconds. Is our system of social insurance numbers adequate in the world we live in?Desjardins Groupe-SecurityPrivacy and data protection60131926013193AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1415)[Translation]Thank you for your question. You don't ask easy ones, Mr. Clarke.I'm not an expert in social insurance numbers or their use, but I can talk about identifiers. No matter what identifiers are used, whether they involve complex or simple cryptology, information management is always an issue and the potential for data theft always exists. It's a very complex issue, and I'm going to let the experts in social insurance numbers speak to your specific question.The bigger problem, as I see it, is how identifiers are managed. They are key pieces of information, and learning how to manage them properly in the large security systems I was talking about earlier is crucial.Desjardins Groupe-SecurityPrivacy and data protection601319460131956013196AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1415)[Translation]Superintendent, my next question is along the same lines as that of my fellow member, Mr. Motz.Whether they've approached me on the street, come to my office or answered the door when I was canvassing, everyone has asked me the same question. They want to know what crimes these fraudsters are going to commit down the road. They want to know what to expect. What crimes will the 2.9 million victims of this massive data breach be the target of in the future?In addition, how long will it be before those crimes are committed? The media are reporting all kinds of things. We are hearing that it will take five or 10 years before the fraudsters do anything—that they'll wait until the dust has settled.Desjardins GroupElectronic data protectionPrivacy and data protection601319760131986013199AndréBoucherJohnMcKayHon.Scarborough—GuildwoodMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1415)[English]The reality is that whenever personal information, passwords, etc., are released on the Internet, they are there forever. People need to be cautious and vigilant about that, and use the services that are available, like credit monitoring, etc., to ensure that triggers are put in place to notify them when someone's trying to use that information, to help prevent an actual fraud from occurring. I'm trying to respect the timeline.Desjardins GroupElectronic data protectionPrivacy and data protection60132016013202JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1420)[Translation]About 15 years ago, I was in an IRC channel—I'm not sure whether you're familiar with that forum—and someone was selling credit card numbers, along with the three-digit code on the back and the billing address. Everything was ready to go. The person was offering to sell them to people. I felt that was wrong and I wanted to call the police or some other authority, but no one replied or knew what to do.If someone saw something similar happening on the Internet today, is there someplace they could call to report it?Computer crimeDesjardins GroupPrivacy and data protection60132056013206JohnMcKayHon.Scarborough—GuildwoodMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1420)[English]The RCMP operates the Canadian Anti-Fraud Centre in partnership with the Ontario Provincial Police and the Competition Bureau. That is one of your best places to go to report fraudulent activity, whether it be the telephone numbers that people are calling from, or an individual identity theft or fraud that occurred. They collate that information. They share that information. Police investigations are launched based on the collation of that. That would be the first place you should call, as well as your local police force.Local police forces—whether they be the RCMP or, in Ontario and Quebec, another police force—need to hear about the crimes that are occurring. There are connections between organized crime involved in fraud and other criminal activities.Computer crimeDesjardins GroupPrivacy and data protection60132076013208David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1420)[Translation]What powers does the Canadian Centre for Cyber Security have? What can the centre do?Canadian Centre for Cyber SecurityComputer crimeDesjardins Groupe-SecurityPrivacy and data protection6013209MarkFlynnAndréBoucher//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1420)[Translation]I mean generally. At the centre, do you accept comments from people on the outside, or do you work only with businesses? Explain how it works, if you don't mind.Canadian Centre for Cyber SecurityComputer crimeDesjardins Groupe-SecurityPrivacy and data protection6013211AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1420)[Translation]As I explained earlier, the Canadian Centre for Cyber Security is responsible for providing advice. It prepares and protects information of national interest. It is responsible for incident management and response, including mitigation strategies. Every step is undertaken in coordination with the centre's partners, as per its mandate. When a fraud-related issue arises, the national team is called in. It is made up of centres that have already been appointed. We make sure all stakeholders have access to the available information so we can move forward. Work on the case continues, and if more information becomes available, it is shared with the person responsible.Here's where the value of this business model lies. If something changes while the case is under way—for instance, if it ceases to be an investigation—the Canadian Centre for Cyber Security takes over until the victim receives or, rather, until the case is closed.Canadian Centre for Cyber SecurityComputer crimeDesjardins Groupe-SecurityPrivacy and data protection60132126013213David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1420)[Translation]Earlier, we were talking about passwords. Nowadays, we see two-factor authentication being used a lot more for bank accounts. Could the same thing be done for social insurance numbers?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013214AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1420)[Translation]I'm going to say the same thing I did earlier. I'm not an expert in social insurance numbers, but we strongly advise people to use two factors whenever possible. It's not perfect, but it improves the security of their information.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013215David de BurghGrahamLaurentides—LabelleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1420)[Translation]I'd like to revisit the issue of a unique identifier.Other models exist. On other committees, we've talked about the popular Estonian model, I believe. It's a system that's in line with our discussions on open banking. All the information is centralized and people can access it using a unique identification number.At the end of the day, no matter what you call it, a social insurance number is a unique identification number, so it's important to understand the system's limitations. It's all well and good to have the ultimate ultra-modern system, but if a single unique identifier is assigned to an individual, the information will always be vulnerable if someone gets a hold of it.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers601321660132176013218AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1420)[Translation]Absolutely. I can't name them today, but a number of countries around the world have endeavoured to adopt a system that relies on a national unique identification number. Some have been successful, and others, less so. As you said, the number becomes an essential piece of information and the slightest vulnerability puts the data at risk.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013219MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1420)[Translation]Does your centre manage its employees' personal information itself?Computer crimeDesjardins GroupPrivacy and data protection6013220AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1420)[Translation]Yes, absolutely, using all the measures I mentioned earlier.Computer crimeDesjardins GroupPrivacy and data protection6013221MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1420)[Translation]How do you protect against an employee who wakes up in a foul mood one day and decides to help the other side?Computer crimeDesjardins GroupHuman resourcesPrivacy and data protectionRisk management6013222AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1420)[Translation]We have an extensive security program in place from the get-go, starting with the selection of personnel. Of course, a culture of security prevails throughout the organization, one that encompasses personnel security, physical security and computer system security.The processes are in place. The system is evergreen, meaning that it's constantly updated. We don't rest on our laurels, so to speak. We review the system on a regular basis. It's an extensive and complex process, but the investment is worth it.Computer crimeDesjardins GroupHuman resourcesPrivacy and data protectionRisk management60132236013224MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1425)[Translation]Is your approach used elsewhere in the market? Has another organization established a culture of security similar to yours?Computer crimeDesjardins GroupHuman resourcesPrivacy and data protectionRisk management6013225AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1425)[Translation]Our approach is modern, but we don't have a monopoly on security programs. Documentation is available. Public Safety Canada put out a publication on developing appropriate security programs. It's an excellent reference that refers to the same models we use.Computer crimeDesjardins GroupHuman resourcesPrivacy and data protectionRisk management6013226MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1425)[Translation]Thank you, Mr. Chair.Mr. Boucher, I didn't get a chance to ask you questions earlier.My first question is about something your colleague Scott Jones said when he appeared before the committee as part of the other study we've been referring to a lot today. He said it was important that institutions and businesses report data breaches and thefts that affect them.In its recommendation, the committee remained rather vague. Should it be mandatory to report such breaches to police in order to minimize the impact on the public and catch those responsible?That brings me to two other questions. They're for you, Mr. Flynn.Since the information remains online forever, should police treat these threats in the same way they do physical ones? If a murderer or someone else poses a physical threat, I imagine police investigations are conducted with a certain level of urgency. Should the same apply to cyberthreats? Desjardins contacted Quebec provincial police in December, if I'm not mistaken.My last question is about background checks and ongoing security checks. Given how savvy individuals are these days, should these checks become the norm?You can have the rest of my time to answer.Computer crimeDesjardins GroupPrivacy and data protection60132336013234601323560132366013237601323860132396013240JohnMcKayHon.Scarborough—GuildwoodAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1425)[Translation]Regarding your question about reporting incidents, I would just point out that we recommend organizations invest before an incident occurs. The organization has to have a security program in place, one that can detect threats and so forth. We always recommend that people report incidents and share them with their community because there are usually commonalities that everyone can learn from.As the country's cybersecurity centre, we work to gather that information across all communities and to find commonalities in order to issue advice and guidance that could lead to enhanced security nationally. Yes, incidents should definitely be reported.Computer crimeDesjardins GroupPrivacy and data protection60132416013242MatthewDubéBeloeil—ChamblyMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1425)[English] With respect to the physical versus the cyber harm, I agree with you. It's a very difficult thing to understand. We struggle in policing to determine where we are going to apply our resources, because we always look at where we're going to be able to have the most significant impact in reducing harm.If you look at fraud, fraud is a very large and significant threat in Canada and globally. It is difficult to measure $400,000 worth of fraud or $2 million worth of fraud against a physical threat or a homicide, or an assault against an individual. We struggle with that, but I can tell you that we're aware of it and are examining how we measure that risk and how we prioritize. Computer crimeDesjardins GroupPrivacy and data protection60132436013244AndréBoucherMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1425)[Translation]Wouldn't it be appropriate to acknowledge that this kind of incident has a lifelong impact on a person and to respond with that in mind?Computer crimeDesjardins GroupPrivacy and data protection6013245MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1425)[English]Yes, it's absolutely a consideration. Computer crimeDesjardins GroupPrivacy and data protection6013246MatthewDubéBeloeil—ChamblyJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1425)[Translation]I have a quick question for Mr. Flynn. I say quick, because I have just two minutes and I also have a question for Mr. Boucher.Two years ago, 19 million Canadians were the victims of fraud as a result of a data breach at Equifax. Similar data were stolen in that case. Last year, some 90,000 CIBC and BMO customers were targeted. This year, it's Desjardins members.Can you tell us whether, further to these events, crime involving the use of the stolen data has increased?Computer crimeDesjardins GroupPrivacy and data protection601324960132506013251JohnMcKayHon.Scarborough—GuildwoodMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1430)[English]We are seeing fraudsters utilizing information that is compromised in operations. The RCMP had a successful investigation into Leakedsource.com, which was reselling some of the information from the large compromises that were made public. There was a guilty plea in that case.It is not an unusual circumstance that somebody is reselling that. We are seeing that occur. Computer crimeDesjardins GroupPrivacy and data protection60132546013255RhéalFortinRivière-du-NordRhéalFortinRivière-du-Nord//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1430)[Translation]All right, but has there been an increase in crime involving data stolen as a result of these breaches? Has the crime rate gone up?Computer crimeDesjardins GroupPrivacy and data protection6013256MarkFlynnMarkFlynnMarkFlynnMark-FlynnInterventionC/Supt Mark Flynn: (1430)[English]I haven't taken note specifically of the rate of crime, but it is certainly a type of crime that we are seeing.Computer crimeDesjardins GroupPrivacy and data protection6013257RhéalFortinRivière-du-NordRhéalFortinRivière-du-Nord//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1430)[Translation]I see.My second question is for Mr. Boucher.Mr. Boucher, in your brief, you give three recommendations to deal with increasing cyberthreats. The second is to invest in training and awareness so that people have the tools to respond. Has the federal government earmarked funding to work with the Quebec government to improve the security of Quebecers' information?Computer crimeDesjardins GroupPrivacy and data protection601325860132596013260MarkFlynnAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1430)[Translation]I can speak for my organization. We have a national responsibility, and that includes working with our Quebec partners. We invest in education and training, and we also make our services available to Quebec businesses.Computer crimeDesjardins GroupPrivacy and data protection6013261RhéalFortinRivière-du-NordRhéalFortinRivière-du-Nord//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1430)[Translation]Sorry, I don't mean to rush you, but as you know, two minutes isn't much time.Are any investments planned, and if so, how much? Has the federal government made so many millions available to work with Quebec on a training program or other cybercrime initiative, for example?Computer crimeDesjardins Groupe-SecurityIndustrial trainingPrivacy and data protection60132626013263AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1430)[Translation]I don't have that information with me today.Computer crimeDesjardins Groupe-SecurityIndustrial trainingPrivacy and data protection6013264RhéalFortinRivière-du-NordRhéalFortinRivière-du-NordAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1430)[English]I think every large enterprise has to measure its own key assets and the value of those assets and make a risk-based decision on how much they're going to invest to protect those assets. Starting from a position of zero trust is the reality of the complex environment we live in today. Don't assume your system is going to work on its own. It takes a holistic investment in a security program—in the right people, the right processes and the right technology. The sum of these things will....Computer crimeDesjardins Groupe-SecurityIndustrial trainingPrivacy and data protection6013270JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/957JohnMcKayHon.John-McKayScarborough—GuildwoodLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/McKayJohn_Lib.jpgInterventionThe Chair: (1430)[English]That's a consensus standard among the cyber community, if your will, your point number three—zero trust.Computer crimeDesjardins Groupe-SecurityIndustrial trainingPrivacy and data protection6013271AndréBoucherAndréBoucherAndréBoucherAndré-BoucherInterventionMr. André Boucher: (1430)[English]It is a consensus that you have to invest in all of these aspects. Computer crimeDesjardins Groupe-SecurityIndustrial trainingPrivacy and data protection6013272JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—GuildwoodAnnetteRyanAnnette-RyanInterventionMs. Annette Ryan (Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance): (1435)[English] Thank you, Mr. Chair. I will go first, if that's all right.[Translation]My name is Annette Ryan. I am the associate assistant deputy minister of the financial sector policy branch within the Department of Finance. I am joined by Robert Sample, director general of the financial stability and capital markets division, as well as Judy Cameron, managing director of the Office of the Superintendent of Financial Institutions Canada, and her colleague. We are pleased to appear before you today.(1440)[English]My remarks today will address two areas that, I believe, are pertinent to the issues before you. Specifically I will clarify the roles of government departments and agencies and private sector actors within the federal financial sector framework and update the committee on efforts being undertaken by the Department of Finance, federal regulatory agencies and banks in support of cybersecurity and data protection.Protecting the privacy and security of Canadians' personal and financial data is an objective shared by both levels of government and the private sector, and it is one that's crucial for maintaining continued trust in Canada's banking system. I'll address the roles within the federal government and then discuss provincial government and private sector roles.The Department of Finance along with federal financial sector oversight agencies has responsibility for the laws and regulations that govern Canada's federally regulated banking system. We collectively set expectations and oversee implementation to ensure that operational risks related to cybersecurity and privacy are properly managed by the financial institutions that we regulate. The Minister of Finance has overarching responsibility for the stability and integrity of Canada's financial system. Cybersecurity is a primary aspect of financial cyber-stability as it ensures the sector remains resilient in the face of cyber-threats and attacksIn turn, Public Safety has recognized the financial services industry as being a critically important sector within its wider national critical infrastructure strategy. The Department of Finance works closely with a range of partners responsible for financial regulation and cybersecurity both domestically and internationally to ensure that the sector is adopting appropriate cyber-resiliency and data protection practices and that the specific needs of the financial sector are considered within economy-wide policies and statutes that relate to cybersecurity and data security.I'll describe the general responsibilities among financial regulators. The Office of the Superintendent of Financial Institutions is the prudential regulator of federally regulated financial institutions, including banks. OSFI develops standards and rules for managing cyber-risks as is consistent with its wider oversight of operational risks that institutions must manage. The Bank of Canada monitors financial market infrastructures, such as payment systems, to enhance resilience to cyber-threats, and the bank coordinates sector-wide responses to systemic-level operational incidents. Other federal agencies have responsibilities for laws of general application in respect of privacy. The Office of the Privacy Commissioner of Canada oversees the banks' compliance with Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, known as PIPEDA. PIPEDA sets out requirements that businesses must follow when collecting, using or disclosing personal data in the course of commercial activities. These include putting in place appropriate security safeguards to protect personal data against loss, theft or unauthorized disclosure. The Department of Innovation, Science and Economic Development has overall policy responsibility for PIPEDA. In November of 2018 the Government of Canada implemented amendments to PIPEDA related to data breach reporting requirements and associated monetary penalties for failing to report. As you've just heard, other federal departments and agencies, including Public Safety, the Canadian Centre for Cyber Security and the RCMP, share responsibilities with respect to broader Government of Canada cybersecurity initiatives. [Translation]It is important to note that supervisory responsibility for the financial sector in Canada is divided between federal and provincial governments. Provinces are responsible for the supervision of securities dealers, mutual fund and investment advisers, provincial credit unions and provincially incorporated trust, loan and insurance companies.Accordingly, federal and provincial financial sector authorities have protocols in place for information sharing, particularly where matters of financial stability are concerned. Financial institutions, themselves, of course, are most immediately responsible for maintaining cyber and data security on a day-to-day basis, directly managing operational risks through an extensive series of protective and preventative measures, both individually and through industry-level co-operation.These are supported by policies and standards that are continually updated to address the evolving threat landscape and remain in line with industry best practices.(1445)[English] Cyber-attacks are a serious and ongoing threat. I will focus on some of the steps being taken by the Government of Canada, the financial sector, regulatory agencies and the banks to ensure cybersecurity in the financial sector.In budget 2018, the federal government invested over half a billion dollars in cybersecurity, and in October of 2018, it established the Canadian Centre for Cyber Security, which serves as a single window of technical expertise and advice to Canadians, governments and businesses. The centre defends against cyber-threat actors that target Canadian businesses, including federally or provincially regulated financial institutions, for their customer data, financial information and payment systems. Efforts to address cybercrime have been further bolstered by the newly created national cybercrime coordination unit within the RCMP, which provides a national cybercrime reporting mechanism for Canadians, including incidents related to data breaches or financial fraud. More recently, in budget 2019, the government proposed legislation and funding to protect critical cyber systems in the Canadian financial, telecommunications, energy and transport sectors.[Translation]Our colleagues at the Treasury Board Secretariat continue their work with provincial governments, financial institutions and federal partners toward a pan-Canadian trust framework for digital identity with the goal of strengthening digital ID protection in the context of cyberthreats.[English]On the regulatory side, earlier this year OSFI published new expectations on technology and cybersecurity breach reporting via the technology and cybersecurity incident reporting advisory. This is intended to help OSFI identify areas where banks can take steps to proactively prevent cyber incidents, or in cases where incidents have occurred, to improve their cyber-resiliency.While the first objective is to prevent data breaches, the reality is that these events happen and are not localized to the financial sector. Having said this, when cyber events occur at a federally regulated financial institution, control and oversight mechanisms are in place to manage them.To summarize, cybersecurity is an area of critical importance for the Department of Finance. We are actively working with partners across government and in the private sector to ensure that Canadians are well-protected from cyber incidents and that when incidents do occur, they're managed in a way that mitigates the impact on consumers and the financial sector as a whole.Thank you for your time. I'm happy to take questions.Computer crimeCrime reportingDepartment of FinanceDesjardins GroupDigital identityFederal-provincial-territorial relationsFinancial service industriesInformation collectionInformation disseminationPersonal Information Protection and Electronic Documents ActPrivacy and data protection6013279601328060132816013282601328360132846013285601328660132876013288601328960132906013291601329260132936013294601329560132966013297601329860132996013300601330160133026013303JohnMcKayHon.Scarborough—GuildwoodPierrePaul-HusCharlesbourg—Haute-Saint-CharlesEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly (Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development): (1445)[Translation]Thank you very much, Mr. Chair.My name is Elise Boisjoly, and I am the assistant deputy minister of the integrity services branch at Employment and Social Development Canada. I am joined by Anik Dupont, who is responsible for the social insurance number program.Thank you for the opportunity to join you today. My remarks will focus on the social insurance number, or SIN, program. Specifically, I will clarify what the social insurance number is and provide information on its issuance and use; inform the committee on privacy protection related to the SIN; and provide information on our approach in the case of data breach.What is the SIN? The SIN is a file identifier used by the Government of Canada to coordinate the administration of federal benefits and services and the revenue system. The SIN is required for every person working in insurable or pensionable employment in Canada and to file income tax returns.It is issued prior to your first job, when you first arrive in Canada or even at birth. During the last fiscal year, over 1.6 million SINs were issued.The SIN is used, among other things, to deliver over $120 billion in benefits and collect over $300 billion in taxes. It facilitates information sharing to enable the provision of benefits and services to Canadians throughout their life such as child care benefits, student loans, employment insurance, pensions and even death benefits. As such, the SIN is assigned to an individual for life.The SIN is not a national identifier and cannot be used to obtain identification. In fact, it is not even used by all programs and services within the federal government; only a certain number use it. The SIN alone is never sufficient to access a government program or benefit or to obtain credit or services in the private sector. Additional information is always required.(1450)[English] While data breaches are becoming increasingly commonplace, the Government of Canada follows strong and established procedures to protect the personal information of individuals. My colleague mentioned the Privacy Act and the Personal Information Protection and Electronic Documents Act, which is being administered by Innovation, Science and Economic Development Canada. They provide the legal framework for the collection, retention, use, disclosure and disposition of personal information in the administration of programs by government institutions and the private sector, respectively.As my colleague mentioned, on November 1, 2018, a new amendment to the Personal Information Protection and Electronic Documents Act came into force, which requires organizations that experience a data breach and that have reason to believe there's a real risk of significant harm to notify the Office of the Privacy Commissioner, the affected individuals and associated organizations as soon as it's feasible. Violating this provision may result in a fine of up to $100,000 per offence.At Employment and Social Development Canada, we have internal monitoring strategies, privacy policies, directives and information tools for privacy management, as well as a departmental code of conduct and mandatory training for employees on protecting personal information. We believe that any security breach affecting social insurance numbers is very serious and, in fact, we ourselves are not immune to such a situation. For example, in 2012, the personal information of Canada student loan borrowers was potentially compromised. The breach was a catalyst for further improvements to information management practices within the department. Preventing social insurance number fraud starts with education and awareness. This is why our website and communication materials include information that can help Canadians better understand the steps they should take to protect their social insurance numbers. Canadians can visit the department websites, call us or visit us at one of our Service Canada centres to learn how best to protect themselves. It is important to note that protecting the information of Canadians is a shared responsibility among the government, the private sector and individuals. We strongly discourage Canadians from giving out their social insurance numbers unless they are sure that doing so is legally required or necessary. Canadians should also actively monitor their financial information, including by contacting Canada's credit bureau.[Translation]A loss of a social insurance number does not necessarily mean that a fraud has occurred or will occur.However, should Canadians notice any fraudulent activity related to their social insurance number, they must act quickly to minimize the potential impact by reporting any incidents to the police, contacting the Privacy Commissioner and the Canadian Anti-Fraud Centre, and informing Service Canada. In cases where there is evidence of the social insurance number being used for fraudulent purposes, Service Canada works closely with those affected.Despite ever larger data breaches, the number of Canadians who have had their social insurance number replaced by Service Canada due to fraud has remained consistent at approximately 60 per year since 2014.That being said, we understand that many Canadians have signed a petition asking Service Canada to issue new social insurance numbers for those impacted by this data breach. The main reason we do not automatically issue a new social insurance number in these circumstances is simple: getting a new social insurance number will not protect individuals from fraud. The former social insurance number continues to exist and is linked to the individual. If a fraudster uses someone else's former social insurance number and their identity is not fully verified, credit lenders may still ask the victim of fraud to pay the debts.In addition, it would be the individual's responsibility to provide their new social insurance number to each of their financial institutions, creditors, pension providers, employers—current and past—and any other organizations. Failing to properly do so could put individuals at risk of not receiving benefits or leave the door open to subsequent fraud or identity theft.It would also mean doubling the monitoring. Individuals would still need to monitor their accounts and credit reports for both social insurance numbers on a regular and ongoing basis. Having multiple social insurance numbers increases the risk of potential fraud.Active monitoring through credit bureaus as well as regular reviewing of banking and credit card statements remain the best protection against fraud.In closing, protecting the integrity of the social insurance number is critical to us, and I can assure you that we will continue to take all necessary action to do so, including reading this committee's report and considering advice from this committee and others on how to best improve.Thank you for your time. I'd be happy to answer your questions.Computer crimeCrime preventionCrime reportingDepartment of Employment and Social DevelopmentDesjardins GroupInformation disseminationPrivacy and data protectionSocial insurance numbers60133066013307601330860133096013310601331160133126013313601331460133156013316601331760133186013319601332060133216013322601332360133246013325PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-CharlesMaximeGuénetteMaxime-GuénetteInterventionMr. Maxime Guénette (Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency): (1455)[Translation]Thank you, Mr. Chair.Good afternoon to all committee members.[English] My name is Maxime Guénette. I'm assistant commissioner of the public affairs branch and chief privacy officer at the Canada Revenue Agency. With me today is my colleague Gillian Pranke, deputy assistant commissioner of the assessment, benefit and service branch at the CRA.The CRA is an organization that touches the lives of virtually all Canadians. We're one of the largest holders of personal information at the Government of Canada. We process more than 28 million individual income tax returns annually. It's therefore critical that the CRA has an extensive privacy framework in place to manage and protect personal information for all Canadians.[Translation]Integrity in the workplace is the cornerstone of agency culture. The agency supports its people in doing the right thing by providing clear guidelines and tools to ensure privacy, security and the protection of personal information, our programs and our data.The agency is subject to the Privacy Act and associated Treasury Board policies and directives for the management and protection of Canadians' personal information. Section 241 of the Income Tax Act also imposes confidentiality requirements on its employees and others with access to taxpayer information.The agency also adheres to the policy on government security and direction provided by lead security agencies like the Communications Security Establishment and the Canadian Centre for Cyber Security.In April 2013, the agency appointed its first chief privacy officer, who is also responsible for the access to information and privacy functions within the agency.[English]Part of my role as the chief privacy officer is to ensure that the CRA's respect for the privacy of the information it holds is reinforced and strengthened by overseeing decisions related to privacy, including assessing the privacy impacts of our programs; championing privacy rights within the agency, including managing internal privacy breaches when they occur; and reporting to CRA senior management on the state of privacy management at the agency. Our responsibility for sound privacy management goes beyond appointing a chief privacy officer, though. It's a responsibility that all employees share. Protecting the CRA's integrity includes ensuring that we have the proper systems in place to safeguard sensitive information from external threats. Agency networks and workstations are equipped with malware and virus detection and removal software, which are updated daily and protect the CRA environment from the increasing threat of malicious code and viruses.[Translation]At the agency employee level, computers are secured with a suite of security products ranging from anti-virus software to host intrusion software.External services are conducted on secure platforms and protected by firewalls and intrusion prevention tools to detect and prevent unauthorized access to agency systems.During online transactions we ensure that all sensitive information is encrypted when it is transmitted between a taxpayer's computer and our Web servers. Regardless of how Canadians choose to interact with the agency, they must complete a two-step authentication process before gaining access to their account.These steps are crucial to making sure that access to personal information is only available to authorized individuals. The process includes validation of a number of personal and confidential data points, including a person's social insurance number, their month and year of birth, and information from the previous year's income tax return.[English] The CRA will shortly also be implementing a new personal identification number for taxpayers who choose to use it when calling the individual inquiries line. In addition, the CRA is currently examining additional security procedures to safeguard the information of taxpayers. As cybercrime and phishing scams become more sophisticated and commonplace, the CRA is being proactive in warning the public about fraudulent communications claiming to be from the CRA.One very simple way in which taxpayers can safeguard against fraudulent activity is to sign up for My Account, or for businesses to sign up for My Business Account, so that they can use the CRA's secure portals to access and manage their tax affairs easily and securely. When an individual is signed up for My Account, they can also sign up for online mail in order to receive account alerts informing them of possible scams or other fraudulent activity that may affect them.CRA is proud of its reputation as a leading-edge organization committed to excellence in administering Canada's tax system. However, inappropriate fraudulent activity can occur in the workplace. CRA has incorporated a broad array of checks and balances to ensure that those who access taxpayer information are strictly limited to employees required to do so as part of their job and to detect misconduct when it does occur.(1500)[Translation]Monitoring of employees' access to taxpayer information is centralized, ensuring an independent process that enables the agency to detect and, if necessary, address any suspect transactions in our systems. This provides assurance that authorized users are accessing only the applications and data they are allowed to access based on strict business rules.[English]In 2017 the CRA implemented a new enterprise fraud management solution, which complements existing security controls and further reduces the risk of unauthorized access and privacy breaches. This solution enables proactive monitoring and detection of unauthorized access by CRA employees. Any allegations or suspicions of employee misconduct are taken very seriously and are thoroughly investigated. When wrongdoing or misconduct is founded, appropriate measures are taken, up to and including termination of employment. If criminal activity is suspected, the matter is referred to the proper authorities.[Translation]Upon hire, agency employees are required to read and acknowledge the agency's code of integrity and professional conduct and the values and ethics code for the public sector.The code clearly outlines the expected standard of conduct, including the obligation to protect taxpayer information in accordance with section 241 of the Income Tax Act. Unauthorized access to taxpayer information is considered to be serious misconduct, as reflected in the agency's directive on discipline.[English]The code ensures that current and former employees are aware that the obligation to protect taxpayer information continues even after they leave the CRA. All employees are asked to review and affirm their obligations under the CRA's code of integrity every year.In the event a privacy breach does occur, it is assessed in accordance with TBS policy and procedures to document and evaluate all potential risks to the affected individual. In such a case, the CRA offers support to the affected individual through a dedicated agency representative so that the client has the opportunity to ask questions and find information as well as, on a case-by-case basis, get access to free credit protection services.On the rare occasion when a taxpayer's information is confirmed to have been compromised, the CRA will act to resolve all outstanding issues. This includes reviewing all fraudulent activity that may have occurred in the account, including fraudulent refund payments.[Translation]We at the agency are deeply committed to safeguarding the trust Canadians place in our organization, and to meeting their expectations that we have the right checks and balances in place to secure the information entrusted to us. We have worked hard to earn the public's trust, because it is the foundation of our self-assessment tax system.[English]A good reputation takes years to establish. We safeguard it by remaining vigilant in our efforts to protect taxpayers from security breaches and to protect Canada's tax administration system from misconduct and criminal wrongdoing.Thank you, Mr. Chairman. I'd be pleased to answer any questions you may have.Allegations of fraud and fraudCanada Revenue AgencyComputer crimeDesjardins GroupInformation disseminationPrivacy and data protectionWeb sites6013329601333060133316013332601333360133346013335601333660133376013338601333960133406013341601334260133436013344601334560133466013347601334860133496013350601335160133526013353601335460133556013356PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin: (1500)[Translation]Thank you very much, Mr. Chair.I thank all witnesses for appearing before the committee on short notice.I should mention that I am one of the victims of the data breach at Desjardins, as are many of my constituents.Ms. Boisjoly, you referred to the online petition asking that the social insurance numbers of those affected be changed. Can you explain to the committee why that would not be done and why it would only complicate things without providing better security for Canadians?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013360601336160133626013363PierrePaul-HusCharlesbourg—Haute-Saint-CharlesEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1500)[Translation]I briefly mentioned that in my presentation and I thank you for giving me the opportunity to talk about it at greater length.First, an information leak does not necessarily mean that fraud or identity theft has occurred. Second, we do not automatically change social insurance numbers after a leak like this because it doesn't really solve the problem or automatically remove all risk of fraud.Let me explain that first point a little more. If you do not change the social insurance number linked to a certain credit number and if a credit agency uses the old credit number, the person involved will not necessarily be able to get credit. In addition, if a lender does not properly check the identity of that person, and a fraudster borrows money using his name, the lender could ask him to pay the debt. So there can be other cases of fraud if lenders do not correctly check people's identity.The second reason is that it can create serious problems of access to benefits and services. As I said in my presentation, victims of data breaches must warn everyone, financial institutions, credit agencies, past and future employers, and the managers of pension schemes to which they belonged with their old social insurance numbers, and make the necessary changes. Often, people no longer remember those to whom they have given their social insurance number, especially at the beginning of their careers. That can prevent people from receiving a pension, for example, because it is no longer possible to establish a link between an individual and the benefits to which they are entitled.At federal level, we would certainly advise the Canadian Revenue Agency and all organizations involved. But changes could be made manually and there may be errors. This could complicate the calculation of pensions or employment insurance benefits. If someone forgets an employer and makes errors, the calculation of employment insurance benefits or the old age pension could be wrong.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60133646013365601336660133676013368FrancisDrouinGlengarry—Prescott—RussellFrancisDrouinGlengarry—Prescott—Russell//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin: (1505)[Translation]In other words, changing our social insurance number does not necessarily protect our personal information.Why is another social insurance number issued in cases where fraud has been proven?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60133696013370EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1505)[Translation]When fraud has been proven, we look at the type of fraud and discuss the matter with the person involved. Often people decide not to change their social insurance numbers. They register, or have someone register them, at a credit checking agency. By so doing, they will be better protected than they would be if they changed their social insurance number. Often, having been informed, people decide not to change their social insurance number. In a very small number of cases, 60 per year since 2014, people insist on making a change when fraud has been confirmed. At that point, we allow a new social insurance number to be issued, but we will also explain that it will not necessarily solve the problem.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013371FrancisDrouinGlengarry—Prescott—RussellFrancisDrouinGlengarry—Prescott—Russell//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin: (1505)[Translation]Here is a more practical question.Like everyone in the same situation as myself, I see a risk of fraud. How then can I advise the authorities, whether at Revenue Canada or Service Canada, that my social insurance number may perhaps be used fraudulently? Can I call Service Canada to advise them of that? Is there an internal process that allows the public to do that?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60133726013373EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1505)[Translation]Absolutely. Let me make two points about that.First, since this leak was made public, we have received between 1,400 and 1,500 requests directly from members of the public. They have called us to find out how to better protect their personal data and we have given them a lot of information about doing so. They will often take the steps that we advise them to take, such as looking at the credit agency reports and checking their bank transactions.Second, if they notice a suspicious activity, they must follow the very clear procedures to give us that information. If suspicious transactions are detected, we ask them to contact Service Canada, which will be able to take the steps needed to help them.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers601337460133756013376FrancisDrouinGlengarry—Prescott—RussellFrancisDrouinGlengarry—Prescott—Russell//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin: (1505)[Translation]Okay.The website lists 29 cases in which Canadians are allowed to give out their social insurance numbers. To banking institutions and other entities, for example.What does Service Canada do so that Canadians know when they should give out their social insurance number and when they should not? What recourse is possible when an organization asks for a social insurance number when it should not do so?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers601337760133786013379EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1510)[Translation]Our website, our call centres and the Service Canada centres tell Canadians who they may give their social insurance numbers to. When we issue social insurance numbers, we actually tell people who they should and should not give it to. A certain number of organizations are authorized to ask for social insurance numbers, for example when a bank or creditor pays interest, which the Canada Revenue Agency needs to know.If someone not on that list asks for a social insurance number, people can refuse and ask to provide another form of information. For example, a long time ago, landlords often asked tenants for social insurance numbers in order to check their credit. They can simply provide a credit report rather than give out their social insurance number. The person asking the question must—Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60133806013381FrancisDrouinGlengarry—Prescott—RussellJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1510)[Translation]Thank you, Mr. Chair.My thanks to you all for being here today.Listening to you is like being in The Twelve Tasks of Asterix. Let us put ourselves in people's shoes. Their concern is that they have no real idea of what will happen. We asked to meet with you so that we could have some information on the subject. We know that the social insurance number is one measure but is there anything else that should be done in the future to change the system? Could we do as other countries have done, such as providing more digital identification, whether it is by means of fingerprints or something else?Ms. Boisjoly, you say that there about 60 cases per year, but look, 2.9 million people had their data stolen. Are you expecting a major increase in the number of requested changes of social insurance numbers following these identity thefts?I also have a question for you, Mr. Guénette.The people following what is currently happening want to know what is being done. You proposed a good solution, and solutions are what people need. You mentioned people going on the Government of Canada site and opening their financial records. If I understand correctly, by opening your records, you can receive alerts or warnings.It has now been three weeks. We are here today as the result of an emergency request. Why was there no communication with the public, immediately or within a week following the thefts, to let people know what the Government of Canada can do to help? That's what we need to know.I am all ears, Ms. Boisjoly.Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection60133876013388601338960133906013391601339260133936013394JohnMcKayHon.Scarborough—GuildwoodEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1510)[Translation]Thank you.To answer your first question on new measures, every situation like this gives us the opportunity to review our security and privacy protection measures. All of our colleagues and myself certainly focus on that when there are incidents of this kind. The colleagues who have gone before us spoke a lot about the evolution of cybersecurity. They said that we always have to be ready. We are certainly always focused on that.My colleague mentioned the Treasury Board, whose mandate includes identity management. They are focusing on ways in which we can better solve the problems associated with digital identity, specifically by conducting pilot projects with the provinces. We participate in those forums, and we are thinking of ways to move the discussion on digital identity forward.Second, in terms of the number of identity thefts, we have been advised of many in the last 14 or 15 years. Probably millions of people have already been affected and, despite that, the number asking for a new social insurance number remains rather low. So I cannot answer your question, because I am not aware of the future, but I can say that there have been a lot of thefts and that the number seems constant, around 60 per year.Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection6013395601339660133976013398PierrePaul-HusCharlesbourg—Haute-Saint-CharlesMaximeGuénetteMaximeGuénetteMaxime-GuénetteInterventionMr. Maxime Guénette: (1510)[Translation]Thank you for the question, Mr. Paul-Hus.As Ms. Boisjoly said, there is never a bad time to remind people about the things they can do. At tax time, we conducted advertising campaigns and communication initiatives online and on social media to remind people about the services at their disposal. However, more can always be done. We are always looking for opportunities to communicate more in this respect. So—Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection60133996013400EliseBoisjolyPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1515)[Translation]Okay, but the case before us is about managing a crisis. We are here to find out whether a federal organization can lend a hand to Desjardins, who are taking their own steps to rectify the situation as best they can. Currently, I see some inter-agency measures but really no proactive measures to help Canadians, aside from a message that has already been sent out.In your opinion, why does the government seem to be so passive? Why is it saying nothing? Is it because nothing can be done? Is there no solution?We are looking for solutions because people are concerned. If you are telling us that current agencies do not have the means or the tools to help them, we are going to look for other solutions.Are solutions like the one Desjardins proposed, the Equifax services, quite effective in your experience and as you assess this situation? We are looking to reassure people with things that are true. We don’t want to say just anything.Computer crimeDesjardins GroupPrivacy and data protection6013401601340260134036013404MaximeGuénetteMaximeGuénetteMaximeGuénetteMaxime-GuénetteInterventionMr. Maxime Guénette: (1515)[Translation]Currently, because the investigation is still in progress, there is a lot of information…Computer crimeDesjardins GroupPrivacy and data protection6013405PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1515)[Translation]The investigation has nothing to do with it because we know how the data breach happened. We also have an idea of where the data was sent, but, at the moment, that is not what we are interested in. We know that someone, somewhere on the planet, has our information and is in a position to harm us by stealing our identity. So we want to know whether our agencies can become proactively involved or, if not, what can be done.You have a solution in my case, so that is already something that the public could be told about. It is important to do that quickly because people are not in a very good mood during their holidays. Then we will have to see if something else can be done.The issue of the social insurance number has come up everywhere. A number of suggestions have been made. You are responsible for that file and you are saying that nothing can be done, at least not in that way. These are the answers that people need to hear. But the fact remains that we have to leave here telling people what the government can do to help, first Desjardins and second, the 2.9 million people who have been affected. We are hearing a lot about internal protocols, but, for the Canadians listening to us, that does not mean a lot. This is why I want to hear clear answers. I know that you are giving them when you can, but basically, when we leave here, we will need to know what can be done. Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers601340660134076013408MaximeGuénetteMaximeGuénetteMaximeGuénetteMaxime-GuénetteInterventionMr. Maxime Guénette: (1515)[Translation]I can assure you that very proactive discussions are going on between the various departments involved.As far as the revenue agency is concerned, as I said in my remarks, the social insurance number, the address and the date of birth are some of the pieces of information people need in order to identify themselves to the agency. We also need information on tax returns from previous years, which was not in the information stolen from Desjardins, according to the discussions we have had. However, once again, the investigation is still in progress. So these questions—Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60134096013410PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1515)[Translation]What is the first thing people should do if their identity is stolen? Call the police? Computer crimeDesjardins GroupIdentity theftPrivacy and data protection6013414JohnMcKayHon.Scarborough—GuildwoodEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1515)[Translation]Yes.Computer crimeDesjardins GroupIdentity theftPrivacy and data protection6013415PierrePaul-HusCharlesbourg—Haute-Saint-CharlesMaximeGuénetteMaximeGuénetteMaxime-GuénetteInterventionMr. Maxime Guénette: (1515)[Translation]Certainly.Computer crimeDesjardins GroupIdentity theftPrivacy and data protection6013416EliseBoisjolyJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1515)[Translation]Thank you, Mr. Chair.Thank you all for taking the time to come here today.Ms. Boisjoly, I was struck by one point in your reply to Mr. Drouin. You said that a personal data breach does not lead to identity theft. That is basically what brings us here today. Canadians want to avoid identity theft, of course; it’s their main concern. I have some questions about it.You said that people should report suspicious activities associated with a social insurance number. I am a federal lawmaker and I don’t know what a suspicious activity associated with a social insurance number is. I have never been a victim of fraud, thank heavens, and the same goes for the people around me, touch wood. However, I do know people who have been victims. They find out when they receive a bill for a cellphone they do not have, or for a Canadian Tire credit card that they never applied for. They end up with debts and obligations that are not theirs. Can you tell me exactly what a suspicious activity associated with a social insurance number is?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60134196013420601342160134226013423JohnMcKayHon.Scarborough—GuildwoodEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1515)[Translation]Thank you for your question.You have certainly identified some suspicious activities, as you say. We ask people to protect themselves as best they can by working with a credit bureau so that transactions are monitored as closely as possible. They should look at their bank and credit card transactions. If they see actions in their name that they did not make, we asked them to contact the bureau—Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60134246013425MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1520)[Translation]I am sorry for interrupting you, but my time is limited and I only have one round.The suspicious activities or problematic transactions that we may be able to see on our credit card statements can be associated with all kinds of things. It may be someone who has stolen our mail and obtained our address. That is information that is probably easier to obtain. You rightly mentioned that, in terms of the situation we are discussing today, the person has complementary information. In principle, with all the information that has been stolen, that person could easily call Revenue Canada and obtain a new password. If you have someone’s entire file, you have all the information you need.Computer crimeDesjardins GroupIdentity theftPrivacy and data protection60134266013427EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1520)[Translation]Yes, and that is the most important point. We are talking about a number of identifiers. Each one of the organizations is responsible for checking people’s identity.My colleague said that there must also be a line from the tax return. With employment insurance, there is an access code and you are asked to provide the two figures in that access code. When we are checking identities, we must make sure that we ask questions about identities that are secret and shared only with the people we know. That allows us to better verify people’s identity and to provide them with the service. For example, you would not be able to call Service Canada and obtain employment insurance benefits with the information that has been made public at the moment.Computer crimeDesjardins GroupIdentity theftPrivacy and data protection60134286013429MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1520)[Translation]As for getting a new social insurance number, I have a little difficulty understanding. Basically, the argument is that it becomes complicated for people. In principle, a social insurance number is issued for reasons of efficiency. A unique identifier makes transactions with government agencies easier.Forgive me if this analogy may not be an exact one. If I see a problem with my credit card today, the bank or the company that issued it is still able to transfer a balance or to link the legitimate transactions on my credit card that has been used fraudulently and the new one it sent to me.Why would a financial institution be able to do that, while you are not able to say that someone’s social insurance number has been compromised and to give them a new number? A former employer, for example, might have to take care of questions about that person’s pension. Knowing that is the same person, why are you not able to link the previous social insurance number to a new one? You may perhaps have to do some additional checking, given that the number has been compromised. But I am still having a little difficulty understanding why you can’t do it. Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers601343060134316013432EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1520)[Translation]When you started, you said that the first reason we do not automatically give out social insurance numbers is that it can make life difficult for people. The first reason is actually that it would not really prevent fraud. This is a very important point. People have to continue to check their previous social insurance number because there are still—Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013433MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1520)[Translation]I am sorry to interrupt you, but, if I lose my credit card, it does not necessarily mean that it has been stolen. It may have fallen down a sewer somewhere, meaning that it will never be seen or used again. I would still call my bank, Visa or whomever, to ask them to cancel the card. I would still keep checking and I would have some peace of mind, knowing that I am protected.Why not use the same logic for victims of breaches of personal data, especially ones that are all over the news? To make sure they are protected, people want to dot all the i's and cross all the t's that they can. They change their credit cards and everything, as they do when they lose their wallets. Why not proceed in the same way?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60134346013435EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1520)[Translation]A social insurance number is not like a credit card, which is a bank's only way of identifying that person. It is an identifier used by employers for as long as people are in the workforce. It is also used for various programs and services.At the moment, no computer system links all those systems so that social insurance numbers can be updated by employers and by the various groups and programs. That task would be done manually. That is why we do not know all the employers. In the federal government, it would be done manually. As I said, we have only done it a few times. There is a risk of errors. I am just mentioning this to the committee.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60134366013437MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1525)[Translation]I have less than a minute left.At the risk of tangling ourselves up in technical details, I would like to understand this better. If an employer wants to use a social insurance number, how does that work? Surely, things come together in some way when you move up the ladder.I have one final question, which goes back to what Mr. Paul-Hus rightly said.Let me take Quebec as an example. When there is flooding, police forces and the Government of Quebec hold public consultations on the spot so that people can attend.Mr. Guénette, I respect what you said, but perhaps advertising campaigns or posts on social media are not enough.Given the extent of this theft, this breach, have you considered organizing consultations in person in the key places in Québec, the major centres of Longueuil, Montreal and elsewhere?Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection601343860134396013440601344160134426013443EliseBoisjolyJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe (Rivière-des-Mille-Îles, Lib.): (1525)[Translation]Thank you very much, Mr. Chair.Good afternoon to you all and thank you for joining us.I do not normally sit on this committee, but I gladly agreed to replace one of its permanent members.I have had discussions with a number of my constituents in Rivière-des-Mille-Îles, which is to the north of Montreal and includes Deux-Montagnes, Saint-Eustache, Boisbriand and Rosemère. They are very concerned. This is something that has come up all the time since the House adjourned on June 21. That is why I agreed to be here today without hesitation, even though I am not familiar with all the studies that this committee has done.Ms. Ryan, earlier, you began by saying that the Department of Finance establishes the legislation and regulations that govern the Canadian banking system. You then said that oversight of the Canadian financial sector is shared between the federal and provincial governments.Let us look specifically at Quebec. The provinces are responsible for real estate brokers, and mutual funds and investment representatives, and so on. Desjardins is a provincial cooperative institution. Just now, I mentioned my constituents, but my entire family and myself are also among the 2.9 million people affected. This concerns us a great deal and we are wondering what will be the future impact of this theft on our lives.Have you had any requests from Desjardins? Mr. Guénette said that there are ongoing discussions between departments, but have people from Desjardins been in communication with you to get additional information?Computer crimeDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protection6013447601344860134496013450601345160134526013453JohnMcKayHon.Scarborough—GuildwoodAnnetteRyanAnnetteRyanAnnette-RyanInterventionMs. Annette Ryan: (1525)[English]To the extent that Desjardins is largely provincially regulated, their first point of contact with a government regulator would be with the Autorité des marchés financiers in Quebec. When I spoke of the system of banking rules and regulations in place federally, that applies to the institutions that have elected to be federally regulated.To the extent that Desjardins is largely provincially regulated, many of the operational requirements put in place in advance of this incident would have been worked through with the Autorité des marchés financiers. My colleague from OSFI can speak to how that is put in place at the federal level. In this incident the institution stepped forward and took a number of responsible measures very quickly to be transparent about the leak. That is consistent with both provincial law and federal law in terms of privacy, and the federal and provincial privacy commissioners have struck a joint investigation to look into this incident, but many of the provisions for not just the conduct of the financial regulation of Desjardins but also the consumer protections are provincial in this case. We can speak to the federal system, but I would direct many of the questions you may have to those responsible at the provincial level. Computer crimeDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protection601345460134556013456LindaLapointeRivière-des-Mille-ÎlesLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1530)[Translation]I have one other question. Are credit bureaus in federal jurisdiction?Computer crimeDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protection6013457AnnetteRyanAnnetteRyanAnnetteRyanAnnette-RyanInterventionMs. Annette Ryan: (1530)[English]It's largely provincial, and in this case it is provincial. Computer crimeDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protection6013458LindaLapointeRivière-des-Mille-ÎlesLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1530)[Translation]Okay.Have people from Equifax been in communication with you?Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection60134596013460AnnetteRyanAnnetteRyanAnnetteRyanAnnette-RyanInterventionMs. Annette Ryan: (1530)[English]Equifax would not be in touch with us or the department, and they are largely regulated for consumer issues at the provincial level for this.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013461LindaLapointeRivière-des-Mille-ÎlesLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1530)[Translation]Thank you. I have used half of my time and so I am now going to turn to you, Mr. Guénette.You talked earlier about the external rules on preventing identity theft, but you have not spoken a lot about the internal rules. I would like to know about the internal rules in the Canada Revenue Agency. After all, we are here today because data was stolen from the inside. How do things work at the Canada Revenue Agency? Do the employees have to be at certain levels in order to have access to the systems? You talked about centralizing or detecting problems by intervening if necessary. You said that there are strict rules and I would like you to tell me a little more about them. Can people work with their own electronic equipment when they are in front of Canada Revenue Agency screens? I would like to know more about that.Canada Revenue AgencyComputer crimeDesjardins GroupPrivacy and data protection6013462601346360134646013465AnnetteRyanMaximeGuénetteMaximeGuénetteMaxime-GuénetteInterventionMr. Maxime Guénette: (1530)[Translation]Thank you for your question.Of course, we have security rules at several levels. First, we screen the staff that we hire. People with more specific access have “Secret” security clearance instead of a lower level of clearance. A whole host of physical security measures are in place. People working in call centres, who have access to screens showing taxpayer information, may not have their personal phones with them. We have measures in that regard. As for access to taxpayers' data, those data are on separate servers that are not connected to the Internet. There is a mechanism by which the employees' access to the data is reviewed annually, or each time they change jobs. Managers verify the access those employees have on a regular basis.As for the workload, in my introductory remarks, I talked about the administrative rules. When we give employees their workload, our business fraud management system checks by using algorithms in real time. The system applies several dozen rules. For example, if employees check their own tax accounts, an alert is automatically issued and the system sees it immediately. If employees work on tasks that they have not been assigned, the system will immediately send an alert to the manager, who would then be able to ask an employee what he or she was doing in the system. Screen shots are captured per minute, which allows us to see which pages employees are consulting or which changes they have made. The system was implemented in 2017 and it is very advanced. It allows us to have controls in place. In terms of preventing data breaches, employees are unable to copy information onto CDs, DVDs or USB keys. The system does not allow it.Canada Revenue AgencyComputer crimeDesjardins GroupPrivacy and data protection60134666013467601346860134696013470LindaLapointeRivière-des-Mille-ÎlesLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1530)[English]Thank you, Chair. Again, thank you to the departmental officials for being here.I have just two quick questions for the Department of Finance. You say that your first objective is to prevent data breaches. We know the reality is that these happen and are not localized to the financial sector. Ms. Ryan, you said that when cybe events occur at a federally regulated institution, which is what we're talking about, control and oversight mechanisms are in place to manage them. Can you explain to Canadians in practical terms what that actually means when you play that out?Computer crimeDesjardins Groupe-SecurityFederal institutionsPrivacy and data protection6013474601347560134766013477JohnMcKayHon.Scarborough—GuildwoodJudyCameronJudyCameronJudy-CameronInterventionMs. Judy Cameron (Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions): (1535)[English] I'll take that question. I represent the Office of the Superintendent of Financial Institutions. Our mandate is to supervise financial institutions and set rules for them so as to protect the interests of depositors and creditors. Broadly speaking we're looking at safety and soundness, but we also make sure they comply with all federal rules. For example, we expect them to have systems in place to comply with privacy laws.We set expectations around what institutions should be doing, such as complying with privacy laws. We also expect them to do cyber self-assessments to assess their own internal protections against cyber events. Then we supervise them to make sure they are complying with the expectations we have set out to make sure that they have good compliance management systems in place.Computer crimeDesjardins Groupe-SecurityFederal institutionsOffice of the Superintendent of Financial InstitutionsPrivacy and data protection601347860134796013480GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1535)[English]Basically, it's just oversight. Now, in this particular circumstance, it's oversight of what's happened to make sure that—Computer crimeDesjardins Groupe-SecurityFederal institutionsPrivacy and data protection6013481JudyCameronJudyCameronJudyCameronJudy-CameronInterventionMs. Judy Cameron: (1535)[English]It's oversight of their systems to prevent this, really.Computer crimeDesjardins Groupe-SecurityFederal institutionsPrivacy and data protection6013482GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1535)[English]Okay, so that's one question. The other question is for Ms. Ryan, or whoever might.... I'm just going to read the summary that you gave. You said that “cybersecurity is an area of critical importance for the Department of Finance. We are actively working with partners across government and the private sector to ensure that Canadians are well-protected from cybe -incidents and that when incidents do occur, they're managed in a way that mitigates the impact on consumers and the financial sector as a whole.”What does that actually look like to impacted consumers, to consumers at large, to the financial institution, to the banking industry, to various government departments? You can say that, but what does it actually look like?Computer crimeDesjardins Groupe-SecurityFederal institutionsPrivacy and data protection601348360134846013485JudyCameronAnnetteRyanAnnetteRyanAnnette-RyanInterventionMs. Annette Ryan: (1535)[English] I think that the number of federal partners you have had as witnesses today speaks to that. The investments in the cyber centre were part of the first line of defence in strengthening the ability to prevent cyber incidents, and they are focused, as André Boucher spoke to, on the appropriate response to a cyber event. In this case there was a specific type of cyber event, a breach by an employee, so many of those defences that have been built by the cyber centre were not triggered in this case, but the resources of the cyber centre are complemented by new resources for the RCMP. You heard the RCMP speak about the national cybercrime centre and their efforts at the Canadian Anti-Fraud Centre.We also realize that a cyber event or a data event does play out on the privacy side. Therefore, measures such as the new requirements for businesses to notify customers that there has been a breach are a key part of a citizen's ability to be vigilant about their own finances and to know that important information about them has been put into play. A monitoring service like Equifax is important because it helps put that person into the mix to know when something that's being done in their name is not right. Computer crimeDesjardins Groupe-SecurityFederal institutionsPrivacy and data protection601348660134876013488GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1535)[English] I have just one quick follow-up question to that. If I were one of the 2.9 million Canadians impacted by this circumstance, or one of the millions in this country who have already been impacted by data breaches of various varieties, I would want assistance in getting my life back, like them. Right now there is a lot of talk about what that looks like, but in practical terms, Canadians want to know how to get their lives back. They want to mitigate the risks and the impacts that a breach like this has on their personal lives, on their financial futures and on those of their families. I'm curious; it seems that the Department of Finance has a role to play in having a location from which Canadians can find the information they need, follow a template, call numbers, or whatever it may be to help get their lives in order, because this is, and will be, devastating to those whom these criminals are going to take advantage of.As government, we have a responsibility to ensure that we protect Canadians as well as we can. This is not going to go away.Computer crimeDesjardins Groupe-SecurityFederal institutionsPrivacy and data protection601348960134906013491AnnetteRyanJohnMcKayHon.Scarborough—GuildwoodGuyCormierGuy-CormierInterventionMr. Guy Cormier (President and Chief Executive Officer, Desjardins Group): (1540)[English] We're supposed to leave around 4:30, but maybe we can add—Computer crimeDesjardins GroupPrivacy and data protection6013505JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—GuildwoodGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1545)[English]Thank you very much. [Translation]Good afternoon, Mr. Chair and members of the Standing Committee on Public Safety and National Security. I'm joined this afternoon by Denis Berthiaume, Senior Executive Vice-President and Chief Operating Officer, and Bernard Brun, Vice-President, Government Relations, Desjardins Group.First, I want to say that, at Desjardins, we were ambivalent about this exceptional committee meeting.On the one hand, this meeting may seem premature, since we're in the process of managing this situation and the police investigations are ongoing. It's far too early to assess the situation. As such, we intend to tell you everything that we know, but in a way that won't interfere with the ongoing investigations.On the other hand, we see this special meeting as an opportunity to inform legislators and the public about the security of personal information and the need to rethink the concept of digital identity in Canada. In my reflection process, this point prevailed.First, I'll state the obvious. What happened at Desjardins has happened elsewhere and could happen again in any private company or public organization whose mission involves personal information management. We can think of several banks around the world, such as the American bank Chase, Sun Trust, the Korea Credit Bureau, or a number of government entities in Canada and the United States, to name a few, that have been the victims of malicious employees.Desjardins is a leading financial institution and one of the largest cooperative financial groups in the world, with more than $300 billion in assets. In 2015, Bloomberg ranked the Desjardins Group as the strongest financial institution in North America, ahead of all Canadian banks. In other words, even the best aren't immune, and we believe that this message must be heard.Personally, I've been working at the Desjardins Group for 27 years. I chose this organization at the start of my career because the financial institution has managed, after nearly 120 years, to successfully combine the economic and social aspects of our society.The malicious actions of one employee led to this deplorable situation. That employee has now been dismissed. He violated all the rules of our cooperative. In this situation, we acted as quickly as possible and as transparently as possible, with the sole objective of protecting the interests of our members. That was our priority. On June 20, a few days after learning of the extent of the situation, we went public and shared all the information available, in conjunction with the police forces. At that time, we also announced the measures implemented to address the privacy breach.We've taken all the necessary measures to address the situation. We quickly implemented additional monitoring and protection measures to protect the personal and financial information of our members and clients. We informed all the relevant authorities, including the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Autorité des marchés financiers, the Office of the Superintendent of Financial Institutions, and the Quebec and federal departments of finance.We've implemented additional measures to confirm the identity of individuals when they contact us. We're constantly monitoring all our members' accounts. The procedures for confirming the identity of our members and clients when they call the Desjardins caisses, Desjardins Business centres and our AccèsD call centre have also been the focus of additional measures.We contacted the affected members through the AccèsD private messaging system and by personalized letter, to inform them of the situation and of the steps that they needed to take.We've also added extra measures to help with the activation of the Equifax monitoring package. The affected members can now register in four ways. They can register on the Equifax website, through the AccèsD telephone service, through the AccèsD web and mobile application, and directly in our Desjardins caisses by speaking with their advisor.We're actively working with the different police forces. Lastly, we're working with external experts to continue to protect our members' personal information. I can confirm that we acted diligently. After we received information from the Laval police service, we conducted an internal investigation and quickly traced the source of the breach to a single employee. The employee was suspended and then dismissed.At this time, our main priority is to reassure, assist, support and protect each and every member affected by the situation.(1550)Again this morning, we announced new protection measures for all our members. In this digital age, we at Desjardins believe that all our members must be protected.As I was saying, Desjardins announced this morning that, from now on, all members of our cooperative will be protected from unauthorized financial transactions and identity theft. Membership is automatic and free of charge, regardless of whether they've been affected by the data breach. Since this morning, Desjardins has been protecting all its individual and corporate members. This sets a precedent in the financial services world in Canada. We're the first institution to take this step. In this situation, Desjardins is acting with rigour, a sense of duty and the willingness to honour its special relationship with its members.We've entered an age where data is a resource on par with water, wood and the raw material needed to run entire sectors of our economy. Data is now the raw material for a whole innovative economy that will lead to tremendous productivity gains and make life easier for Canadians. Canada is a few months away from the implementation of 5G mobile connectivity, which will increase the flow of data tenfold. According to experts, this ultra-fast connectivity will lead to futuristic applications related to artificial intelligence. Canada is already among the world leaders in this area with its three hubs, Montreal, Toronto and Edmonton. In addition, as we speak, the Department of Finance Canada is in the process of conducting a consultation on open banking, which would help open up the transactional sector. Several European countries have already made the shift.I'll humbly ask you, the legislators, the following questions.Is Canada currently well equipped to manage these promising technological developments, which also involve new risks? Should our identification systems be adapted to the digital age to ensure the protection of privacy and to better deal with cybercriminals? This issue is the whole notion of digital identity, which I referred to a few minutes ago.I want to respectfully point out that these are real issues raised by the situation at Desjardins.In closing, I want to make a proposal. I'd like to invite the committee to recommend to the Government of Canada the creation of an ad hoc multi-stakeholder working group to advise the government on how to regulate the management of personal data and digital identities. We believe that a group that listens to Canadians' concerns should at least include representatives of governments, the financial services and insurance sector, and the telecommunications sector, along with jurists and experts, or any other group that the government deems it appropriate to involve in the reflection process.The mandate of this committee should consist of advising the government on legislation and regulations; ensuring the protection of the public; encouraging innovative technological development for the benefit of Canadians and communities; and ensuring the strategic monitoring of best practices around the world, so that Canada is always up to date.I personally believe that Canada can't pursue excellence in digital technology and artificial intelligence without having the same ambition for data and personal information management. We must all learn from the current situation at the Desjardins Group.Thank you.Computer crimeConsumers and consumer protectionCriminal investigations and hearingsDesjardins GroupDigital identityFinancial service industriesInformation disseminationPrivacy and data protectionPublic consultation6013511601351260135136013514601351560135166013517601351860135196013520601352160135226013523601352460135256013526601352760135286013529601353060135316013532601353360135346013535601353660135376013538JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1550)[Translation]Welcome, Mr. Brun, Mr. Cormier and Mr. Berthiaume. Thank you for participating in this exercise. Your presence is greatly appreciated.Mr. Cormier, I'll start by reassuring you that, last January or even earlier, the Standing Committee on Public Safety and National Security and the Standing Committee on Access to Information, Privacy and Ethics began to address issues related to the unique identifier. We looked at models from abroad, including Estonia's model, which raises a number of other issues. Before I ask you some more practical questions, I want to point out that the unique identifier is one of the cybersecurity issues. When someone gets their hands on the unique identifier, we'll be faced with the same issue.I'm pleased to hear that you're offering protection to all your members. However, financial institutions tend to charge their clients to protect the clients' data from identity theft. The financial institutions themselves make the offer. Do you have the same philosophy?To have my salary deposited into my bank account and to make transactions, automatic withdrawals and Interac payments, I must give my name, address and social insurance number to the institution that I'm dealing with. However, I must use a third party to protect this information. Why do I need to rely on someone other than the entity to which I give the information?Computer crimeDesjardins GroupPrivacy and data protection60135416013542601354360135446013545JohnMcKayHon.Scarborough—GuildwoodGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1555)[Translation]To answer the first part of your question, we made the decision this morning to set up a protection program for all our individual and corporate members. The corporate component sometimes isn't covered by other institutions or even by Equifax. We've decided to offer this service free of charge to our members as long as they stay at Desjardins. We won't charge them anything. I want to quickly reiterate that the program covers all unauthorized financial transactions involving a person's account, deposits and money. If a transaction hasn't been authorized, we'll reimburse the person. That's one thing.Second, if a person is unfortunately a victim of identity theft, we'll provide assistance, not a list of the steps to take. We'll call on our experts to provide assistance, and the experts may even participate in conference calls to help the person recover their identity.Third, we'll provide coverage of up to $50,000 to reimburse members for expenses that they may have incurred, such as lost wages, child care costs or the cost of obtaining documents.This concept of free service is extremely important to us. If you're a member of the cooperative, you have access to the program. We humbly propose that a committee be established to, among other things, address the issue of whether privacy should be managed by third party companies. I think that the status quo isn't an option.Computer crimeDesjardins GroupPrivacy and data protection60135466013547601354860135496013550MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1555)[Translation]There are two issues involved in what I consider the temporary solution of dealing with a third party. You're asking people to deal with a third party to protect their personal information. Two years ago, this third party was also the victim of hacking. We conducted a study on the matter here.How liable would you be if your clients' personal information were hacked from the entity that you trust, such as Equifax? Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection60135516013552GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1555)[Translation]That's a relevant question. In Canada, Equifax is the firm with a market share of over 70% in data and information protection and management.When the incident occurred, we decided to turn to the Canadian company that offered this service to Canadians. We worked with the company. However, in the days that followed, we noticed some issues. We quickly took our own steps to resolve the issues concerning member registration on the Equifax website. We went through this. We saw the need to improve the procedures and methods, and we took charge of the matter.Now, should one, two or three private companies in Canada manage all this? We must think about it.Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection601355360135546013555MichelPicardMontarvilleMichelPicardMontarville//www.ourcommons.ca/Parliamentarians/en/members/71529MichelPicardMichel-PicardMontarvilleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/PicardMichel_Lib.jpgInterventionMr. Michel Picard: (1555)[Translation]Identity theft is unique in that the data is active and will always remain on the market, unless the person using it dies. The data is virtually present all over the world. It can be used on the black market after 24 hours, as in cases of debit or credit card fraud.The identity theft issue isn't about the security of the client's data at their own financial institution. I'm sure that your systems are up to date in terms of protection from external hacking and that you're fulfilling your responsibility to your clients by meeting the expectations of Quebecers and Canadians. If an issue arises in the account, you'll reimburse the criminally misappropriated money.The identity theft issue is as follows. Let's say that a person goes to a bank tomorrow morning. The person says that his name is Guy Cormier and that he needs a mortgage to purchase a house. The mortgage would be at the other bank and not at Desjardins.Identity theft causes damage in other areas. One example is the real estate flips in Saint-Lambert, in the South Shore, where people took out fake mortgages under fake identities. There were a baker's dozen, and that was only in Quebec. After that, it will be Canada and Europe. Identity theft has an impact, and it isn't limited to the Desjardins Group financial system.The protection that you're offering is appreciated and necessary. However, if I may say so, the protection is limited to the client's financial situation within their institution.Computer crimeDesjardins GroupIdentity theftPrivacy and data protection60135566013557601355860135596013560GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1600)[Translation]Basically, the thought process behind the new measure announced this morning is that we're in the digital age. There will be fewer and fewer paper transactions in the coming years. This data becomes raw material for our economy. Given the importance of the data, at Desjardins, we've taken on the responsibility of offering protection to all our members.I said that there were three pillars. The first pillar is the financial aspect that you're referring to. If Desjardins members see an unauthorized transaction in their transactions accounts, Desjardins will fully reimburse them. This answers the first part of your question on the financial transactions aspect.In terms of other types of identity theft involving credit card transactions made elsewhere, such as cellphone purchases or car rentals, people can contact Desjardins and they'll be taken care of. Second, if they need help with recovering their identity, not from a financial perspective, but in relation to other aspects of their private lives, Desjardins will support them. If we need to call government agencies or private firms, or help them prepare notarized documents or a presentation, we'll do so. We're no longer talking about the financial aspect. We'll help the people with the other steps that they may need to take.Computer crimeDesjardins GroupIdentity theftPrivacy and data protection601356160135626013563MichelPicardMontarvilleJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1600)[Translation]Thank you, Mr. Chair.Thank you for joining us, Mr. Cormier.We fully understand that this situation is very emotional and complicated for Desjardins. Mr. Cormier, you said that it was premature to hold a committee meeting. I want to point out to everyone again that the Conservatives requested this meeting, with the NDP's support, to see how the federal government could help Desjardins and the nearly three million affected members.The objective isn't to investigate the situation or to find out how the data was stolen. The police are in charge of that aspect. For my part, I hope that the individual will be punished to the full extent of the law. I hope that the law is strong enough to send him to prison for a long time, but that's another matter.We've met with officials from various departments, including the Department of Finance and the Canada Revenue Agency. These are large departments. However, it's difficult to know whether the Government of Canada can be useful in this situation.I want to know whether you've received effective support from the government. If not, what could the government do to help you?Computer crimeDesjardins GroupFederal institutionsPrivacy and data protection601356660135676013568601356960135706013571JohnMcKayHon.Scarborough—GuildwoodGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1600)[Translation]There are two or three parts to my response. When this incident occurred, we contacted several federal and provincial government agencies. We spoke with the different departments of finance. I want to tell you that the departments were very helpful and supportive. Bernard Brun can confirm that very clear and open discussions were held.I've noticed that both the federal and provincial government authorities want to reassure the public. You have no idea how important this is to us. Sometimes, we see what's being written and said. I understand that people have concerns and questions. As MPs, you must hear about many of them from the people in your constituencies.I can see that the federal and provincial government officials want to reassure people and give them the proper information. This is very helpful to Desjardins. People must be told to contact us so that we can introduce them to the programs that we announced this morning. Whenever we meet with people in our caisses or client contact centres, we're in direct contact with them and we reassure them.We don't want to trivialize the situation. However, according to several studies and several experts who are currently assisting us, there's a clear difference between a data breach and what happens in a real data theft. This isn't a “one-to-one” case. The proportions are very small.By adding the protection that we announced this morning, we're telling all our members, including businesses, not to worry. If any issues arise, they should call Desjardins. We'll assist them.Computer crimeDesjardins GroupFederal institutionsPrivacy and data protection60135726013573601357460135756013576PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1605)[Translation]Since the incident, you've offered the affected members a free five-year Equifax membership. Is the new protection announced this morning a lifetime membership, or is it new internal protection?Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013577GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1605)[Translation]Exactly. There's new internal protection. As I said, it's the first pillar. If people see an unauthorized transaction posted to their account, they must notify Desjardins. We'll then review the transaction with them and give them a full reimbursement. I must point out that there's no limit, whether the amount is $10,000 or $100,000.Second, if they're victims of identity theft, they must contact us. We'll assist them and hold conference calls. We even offer a period of psychological support, through our life insurance companies, to people who are going through this highly emotional situation.Third, it's the new $50,000 protection for people who must incur personal expenses to recover their identity. Desjardins will cover these expenses. This is extremely important.I want to reiterate that people who are victims of the data breach must continue to actively register for Equifax services, since this gives them access to the alert service. The alert service could notify them of an unauthorized transaction in the following weeks or months, and this service isn't included in the Desjardins package. The Desjardins Group strongly recommends that members who are victims of the breach register for Equifax services.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013578601357960135806013581PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1605)[Translation]I'm a Desjardins member, but also a Royal Bank client—Mr. Guy Cormier: Thank you.Mr. Pierre Paul-Hus: The Royal Bank has a system that I didn't know about. I learned about it from an employee last weekend. The Royal Bank site has a link to the TransUnion site. When I click on the link, my credit report and credit rating appear. It's completely free.Will Desjardins provide a similar service?Computer crimeCredit ratingDesjardins GroupPrivacy and data protectionTransUnion Canada6013582601358360135846013585GuyCormierGuyCormierDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume (Senior Executive Vice-President and Chief Operating Officer, Desjardins Group): (1605)[Translation]We provide the same type of service with TransUnion. On the web and on mobile devices, you can access your credit rating in real time. With regard to the alert system, I think that we've explained it well. We work with Equifax, but we're also considering the possibility of providing an alert system with TransUnion.Computer crimeCredit ratingDesjardins GroupPrivacy and data protectionTransUnion Canada6013587GuyCormierPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1605)[Translation]You've done an extraordinary job of putting all this in place. Congratulations. I now want to talk about Canadians who are afraid that their data, which has been sent somewhere in the world, will be used to make transactions or for any other purpose. You can't be responsible for everyone. You have a responsibility to your members, and 90% of Quebecers are Desjardins members. However, you can't know whether data sent abroad comes from this particular breach.In other words, if my stolen data is sent abroad, will you still cover me, even though the data could have been sent from another source?Computer crimeDesjardins GroupPrivacy and data protection601358860135896013590DenisBerthiaumeGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1605)[Translation]The current situation at Desjardins was not our only reason for making this morning's proposal, but we certainly sped up the process. At the beginning of each year, we do some planning. Based on security, our new products and our new offers, we consider what we should offer our members according to their needs.Computer crimeDesjardins GroupPrivacy and data protection6013591PierrePaul-HusCharlesbourg—Haute-Saint-CharlesPierrePaul-HusCharlesbourg—Haute-Saint-Charles//www.ourcommons.ca/Parliamentarians/en/members/71454PierrePaul-HusPierre-Paul-HusCharlesbourg—Haute-Saint-CharlesConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/PaulHusPierre_CPC.jpgInterventionMr. Pierre Paul-Hus: (1605)[Translation]I'll interrupt you, because I made things unnecessarily complicated. What I meant was that even though a data breach occurred on your side, another organization may be sending my information elsewhere. In this case, wouldn't the government have some level of responsibility? You seem to be taking care of everyone's issues. At some point, shouldn't we suggest that the Government of Canada help all Canadians?Computer crimeDesjardins GroupPrivacy and data protection6013592GuyCormierDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1605)[Translation]Look, right now, the important thing is to reassure the members and to offer protection to everyone. We won't start determining whether data sent abroad comes from the data breach at Desjardins or from an information leak in another organization. We want to cover and reassure our members.To answer your question, if fraud occurs in a Desjardins account, we'll cover the member concerned. As is the case with other financial institutions, in the event of attempted fraud, whether the account is a current transactions account, a credit card account or another type of account, we don't hold the members liable.Computer crimeDesjardins GroupPrivacy and data protection60135936013594PierrePaul-HusCharlesbourg—Haute-Saint-CharlesJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1605)[Translation]Thank you, Mr. Chair.Mr. Cormier, Mr. Brun and Mr. Berthiaume, thank you for being here. You're welcome here. I think that you've fully understood our objective, which is to share information to restore the confidence of people who are extremely worried. You said it well. Like you, we're hearing from these people. This is all the more beneficial to us, since we've just completed a study. We've opened the door for members of the next Parliament with respect to cybersecurity in the financial sector. As such, we're particularly interested in this matter.Since it hasn't been mentioned yet, I'd say that, as Quebec MPs, we're not here to conduct a witch hunt. Based on the number of activities that we're involved in, we can clearly see that Desjardins is a local partner in the community. We want to work together, and I think that your recommendation today reflects that. Thank you very much. I want to touch on a few points, in the hope that you can answer some questions. I understand the constraints that you're operating under. The first thing is very simple. It seems silly, but it concerns Equifax's French services. A few people have reported difficulties with obtaining services in French. Have you worked with Equifax to ensure that your members, the vast majority of whom are French-speaking, receive service in French?Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013597601359860135996013600JohnMcKayHon.Scarborough—GuildwoodDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1610)[Translation]Yes. First, we wanted to proceed quickly with Equifax, and I think that was the intent of the process. The people at Equifax have been very helpful. They've even adjusted their service offer to accommodate us in several ways. We've worked very well together.Now, over time, we've learned about the limits of the French-language capacity at Equifax. As a result, we've introduced a number of additional measures. The president mentioned the four initiatives that have been implemented.First, people can go online or use their cellphones to register directly for Equifax services. We'll take care of referring them to the services, establishing the link with Equifax and providing the authentication. Second, people can obtain a French-language service by contacting our AccèsD call centres. Wait times are very reasonable. We act as a bridge, in a way, between our members and Equifax to improve the experience. We've been implementing this approach over the past few days and weeks. We believe that this approach has been successful.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013601601360260136036013604MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1610)[Translation]It's not necessarily specific to what we want to review, and it doesn't fall within the mandate of the committee. However, you'll appreciate that I still wanted to get the facts straight. Thank you.I want to focus on regulations. We heard a bit about them from the government officials who spoke before you. Are the regulations becoming cumbersome when it comes to achieving your objectives and ensuring the security of your members' data? In your particular situation, you're subject to both Quebec and federal government regulations. Compared to traditional financial institutions and large banks, you're in a somewhat unique situation. You'll forgive me for perhaps not using the correct terminology, but I think that you understand what I mean. Can this different situation cause problems?Simply put, would it be in our interest to ensure a better alignment between the Quebec government and the federal government requirements, so that you don't need to turn left and right to comply with two different regulatory entities?Computer crimeDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protectionRegulation601360560136066013607DenisBerthiaumeBernardBrunBernardBrunBernard-BrunInterventionMr. Bernard Brun (Vice-President, Government Relations, Desjardins Group): (1610)[Translation]Thank you for your question.It's extremely relevant because we operate in a bijurisdictional system. That said, overall, Desjardins is perfectly comfortable in the current framework. Obviously, with technological exchanges, the interconnectedness within the financial system is becoming more and more apparent. In this regard, we mustn't act in isolation.Mr. Cormier pointed out earlier that we worked well together. We were able to speak with all the federal and provincial government stakeholders. We strongly encourage them to work together. We can see the collaborative efforts, but we urge the governments themselves to hold discussions.With regard to the fact that an entity such as the Desjardins Group operates on both sides, I don't see this as an issue. However, we clearly need support in this area. We can feel it and we're focusing on it. This relates to our suggestion regarding the creation of a multi-stakeholder committee with people from different governments. This will enable us to move forward and adopt effective policies that will affect everyone.Computer crimeDesjardins GroupFederal-provincial-territorial relationsPrivacy and data protectionRegulation6013608601360960136106013611MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1610)[Translation]Thank you.It may be more difficult to answer my next question, as the police investigation is still ongoing.Given the growing cyber security expertise, especially among people who work in that field, do you think it would be appropriate to recommend ongoing background or behaviour checks for employees who have access to sensitive information and can use the information belonging to other users, other employees?I am not saying that you have failed in that area, but everyone is starting to recognize the existence of people whose expertise is growing. Their expertise is being used, but it can also have more harmful consequences. Computer crimeDesjardins GroupPrivacy and data protection6013612601361360136146013615BernardBrunGuyCormierDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1615)[Translation]The first thing is that rigorous security investigations are constantly being conducted at Desjardins. Investigations are indeed related to the job level. That is an important element.Regarding the situation before us, we could wonder whether anything could have been detected. I would like to point out that internal fraud by a malicious employee is the most difficult risk to protect against. That is recognized across industry, and there are many examples of it.In addition to security investigations, security mechanisms were in place. Obviously, we are talking about a malicious employee who found a way to circumvent all the rules and used a scheme to extract data. That said, I want to reassure you that security mechanisms are in place.Computer crimeDesjardins GroupPrivacy and data protection601361760136186013619GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1615)[Translation]With time, will we be able to go further in terms of the situation we are going through? As I was saying, in the digital age, people handle personal data not only in financial institutions, but also in all kinds of businesses. Today, when someone wants to enrol their child in daycare, they must provide their social insurance number, and that number can remain on the table for five, 10 or 15 minutes, during the enrolment process. That is the reality in Canada.I think that any business where employees handle personal information must ensure they have been screened.Computer crimeDesjardins GroupPrivacy and data protection60136206013621DenisBerthiaumeJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1615)[Translation]Thank you very much, Mr. Chair. I will share my time.Gentlemen, thank you very much for being here.I have been a member of Desjardins since around 1980. Like my colleague was saying, Desjardins is omnipresent. My riding is Rivière-des-Mille-Îles, and it includes Deux-Montagnes, Saint-Eustache, Boisbriand and Rosemère. There is a caisse Desjardins in Deux-Montagnes and one in Thérèse-De Blainville. Those are two major institutions in the region. There are two RCMs and two caisses Desjardins.Computer crimeDesjardins GroupPrivacy and data protection601362560136266013627JohnMcKayHon.Scarborough—GuildwoodGuyCormier//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1615)[Translation]Yes.You said that internal fraud is the most difficult type of fraud to detect and protect against. Earlier today, officials from the Department of Finance and the Canada Revenue Agency talked to us.How do things work internally at Desjardins? How could have supervisors detected that malicious employee? It is clear that he managed to get into the system. Are there access levels and screenshots? Does the system issue alerts when it identifies something unusual? Are your employees allowed to have their cellphone with them when they work with data?I am sure you will re-evaluate the existing measures. You talked about a lone malicious employee, but what will you do to protect yourselves against other malicious employees? What are your rules? How does it work?Business managementComputer crimeDesjardins GroupPrivacy and data protection6013629601363060136316013632GuyCormierGuyCormierDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1615)[Translation]Yes.Regarding operations, I first want to say that no one, when they turn on their computer in the morning, has access to all the data. That is not how things work. At Desjardins, jobs are categorized according to the data required to do the work. That's the first thing.Moreover, our organization has implemented a number of internal security and control mechanisms, but we do not want to discuss those publicly, as even our employees are unaware of those mechanisms. So I cannot describe them in any great detail.Concerning this particular situation, a police investigation is under way, and that makes the issue highly sensitive. Quite frankly, we don't want to hinder the ongoing police investigation in any way.As I just said, we cannot provide details on our security mechanisms, as they are important for helping us prevent this from happening again. The situation involves a single employee, but I can tell you that our security mechanisms detect external or other elements of fraud. I want to reiterate that it is extremely difficult to completely protect against a malicious employee. Business managementComputer crimeDesjardins GroupPrivacy and data protection60136346013635601363660136376013638GuyCormierLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1620)[Translation]Will you review your internal rules?Business managementComputer crimeDesjardins GroupPrivacy and data protection6013639DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1620)[Translation]Concerning the security measures, we are constantly evolving. In any given year, Desjardins invests $70 million in security, and data and personal information protection. We are constantly improving in order to adapt to new technologies that create new fraud possibilities. People try to create new schemes, and we are constantly evolving to be able to identify them.Business managementComputer crimeDesjardins GroupPrivacy and data protection6013640LindaLapointeRivière-des-Mille-ÎlesLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1620)[Translation]Thank you very much.I am glad you talked about the four procedures you have implemented. My parents are seniors and have no Internet. They went to their caisse Desjardins in person to get someone to assist them, and it did not work very well.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection60136416013642DenisBerthiaumeGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1620)[Translation]In the early days, Equifax enrolment was a challenge for us.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013643LindaLapointeRivière-des-Mille-ÎlesLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/88601LindaLapointeLinda-LapointeRivière-des-Mille-ÎlesLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/LapointeLinda_Lib.jpgInterventionMs. Linda Lapointe: (1620)[Translation]People without Internet access cannot sign up for it.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013644GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1620)[Translation]So we made the decision to provide a service to people without Internet access. As of today, people who want to could still obtain the alert service. That service will be taken over by Desjardins, which will be able to communicate with them afterwards. We have innovated when it comes to Equifax to find a solution for those people.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013645LindaLapointeRivière-des-Mille-ÎlesLindaLapointeRivière-des-Mille-Îles//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin: (1620)[Translation]Thank you very much, Mr. Chair.Mr. Cormier, you and I, like Mr. Lapointe, are victims of the leak. I understand perfectly that it is difficult to fully control a malicious employee. It is virtually impossible.That said, the leak will have various repercussions on Desjardins members. For some, nothing will come of it, while others will be victims of fraud at some point in the future. My constituents have asked me why you are offering the Equifax service free of charge for five years and not for 10, 15 or 20 years.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection601364760136486013649LindaLapointeRivière-des-Mille-ÎlesGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1620)[Translation]Mr. Berthiaume, you can answer the question on the five-year period, and then we will come back to the answer from this morning. That is a question we have already been asked.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013650FrancisDrouinGlengarry—Prescott—RussellDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1620)[Translation]First, we wanted to respond quickly by providing five years of protection. As we were unhappy with that protection period, we decided to extend it. The president announced this morning that Desjardins was committing to provide protection for life. We did not settle for a five-year protection period. We have a partnership with Equifax to provide that protection, which is important in two ways. We are noting a strong increase in the number of Equifax enrolments, but we are not satisfied with that number. Judging from the current trend, we fear that, at the end of the day, only 20% or 25% of our members will sign up for Equifax. That still leaves people without coverage who choose not to use the alert system for their own reasons. However, we do not want to leave 75% or 80% of our members without any protection. We want to provide them with an assistance service in case something happens. That is what led to this morning's announcement. We want to go beyond the Equifax protection and provide our members with umbrella-type coverage.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection60136516013652GuyCormierFrancisDrouinGlengarry—Prescott—Russell//www.ourcommons.ca/Parliamentarians/en/members/88756FrancisDrouinFrancis-DrouinGlengarry—Prescott—RussellLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/DrouinFrancis_Lib.jpgInterventionMr. Francis Drouin: (1620)[Translation]Yesterday, I experienced something while communicating with Equifax. Its website was down, and I called the company. Finally, between 45 minutes and one hour later, I could sign up.In eastern Ontario, the Desjardins Group caisses are very popular and very represented in communities. Employees are trained to help seniors who cannot go online to enrol. I am lucky to go online and to check my credit report daily, but what about my grandmother, for instance? Will someone from Desjardins let her know that there has been movement in her credit report?Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection60136536013654DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1620)[Translation]Yes, that is the new solution we just launched. We will get organized to ensure that people can sign up for Equifax. Then, instead of Equifax contacting the individual by email, Desjardins will liaise between Equifax and the person. We will receive alerts and make sure they are real, and then we will contact the affected members, like your grandmother, in a way that suits them. That is what we are implementing. Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013655FrancisDrouinGlengarry—Prescott—RussellFrancisDrouinGlengarry—Prescott—RussellGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1620)[Translation]I would like to briefly point out what the key message is. The Desjardins Group quickly decided to be transparent and to provide the information on June 20. When we looked at the data of 2.7 million people, we realized that some people did not have Internet access. There were also estate accounts. Situations arose, and we saw that we had to innovate and find solutions to them. So far, for all those cases, we are collaborating well with the Equifax people. They are helping us find a different solution, including for people like your grandmother.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013657FrancisDrouinGlengarry—Prescott—RussellJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]Thank you, Chair.Thank you for being here, gentlemen.If we're to believe the information that we received, approximately 200,000 Canadians outside of Quebec have been impacted by this particular situation. Do you know about how many in each province were impacted?Computer crimeDesjardins GroupPrivacy and data protection601366060136616013662JohnMcKayHon.Scarborough—GuildwoodDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[Translation]The affected members are primarily in Quebec. There are some affected members in Ontario and very few in other provinces. We are talking about people who no doubt moved to other provinces and are members of Desjardins. That is an important aspect. They are affected Desjardins members.Clients of State Farm or Patrimoine Aviso, which are our partners, are unaffected. We are talking about only caisse members who may have moved to other provinces or members of our caisses in Ontario. Computer crimeDesjardins GroupPrivacy and data protection60136636013664GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]Okay.You mentioned that you purchased State Farm in 2015. You're saying that none of them are impacted.Computer crimeDesjardins GroupPrivacy and data protection60136656013666DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]They are not impacted at all, no.Computer crimeDesjardins GroupPrivacy and data protection6013667GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]In 2017 you created Aviso Wealth. That was the combination of a merged Credential Financial, Qtrade Canada and NEI Investments. Those all merged. Mr. Denis Berthiaume: That's correct.Mr. Glen Motz: Were any of those impacted?Computer crimeDesjardins GroupPrivacy and data protection601366860136696013670DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]Those were not impacted at all outside of the scope of what we talked about— Computer crimeDesjardins GroupPrivacy and data protection6013671GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]What about previous Desjardins clients whose accounts were closed? Has any of their data been impacted?Computer crimeDesjardins GroupPrivacy and data protection6013672DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]Let me be very, very specific here. It's strictly the members of our caisse network who are impacted. Let's say you were a member a year ago and you closed your account for whatever reason. If you do not receive a letter, you will not be impacted. There is no impact. You haven't been impacted—Computer crimeDesjardins GroupPrivacy and data protection6013675GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English] Just to be clear, if you do not have an active account with Desjardins, you have not been impacted by this data breach. Is that what I'm hearing you say?Computer crimeDesjardins GroupPrivacy and data protection6013676DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]If you did not receive a letter.... The key is whether you have personally received a letter. If you received a letter, it means you're a member that may be affected and we encourage you to subscribe to Equifax.Computer crimeDesjardins GroupPrivacy and data protection6013677GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]It doesn't really answer my question. If I'm hearing you correctly, you have to have an active account with Desjardins to have been impacted by this data breach. Is that a yes or a no?Computer crimeDesjardins GroupPrivacy and data protection6013678DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]The answer is no, because you could be a former member of Desjardins and you closed your account a year ago—Computer crimeDesjardins GroupPrivacy and data protection6013679GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—WarnerDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]—but you may be affected if you receive a letter.Computer crimeDesjardins GroupPrivacy and data protection6013681GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]I'm not worried about the letter because Canadians don't care about the letter. They want to know, if I am a current member, is it yes or no? The answer is yes. Current or former clients could be impacted.Computer crimeDesjardins GroupPrivacy and data protection6013682DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]Yes.Computer crimeDesjardins GroupPrivacy and data protection6013683GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]In 2018, Desjardins Ontario merged with about 11 Ontario credit unions, if I remember correctly. Would any of those potential clients be impacted by this data breach?Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection6013684DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]We're talking about the Ontario caisses....Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection6013685GlenMotzMedicine Hat—Cardston—WarnerGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1625)[English]The answer is yes. For the caisses in Ontario, merged or not merged, it's possible that there are some members of these caisses who have been impacted by the breach.Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection6013686DenisBerthiaumeGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]In 2013 the Desjardins Group purchased insurance firms out west, particularly Coast Capital Insurance in B.C., First Insurance in B.C., Craig Insurance in Alberta, and Melfort Agencies and Prestige Insurance in Saskatchewan. Would any of these clients be impacted by the Desjardins data breach?Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection60136876013688GuyCormierDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]The answer is no.Computer crimeDesjardins GroupElectronic data protectionPrivacy and data protection6013689GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1625)[English]Could the phones of clients who use Apple Pay or Android Pay as part of their banking practices be compromised by this data breach, and are they at higher risk for any fraudulent texts that could occur as a result of this?Computer crimeDesjardins GroupElectronic handheld devicesPrivacy and data protection6013690DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1625)[English]The data that has been leaked outside includes some phone numbers and some emails. The answer to your question is yes, there may be phishing, but again, that's if they are members of a caisse, not if they're clients. If they're clients of Aviso Wealth or of former insurance operations or of life and health insurance, or they're property and casualty clients, they are not impacted.Computer crimeDesjardins GroupElectronic handheld devicesPrivacy and data protection6013691GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/94305GlenMotzGlen-MotzMedicine Hat—Cardston—WarnerConservative CaucusAlberta//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/MotzGlen_CPC.jpgInterventionMr. Glen Motz: (1630)[English]It's only the financial side.Computer crimeDesjardins GroupElectronic handheld devicesPrivacy and data protection6013692DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1630)[English]It's only caisse members.Computer crimeDesjardins GroupElectronic handheld devicesPrivacy and data protection6013693GlenMotzMedicine Hat—Cardston—WarnerGlenMotzMedicine Hat—Cardston—Warner//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1630)[Translation]I will continue somewhat along the lines of Mr. Motz's comments. Many of those who have not received a letter are worrying and wondering whether they are affected or not.Can we say to all those who have not received a letter that they are not affected?Computer crimeDesjardins GroupPrivacy and data protection60136976013698JohnMcKayHon.Scarborough—GuildwoodDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1630)[Translation]According to the information we have, only those who receive a letter are affected.Computer crimeDesjardins GroupPrivacy and data protection6013699David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1630)[Translation]So if someone does not receive a letter, they are not affected. Is that right?Computer crimeDesjardins GroupPrivacy and data protection6013700DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1630)[Translation]If they have not received a letter, they are not affected.Computer crimeDesjardins GroupPrivacy and data protection6013701David de BurghGrahamLaurentides—LabelleGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1630)[Translation]On June 14, we received information from the Laval police force. That information enabled our computer investigative teams to provide us with the figures of 2.7 million individuals and 173,000 businesses. We sent letters to those people.Despite everything, we are hearing people's concerns. That is why, this morning, we decided to speed up the launch of this protection program for all members, be they affected or not.Computer crimeDesjardins GroupPrivacy and data protection60137026013703DenisBerthiaumeDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1630)[Translation]That protection is a good thing, but in some of the towns in my riding, Laurentides—Labelle, a number of people don't have Internet access or a cellphone. They are fewer than when I first took office, but there are still some. A number of them have even lost their Desjardins branch. What can those people do?I have had an account with Equifax for several years. When something changes, I receive an email, but I must go on the website to try to figure out what it is, as it is not clear at all. So for those with an Internet connection, the Equifax-provided information is unclear, and those without a connection have nothing at all.You talked a bit about this, but could you elaborate further?Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection601370460137056013706GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1630)[Translation]There are two things to consider. First, it is urgent to connect Canadians across the country to the Internet if we want to enter the 21st century. On our end, as some of our members are not connected to the Internet—sometimes by choice, sometimes because they have no access to it—we have proposed an additional solution in partnership with Equifax. Mr. Berthiaume can explain that.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013707David de BurghGrahamLaurentides—LabelleDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1630)[Translation]People who don't go online and don't necessarily have an email address must still be reached. Therefore, we have set up a call centre so they can reach us by telephone. We will undertake to sign them up for the Equifax services.We have implemented an innovative solution with Equifax, which will enrol them, take care of monitoring and alerts, and then send us the results. At that point, we will contact those without Internet or email access. That is what we implemented today.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection60137086013709GuyCormierDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1630)[Translation]So Equifax, and not Desjardins, will take care of the technical aspect.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection6013710DenisBerthiaumeDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1630)[Translation]Yes. Currently, Equifax has the ability to handle alerts. As we were saying earlier, Equifax holds 70% of the Canadian market when it comes to credit bureaus and detection and alert systems. So those are the services we use for this aspect.Once again, we liaise for people who have more difficulty accessing the Internet or don't have an email address. We reassure people and, in case of alert, we contact them.Computer crimeDesjardins GroupEquifax Canada Co.Privacy and data protection60137116013712David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1630)[Translation]Fine.In your statement, you talked about changing our digital identity system. What examples would you like us to follow?Computer crimeDesjardins GroupDigital identityPrivacy and data protection60137136013714DenisBerthiaumeGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1630)[Translation]Far be it from me to give you the perfect example that should be followed, because there will always be gaps in the perfect solutions that we think we have found. There will always be dishonest people who will try to get around these solutions. However, countries such as Estonia, India and even some European countries have put in place measures regarding unique identifiers or, at the very least, measures to ensure that government-issued cards, whether drivers' licences or health insurance cards, do not become ways of identifying people. The objective of these countries was to restore the primary role of these cards, which have become identification documents over time. Canada should draw inspiration from these countries.Computer crimeDesjardins GroupDigital identityPrivacy and data protection6013715David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1635)[Translation]Very well.I have one last question. What did the 2.9 million Desjardins clients who were affected have in common? Do we know why they were affected and not the others?Computer crimeDesjardins GroupPrivacy and data protection60137166013717GuyCormierDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1635)[Translation]On this subject, we have nothing conclusive. We relied on the data provided to us by the police services. We don't have conclusive data on why someone was on the list or not. We don't have that information.Computer crimeDesjardins GroupPrivacy and data protection6013718David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1635)[Translation]Mr. Cormier, I would just like to reiterate what my colleague said. The fundamental objective of today's meeting, for us Conservatives, is to determine what the government, its agencies and institutions could do to help you and, in turn, to help Desjardins members, which is the most important thing. They are Canadian and Quebec citizens.As you know, I have contacted the three directors of the Desjardins branches in my riding to express my support.Has Canada's Department of Employment and Social Development contacted you to obtain the list of the 2.9 million citizens? This is a very important question.Computer crimeDesjardins GroupPrivacy and data protection601372160137226013723JohnMcKayHon.Scarborough—GuildwoodGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1635)[Translation]The department is in contact with us and collaborates with us. We have been talking directly with its representatives for more than two weeks now, whether it is about social insurance numbers or the situation Desjardins is in.I do not believe that the information was requested, at least not on an operational level. I don't have that information. I don't know if Mr. Brun or Mr. Berthiaume know more, but I don't think so.Computer crimeDesjardins GroupPrivacy and data protection60137246013725AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1635)[Translation]When you have the answer, could you give it to the analysts or the clerk? It would be important for us to know that. If the request has been made, could you provide a list of these Canadians? We are trying to find out what the government can do, but first it should know who it is talking about. So would you be able to send this list to the Canadian government? Unfortunately, it would still involve sending data, but the recipient would be the government.Computer crimeDesjardins GroupPrivacy and data protection6013726GuyCormierDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1635)[Translation]We will have to see if this is possible. From a legal point of view, I am not sure.Computer crimeDesjardins GroupPrivacy and data protection6013727AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1635)[Translation]Next, I would like to know if a member of the current cabinet has contacted you since June 20.Computer crimeDesjardins GroupPrivacy and data protection6013728DenisBerthiaumeGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1635)[Translation]When you talk about the current cabinet, you are talking about the cabinet....Computer crimeDesjardins GroupPrivacy and data protection6013729AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1635)[Translation]I am talking about the federal cabinet. So it would be a minister.Computer crimeDesjardins GroupPrivacy and data protection6013730GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1635)[Translation]Yes, that's right. I had a discussion with Minister Morneau on the situation. He offered me his support to see how the federal government could support Desjardins in this situation.Computer crimeDesjardins GroupPrivacy and data protection6013731AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1635)[Translation]Fine.In your introduction, you mentioned very humbly and respectfully that you had some questions. Personally, I would have liked to know your answers as an expert in your field. I don't remember your first question very well, but it was still interesting. You were wondering if Canada had an adequate system for social insurance numbers, for example. I would like to know your perspective on this. Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60137326013733GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1635)[Translation]The first question was whether Canada is well equipped to manage technological development, which is full of promise, but also involves new risks.Do we need to adapt our identification systems?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60137346013735AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—LimoilouGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1635)[Translation]My two answers are simple: I think the status quo is not an option. The status quo in Canada today is not sufficient in the digital age, in the upcoming 5G era, and in the era of reflection about the world of financial services, including open financial services. On these two issues, I think we should not be satisfied with the status quo.That is why we humbly propose the creation of a committee composed of several stakeholders, including citizens, governments, businesses—not just financial institutions, but companies that process data—to reflect on these issues and see if, using examples from other countries around the world, we can continue to be leaders.As I mentioned in the beginning, I think that in artificial intelligence, Canada is taking an important leadership position in the world. At the same time, we must have the same ambition with regard to personal information and data protection. My answer revolves around these points.Artificial intelligenceComputer crimeDesjardins GroupPrivacy and data protection601373760137386013739AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1635)[Translation]I have a supplementary question, which will probably be the last one. I am addressing Mr. Cormier, the citizen.You made a very important announcement this morning. You said that the protection applies to all members, whether or not they are affected by this unfortunate event. You said all they have to do is call you and you can take care of them. You will establish contacts, take action and take the necessary steps.Do you think that's exactly the kind of attitude that the government, the federal state, should have right now towards the 2.9 million Canadian citizens?Citizens are being asked to contact us, and I think it is the federal government that should contact citizens. Let's say that citizens are communicating with the federal government, shouldn't the federal government have the same approach as you and say that it takes care of everything?The representative of Employment and Social Development Canada said that, if citizens' social insurance numbers were changed, they would have to call all their former employers. That's not what you're doing. You, incredibly, say you're going to take care of everyone at the last minute.As a citizen, would you like the federal government to act in the same way towards the affected members?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers601374060137416013742601374360137446013745GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1640)[Translation]As a citizen, I would say that elected officials are elected to provide a framework and adopt laws. In the current digital age, regulatory parameters must be put in place to protect citizens in this regard. That's my message, as a citizen.This is also why, despite the fact that we found this meeting premature, we still made the decision to be present. We feel that this situation is sounding the alarm and that there is an awareness and a real willingness on the part of elected officials to address this issue. We wanted to provide our point of view on this subject. Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60137466013747AlupaClarkeBeauport—LimoilouJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1640)[Translation]Thank you, Mr. Chair.I have a question that is somewhat similar to what Mr. Graham was saying about Internet and telephone access. Seniors have special needs.Are we also looking at that? Computer crimeDesjardins GroupPrivacy and data protectionSenior citizens601375060137516013752JohnMcKayHon.Scarborough—GuildwoodDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1640)[Translation]That's what I was saying. Often, seniors do not necessarily have an Internet connection or an email address. We take care of them. These people can call us. We will take charge of the situation from that moment on and act as intermediaries with Equifax regarding the alert system and what these people will receive as a message.Computer crimeDesjardins GroupPrivacy and data protectionSenior citizens6013753MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1640)[Translation]There is an interesting article in La Presse, in today's issue, if I'm not mistaken. It talks about how credit watch agencies, companies like Equifax, are regulated and that this regulation focuses more on consumer issues.It may be too much speculation for what you are comfortable talking about today, but given the somewhat symbiotic relationship they have with financial institutions and the breach Equifax has experienced, do you think it would be relevant in the digital age to review how these agencies are regulated?This has become more important than consumer protection; they now have a responsibility to protect data. We see that there are important consequences. Should we review this in the context of all these changes you alluded to?Computer crimeDesjardins GroupPrivacy and data protection6013754601375560137566013757DenisBerthiaumeGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1640)[Translation]I told you a few minutes ago: I think the status quo is not an option. That's why we're here today. Desjardins will be very honoured to participate in the discussions, if they are held.I think we need to bring together the stakeholders who work in the data field in Canada to think about how we want to change the situation. Sometimes it could be about regulation, sometimes it could be about business processes, sometimes it could be about working together. I think the status quo is not an option.Computer crimeDesjardins GroupPrivacy and data protection60137586013759MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1640)[Translation]I have one minute left. In closing, I would like to say that we are pleased to have you here. We understand that this is a difficult situation. I appreciate the fact that you understand why we have a duty to do this.Citizens are calling us. It affects them, they are worried. Our objective is not only to reassure them in this case, but also to ensure that they and other citizens who are clients of other financial institutions do not experience the same thing. You are sharing your experience, which is very useful not only today, but also for the future Parliament. We still want to put in place a roadmap in this rapidly evolving area.Computer crimeDesjardins GroupPrivacy and data protection60137606013761GuyCormierGuyCormier//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1640)[Translation]Thank you, Mr. Chair.Mr. Cormier, Mr. Brun and Mr. Berthiaume, I too will begin by congratulating you. I must admit that when I arrived here this morning, I had questions and concerns, which you answered. I think that your statement this morning is very beneficial to Desjardins. I too am affected by what happened at Desjardins, and I appreciate the measures you have taken. About two or three weeks ago, the Bank of Canada established the Financial Sector Resiliency Group to address IT threats. As far as I know, Desjardins Group has not been invited to join this group. Chartered banks, among others, and systemically important banks were invited. First, can you confirm that Desjardins Group has not been invited? Then, do you consider it would be appropriate for it to participate in such a working group?Computer crimeDesjardins GroupFinancial service industriesPrivacy and data protection6013765601376660137676013768JohnMcKayHon.Scarborough—GuildwoodGuyCormierBernardBrunBernard-BrunInterventionMr. Bernard Brun: (1640)[Translation]Thank you for this very relevant question. The Bank of Canada obviously has an extremely important role to play in ensuring financial stability. Recently, it announced the creation of a committee to develop supervision and review oversight by discussing matters with all kinds of partners. Naturally, it turned to the big banks and the regulator. We have had discussions with people at the Bank of Canada and we feel that they have an opportunity to explore this. As already mentioned, the financial system is extremely interconnected. All the players in this sector have issues, regulations and regulators, but they must be able to work together, go beyond that and discuss matters. We certainly have a great interest in participating in all of this. We felt that there was an opening in this direction and we are waiting to see what form this will take. Desjardins Group is certainly a Canadian and Quebec financial institution of systemic importance. If there are discussions, we should be involved.Computer crimeDesjardins GroupFinancial service industriesPrivacy and data protection6013770601377160137726013773GuyCormierRhéalFortinRivière-du-Nord//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1645)[Translation]You have the support of the Bloc Québécois on this. I hope my colleagues across the way will follow up on this and propose that the Bank of Canada invite you. Presently, there are discussions on the establishment of a national identity validation system. Previously, the social insurance number was used in the relationship between the employer and employees and the government. Now we see that it is used in almost every way. It is no longer clear how to behave in this regard, but it is clear that the simple social insurance number is no longer sufficient to ensure a certain level of security for citizens.In your opinion, would an identity validation system, which would include a PIN, fingerprint or whatever, be useful in a situation like the one you have experienced?Computer crimeDesjardins GroupDigital identityPrivacy and data protection601377460137756013776BernardBrunGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1645)[Translation]That is why we humbly submit a recommendation to the committee today. In Canada, 30, 40 or 50 years ago, we put in place certain mechanisms, which today are no longer used for what they were created for. It is time for industry players to sit down together to rethink all of this, and try to draw inspiration from best practices around the world; this reflection, as I can see very well, has already begun.Computer crimeDesjardins GroupDigital identityPrivacy and data protection60137776013778RhéalFortinRivière-du-NordJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/957JohnMcKayHon.John-McKayScarborough—GuildwoodLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/McKayJohn_Lib.jpgInterventionThe Chair: (1645)[English] Thank you, Monsieur Fortin. I want to thank the witnesses for their appearance here. I'm happy to note that your announcement of your package coincided with your appearance here. That's quite fortunate. There are four or five members of this committee who are uniquely vulnerable as members of your association. I'm wondering whether their unique vulnerabilities as public figures is covered by your announcement today.Computer crimeDesjardins GroupPrivacy and data protectionPublic office holders60137796013780GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1645)[English]All of the information, per the announcement we made this morning, of all of the people who were on the list of the members who have been affected by this leak will be taken care of by this program. With this protection program, if it's their financial activities in their accounts, if it's having access to assistance for recovery of their identity, or if there are problems with some fees they have to pay regarding the recovery of their identity, they will be allowed to go under this program.Computer crimeDesjardins GroupPrivacy and data protectionPublic office holders6013781JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/957JohnMcKayHon.John-McKayScarborough—GuildwoodLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/McKayJohn_Lib.jpgInterventionThe Chair: (1645)[English]I have taken note of that, as you mentioned it earlier. However, what I'm talking about is the unique vulnerability of public officials. If that vulnerability arises, will it be addressed by this particular package?Computer crimeDesjardins GroupPrivacy and data protectionPublic office holders6013782GuyCormierGuyCormierGuyCormierGuy-CormierInterventionMr. Guy Cormier: (1645)[English] This is something that we are looking at right now in our files. Among these 2.7 million people, we are looking right now if there are some more sensitive people. You probably read about policemen, judges, people like officials. This is something that we're looking at right now. Our priority was to send the letters to make contact with the people. Now we're looking what may be other sensitivity that we should be more careful—Computer crimeDesjardins GroupPrivacy and data protectionPublic office holders6013783JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/957JohnMcKayHon.John-McKayScarborough—GuildwoodLiberal CaucusOntario//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/McKayJohn_Lib.jpgInterventionThe Chair: (1645)[English]So in the initial thrust, not necessarily. Mr. Guy Cormier: Yes. We will look at it.The Chair: My question is that we've been doing this for awhile now and one of, if you will, the gold standards of protection is what's called “zero trust”, which was brought up by a previous witness, who said, “identify and protect critical assets. Know where your key data lives; protect it; monitor the protection, and be ready to respond.”Do you feel that Desjardins adhered to the zero trust principle that seems to be the gold standard for protection of data?Computer crimeDesjardins GroupPrivacy and data protectionRisk management6013784601378560137866013787GuyCormierDenisBerthiaumeDenisBerthiaumeDenis-BerthiaumeInterventionMr. Denis Berthiaume: (1645)[English]When we say “zero trust”, we need to identify what we are talking about. Zero trust, we have people who have access to data. They need it to actually do their work. With zero trust, clearly we want to make sure that we have security mechanisms in place that aim at the zero trust principle. However, when you put it in practical terms, sometimes there's a difference between the theory and what you can really do practically. The objective is there to make sure that the data given to us by our customers, by our clients, is fully secure. That's our goal.Computer crimeDesjardins GroupPrivacy and data protectionRisk management6013788JohnMcKayHon.Scarborough—GuildwoodJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1650)[Translation]Thank you.Ms. Boisjoly, earlier you heard the people from Desjardins talk about the need to rethink the social insurance number system. Is research being done on the future of the social insurance number?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60137926013793JohnMcKayHon.Scarborough—GuildwoodEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1650)[Translation]Thank you for your question. As you know, the social insurance number is one identifier among many. As we have already mentioned, on our website, we are advising citizens that they should only give their social insurance number in very limited circumstances. This is explained to them. We tell them not to give their social insurance numbers to organizations that cannot legally request them. However, from what we hear, citizens often give it voluntarily to organizations that are not authorized to take it.We are certainly aware of the discussions. We are still looking at what we can do to improve the protection of our systems and practices related to the social insurance number.We want to hear the recommendations or see the report that this committee will publish, as well as other reports.I can assure you that work on improving the security of our systems is ongoing. I know that Treasury Board is also very actively working on digital identity projects. We are participating in these discussions to see how we can improve the digital identity of citizens in Canada.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60137946013795601379660137976013798David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1655)[Translation]Among the data that was taken, we know that there was a lot of information, not just social insurance numbers. There were also addresses, phone numbers, and so on. You have spoken several times about additional information to authenticate the social insurance number. Is all this information included in the data that was taken?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013799EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1655)[Translation]The social insurance number is an identifier that provides access to federal programs and services, as well as to income and tax systems. In the case involving the federal government, with respect to benefits, for example, my colleague explained that at the Canada Revenue Agency you have to ask an additional, secret question to identify individuals, such as the amount entered on a certain line of the tax return. In the case of employment insurance, participants are given a program access code, and must give two digits of this code in order to access private information related to the employment insurance program.The social insurance number is an identifier, but it is accompanied by other questions to validate the identity of the person with whom we do business. Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138006013801David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1655)[Translation]There are Service Canada officers in every city. If people come to their offices to find out what they need to do about the current situation, what instructions will they be given?Computer crimeDesjardins GroupPrivacy and data protection6013802EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1655)[Translation]Thank you for your question.All our call centres, Service Canada offices and agents have received very clear instructions. Our call centres and Service Canada offices answered questions from approximately 1,500 citizens. They have informed them of the steps to take, including contacting a credit bureau, verifying their financial and banking transactions, and exercising extra vigilance with respect to the transactions they make. If they identify activities that are not related to their transactions, they should contact the police, Service Canada offices and the various institutions so that we can resolve the situation. To date, no fraud has been reported.Computer crimeDesjardins GroupPrivacy and data protection60138036013804David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1655)[Translation] The leak is recent, however.Computer crimeDesjardins GroupPrivacy and data protection6013805EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1655)[Translation]As I was saying, despite the number of leaks detected in recent years, there are about 60 cases per year requiring a change in the social insurance number.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013806David de BurghGrahamLaurentides—LabelleDavid de BurghGrahamLaurentides—Labelle//www.ourcommons.ca/Parliamentarians/en/members/88504David de BurghGrahamDaviddeBurgh-GrahamLaurentides—LabelleLiberal CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/GrahamDavid_Lib.jpgInterventionMr. David de Burgh Graham: (1655)[Translation]Is there a way to indicate somewhere that the social insurance number is no longer valid and then remove the liability associated with it?If I change my social insurance number and I am still responsible for the old one, in my opinion, it doesn't make sense. Can you tell us more about this?Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138076013808EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1655)[Translation]One of the reasons is that we do not know to whom citizens have given their social insurance number. The social insurance number should only be used as an identifier to link certain information to provide benefits. Individuals are the only ones who know to whom they have given their social insurance number and for what purpose. You can give your social insurance number for private pensions, insurance and car rentals or purchases, for example. The social insurance number should not be used to identify the person. This is a number that allows you to link certain files. We need this number to link the information. We now link the two social insurance numbers in our systems, but the first should never again be used by the individual.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138096013810David de BurghGrahamLaurentides—LabelleJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1700)[Translation]Thank you, Mr. Chair.Good afternoon, everyone. Thank you for waiting and staying here. Ms. Boisjoly, you are the assistant deputy minister at the Department of Employment and Social Development Canada. Did your minister instruct you to get the list? I asked the same question of Mr. Cormier. Have you received ministerial instructions to obtain the list of the 2.9 million Canadians affected by the massive data leak at Desjardins?Computer crimeDesjardins GroupPrivacy and data protection6013813601381460138156013816JohnMcKayHon.Scarborough—GuildwoodEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1700)[Translation]You raise an interesting question.The first thing to do, according to the Personal Information Protection and Electronic Documents Act, is to inform third parties. As you have heard, Desjardins has contacted us to ensure that we will provide the information and help Desjardins branches obtain as much relevant information as possible to help their members. In this case, we have given a lot of information on how to protect their members.Computer crimeDesjardins GroupPrivacy and data protection60138176013818AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/88404AlupaClarkeAlupa-ClarkeBeauport—LimoilouConservative CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/ClarkeAlupa_CPC.jpgInterventionMr. Alupa Clarke: (1700)[Translation]So there were no guidelines. In other words, you are reactive. I'm not talking about you, of course. You follow political orders, and we understand that. At the moment, everything is reactive and absolutely nothing is proactive.You said you received 1,500 requests or calls about the social insurance number. Our goal is to know how the government can help people proactively. Since you don't know which Canadians are affected, you necessarily have to wait for them to contact you. That is what is happening right now. You wait for the people affected to contact you, not the other way around. That's impossible, because you don't have the data. Mr. Cormier, from Desjardins, seemed to say that they would be ready to send this data. I know I'm asking you to give a political opinion, but you can't.I have to express something that royally disgusts the people in my riding. I went door-to-door a lot last week and the week before that. People have consistently told me that they doubt that the government can do anything. It saddened me very much. How is that possible? I would like to break the cynicism and listen to people. People contribute 50% of their income to the Canadian government. We Conservatives want the government to work for citizens, not the other way around. Mr. Cormier said that when someone calls Desjardins, they are proactive and take care of things for them.We learned something very important today. In fact, we already knew that because it had been mentioned here and there. I learned from an official like you that you can change your social insurance number. I know it's complex and that even if we change it, we still have to reach a myriad of institutions, our former employers, and so on. However, it is the government that requires that citizens have a social insurance number. It is a system that should perhaps even be called into question, and we are discussing it today, in a way.Wouldn't it be your duty to contact the 2.9 million people? The Liberal government should do this to be proactive. It knows these people. For example, at the Pizzeria D'Youville, where I worked in 2004 when I was 17, it was the boss who sent the GST to the federal government. All these things are well known. Your departments could easily link this information and change the social insurance number, perhaps not in a comprehensive way, but it should support the citizen in the very difficult task of reaching all former employers or government agencies. I really don't like this. I know it's not your fault. You have political directives from the Liberal government, but it is not proactive at the moment. I don't like it at all. What can you say about this?Computer crimeDesjardins GroupPrivacy and data protection6013819601382060138216013822601382360138246013825EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1700)[Translation]In view of the multiple leaks that can occur, the goal is to ensure that citizens and the benefits due to them, whether tax refunds or other benefits, are always protected. That is why we worked very closely with Desjardins to define what measures would enable us to support it in its relations with the affected citizens.Desjardins has implemented measures. When there were leaks at the federal level, very similar measures were taken with respect to credit bureaus, because it is really the best way to protect citizens from fraud. We continue to work with Desjardins. If an exchange of information proved to be a good solution, we would consider it. However, at this stage, the measures put in place are the best that could have been taken.Computer crimeDesjardins GroupPrivacy and data protection60138266013827AlupaClarkeBeauport—LimoilouAlupaClarkeBeauport—Limoilou//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1705)[Translation]Thank you, Mr. Chair. I would like to come back to the question I asked, namely whether you want to hold information sessions in major centres in Quebec, among others. I know that people outside Quebec are also affected, but it is in Quebec that the leak had the greatest impact. The population must be informed.I forgot what it was, but I have already received a letter in the mail regarding a change in federal policy. I would like to believe that it is possible to send letters by mail to the people of Quebec informing them of the schedule of public consultations or information sessions that will take place in the next two months. You are giving us information today and I think people are listening, of course. Nevertheless, we should make sure to reach as many people as possible. Despite the pervasiveness of social media, I am not convinced that this response is adequate.Is this something you are open to? I believe that the Department of Finance and the Canada Revenue Agency also have a role to play.Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection6013831601383260138336013834JohnMcKayHon.Scarborough—GuildwoodEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1705)[Translation]Absolutely.To be proactive, we have put additional information on our website. We have issued press releases. We used social media, as you said. We hold workshops on the social insurance number in several communities. These are workshops that are given on a regular basis and I won't see why we can't use this method as well.So, thanks for the recommendation. We will take it into consideration. Computer crimeDesjardins GroupInformation disseminationPrivacy and data protection601383560138366013837MatthewDubéBeloeil—ChamblyMatthewDubéBeloeil—Chambly//www.ourcommons.ca/Parliamentarians/en/members/71368MatthewDubéMatthew-DubéBeloeil—ChamblyNew Democratic Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/DubéMatthew_NDP.jpgInterventionMr. Matthew Dubé: (1705)[Translation]Perfect. We thank you for that because these are indeed special circumstances, and when there are natural disasters, for example, the local government—whether it is the municipalities or the Government of Quebec—always answers.As my colleagues said, and not to insult anyone, the federal government is the furthest away. In this case, there are real impacts on people's lives.Either way, if we ourselves—I'm just talking about myself right now—don't necessarily know how to navigate the social insurance number system when we are federal legislators, I don't think it's because of our own ignorance. It's just a very complex system. That's why you're here today, and that would be knowledge worth sharing.Thank you for your openness. This completes my questions. Computer crimeDesjardins GroupPrivacy and data protection6013838601383960138406013841EliseBoisjolyJohnMcKayHon.Scarborough—Guildwood//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1705)[Translation]Thank you, Mr. Chair.I'll start with Ms. Boisjoly.If we consider that the social insurance number was created in 1964 to govern employer-employee and government-to-government relations, we see that it is used in every way now, but in any case, much more widely than before.Wouldn't it be necessary to review the security regulations concerning its use? For example, there could be a PIN that matches the health card, fingerprints or other data, for example.In your opinion, can anything be done with this? Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138446013845601384660138476013848JohnMcKayHon.Scarborough—GuildwoodEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1705)[Translation]That is an excellent question.As I always say, it is important, when you have situations like this, to review and rethink certain things.As far as the social insurance number is concerned, as I said, it is one of several identifiers. At the federal level—and, of course, in many places— people are invited to add secret questions that only they can answer. It is not a PIN, but it is an additional way to ensure security and identify the right person. Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers601384960138506013851RhéalFortinRivière-du-NordRhéalFortinRivière-du-Nord//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1705)[Translation]Correct me if I'm wrong, but the social insurance number is valid, regardless of whether or not we have matching questions.I am asked for my social insurance number for a transaction, whatever it is, with a bank, or whatever. I don't have a PIN. I just have the number. Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138526013853EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1705)[Translation]You are absolutely right. You do not have a PIN.Is this something we could consider? Maybe. What is important to say is that, to access a service, you must give other identifiers such as the line...Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138546013855RhéalFortinRivière-du-NordRhéalFortinRivière-du-Nord//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1705)[Translation]It depends on the companies we request services from, but, I agree, you're right.Wouldn't a penalty be appropriate? We see that retailers or banks frequently ask for social insurance numbers, and this is not always necessary. Shouldn't there be a system of penalties for those who ask for a social insurance number when they don't need it? Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138566013857EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1710)[Translation]That is an interesting question. I don't know if any predecessors have addressed this issue.Currently, we have a very clear list of who can do so. We have very clear instructions for citizens. When someone asks them for a social insurance number and they are not on the list of people who should ask them for it, they can seek redress with the Privacy Commissioner of Canada.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers60138586013859RhéalFortinRivière-du-NordRhéalFortinRivière-du-Nord//www.ourcommons.ca/Parliamentarians/en/members/88605RhéalFortinRhéal-FortinRivière-du-NordBloc Québécois CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/44/FortinRhéal_BQ.jpgInterventionMr. Rhéal Fortin: (1710)[Translation]Couldn't we include criminal provisions in the act for this, whether it be a fine or some other sanction? Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013860EliseBoisjolyEliseBoisjolyEliseBoisjolyElise-BoisjolyInterventionMs. Elise Boisjoly: (1710)[Translation]Yes, it would be something to check, but I don't have any information on that today.Computer crimeDesjardins GroupPrivacy and data protectionSocial insurance numbers6013861RhéalFortinRivière-du-NordRhéalFortinRivière-du-NordAïshaFournier DialloAïsha-FournierDialloInterventionMs. Aïsha Fournier Diallo (Senior Legal Counsel, Desjardins Group): (1110)[English] Thank you, Mr. Chair.[Translation]Honourable members, on behalf of the Desjardins Group, thank you for inviting us to testify before your committee. I am pleased to be here today to talk about something as important as the review of Canada's anti-spam legislation, that I will call CASL. It is an important piece of legislation for our industry, and it has a considerable impact on how we communicate with our members and clients.As the Chair said, my name is Aïsha Fournier Diallo. I am senior legal counsel with the Desjardins Group, more specifically with its subsidiaries in property and casualty insurance that do business across Canada. My job is to support the validation of the legal risks associated with Canada's anti-spam legislation. Naturally, we are called upon to interpret the legislation every day. Let me introduce Natalie Brown. She is the director of the caisse network and she leads a team that deals with credit card services, payments and litigation.[English]Although my remarks will be mostly in French, we will be happy to answer your questions in both languages. [Translation]First, I will say a quick word about the Desjardins Group because I would like to move on to CASL.It was here, in Ottawa, that the idea for the Desjardins Group was born. Right next door, across the road, Alphonse Desjardins was a Hansard reporter for more than 25 years. After a debate on loan sharking, he got the idea to found a co-operative financial group that would address the needs of smaller depositors.Today, 117 years later, the Desjardins Group is the largest co-operative financial group in Canada, and the 6th largest in the world, with assets of over $270 billion. Our close to 1,100 caisses and financial centres in Quebec and Ontario, together with our online platforms and subsidiaries from coast to coast to coast, serve over seven million members and clients. It should be noted that a third of our service centres are located in less densely populated areas.From heritage to insurance management, including business services, the group employs just under 48,000 employees and 5,000 managers.That said, I would like to say what a pleasure it is to be among you today, honourable members, to share with you my point of view.I came to Desjardins as a lawyer in 2013, about one year before the legislation came into force. I was able to witness the impact it had on what we do and how we communicate with our members and clients.People's expectations towards communications have changed. Our modes of communication have also changed. Clients expect us to reach out to them in the most natural and effective way possible. You have to put yourself in the shoes of the consumer, which we do every day since we are in contact with them. They want emails and texts, and are looking for an easy way to connect with us. This is why organizations should be able to communicate with their clients and their members without having to constantly worry about whether they are violating a section of Canada's anti-spam legislation. With every message we send, we have to ask: does my email or text comply with the law? Is it a commercial electronic message, a CEM? Do I have the necessary valid consent to send it? Is it excluded under the legislation? Is the prescribed information included in the email?Imagine having to do this every single time you send an email to a member or client. In the past, the government said, “Canadians deserve an effective law that protects them from spam and other electronic threats that lead to harassment, identity theft and fraud.” As Mr. Smith said, no one is against this. However, the law is far too broad. People, like ourselves for instance, who work everyday with this legislation while trying to support our business operations have been anxiously waiting for this review. We hope that the government will take advantage of this opportunity to undertake an in-depth review of this legislation so that it may achieve its goal, while at the same time finding a balance that will allow organizations that have legitimate reasons to communicate with their clients to do so without fear and with the benefit of more streamlined legislation. (1115)[English]CASL is one of the most restrictive pieces of anti-spam legislation in the world. It was a great idea, protecting Canadians from spam. No one likes spam. But in our view, there has been a chilling effect on marketing and business communications, primarily for four reasons: the lack of clarity and the interpretive issues that exist in the act that require either clarification or amendments to the law; the fact that it is an opt-in consent model piece of legislation, meaning that you need an express or implied consent to send commercial electronic messages; the incredibly steep administrative penalties that the CRTC can impose for violations of the act; and the possibility of lawsuits from consumers through the private right of action.The interpretive issues and lack of clarity make it difficult for lawyers like us to provide firm advice to their clients and for clients to be confident that they are in compliance with the law. There is no room for error under CASL, and all are extremely cautious, therefore missing opportunities to communicate with the clients for legitimate reasons, particularly in the one-on-one context. It should be easy for small businesses and larger ones to understand CASL and to apply it. [Translation]I am going to give an overview of the major interpretive issues we have faced these past few years, and we will provide you with a brief explaining them in greater detail, because there are quite a few. First of all, the definition of a “commercial electronic message” is so broad that it includes practically any commercial message, even if the message is sent to a client with whom we have a perfectly legitimate commercial relationship.As I said earlier, with every message, its content and the context in which it is sent have to be considered. You need to be aware of things like hyperlinks in the emails, clickable logos, in short, anything that could be seen as promoting the image of whoever is sending the email, and that includes a lot of things. For example, the fraud prevention email we would like to send to our members and clients could be considered a CEM because of the hyperlinks it includes. If a hyperlink leads to our website where our products and services are advertized, we have to ask whether it compromises the email by turning it into a CEM, which is prohibited.The fact that our clients have to consult us before they send an email to their clientele with every new initiative and new campaign or innovation complicates things a great deal. We need more clarity to make sure that the nature of the messages we send, like the fraud prevention email, cannot be misinterpreted, even if they include hyperlinks, logos or elements that promote the Desjardins Group. We feel it necessary to clarify the definition of CEM and to relate it back to the legislation's original purpose, which is to protect consumers from spam and the electronic threats that could lead to harassment, identity theft and fraud. Essentially, we need the assumption to be that Canadian companies have no ill intent when they communicate with their clients, and focus rather on the truly problematic communications.I am now going to talk to you about the notion of consent and related provisions. As you know, the law requires express and implicit consent. Some of the provisions around implicit consent are a bit murky, and as a large financial group, we need to know who can benefit from this consent. Therefore, we recommend an opt-out option, that way, we would administer an unsubscribe mechanism instead of getting bogged down with consent management.There is still one more area I want to cover. Earlier, Mr. Smith mentioned that subsection 6(6) is unclear. Indeed, some emails that shouldn't even qualify as CEMs are prohibited under this subsection. Finally, I would like to mention the private right of action provision. We are very happy that it was suspended and we think it should be completely struck from the act. As a regulatory body, the CRTC can interpret the act. We believe that it is better to defer to such a body on matters of interpretation instead of overwhelming the courts.(1120)I would like to thank you once again for inviting us to testify today. I sincerely believe it is possible to find a balance that would allow organizations to communicate more freely with their clients while at the same time protecting the interests of Canadians.An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications ActDesjardins GroupElectronic mailLegislationSpamStatistics50602745060275506027650602775060278506027950602805060281506028250602835060284506028550602865060287506028850602895060290506029150602925060293506029450602955060296506029750602985060299506030050603015060302DanRuimyPitt Meadows—Maple RidgeDanRuimyPitt Meadows—Maple Ridge//www.ourcommons.ca/Parliamentarians/en/members/35309MaximeBernierHon.Maxime-BernierBeaucePeople's Party CaucusQuebec//www.ourcommons.ca/Content/Parliamentarians/Images/OfficialMPPhotos/42/BernierMaxime_CPC.jpgInterventionHon. Maxime Bernier: (1240)[Translation]Thank you.My question is for the officials from the Desjardins Group.You mentioned that there is a need for data and to maintain a database in order to show compliance. In your estimation, what are the costs incurred by the Desjardins Group in order to comply with CASL? How many employees do you have in each of Desjardins' networks working on this?I imagine that you are currently doing your best to be in compliance. Do you think that small companies have the same resources as Desjardins to ensure compliance?An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications ActDesjardins GroupLegislationSmall and medium-sized enterprises50605885060589DanRuimyPitt Meadows—Maple RidgeNatalieBrownNatalieBrownNatalie-BrownInterventionMs. Natalie Brown: (1240)[Translation]First, on the issue of the cost of compliance, we will have to forward you that information at a later date. We never bothered to establish a grand total.Furthermore, having chaired the Desjardins Group's anti-spam committee, as Aïsha is doing now, I can tell you that we are talking about several dozen employees, since we have to include every branch, every caisse and every aspect of compliance, from legal affairs to operational risk. I will forward you this information as well.On your second question, now, as to whether smaller companies can bear these kinds of costs, I would have to say that it would be unrealistic to think so. The Desjardins Group is a massive company, and even despite that, we feel the burden is much too heavy to bear. I think that more than answers the question.An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications ActDesjardins GroupLegislationSmall and medium-sized enterprises50605915060592MaximeBernierHon.BeauceAïshaFournier DialloBernardBrunBernard-BrunInterventionMr. Bernard Brun (Director, Government Relations, Desjardins Group): (0910)[Translation]Thank you, Mr. Chair.My name is Bernard Brun, and I'm here on behalf of Desjardins Group.I'd like to thank the committee for the opportunity to share our input today and contribute to the prebudget consultations in advance of the 2017 federal budget.It is especially lovely for us to be here, in Quebec City, given the tremendously important role of Desjardins among financial institutions and services in the capital and around the province.Desjardins Group is the country's leading financial co-operative group, and the sixth in the world. Today, its assets total more than $260 billion, and it has some 47,000 employees working to serve seven million members and clients.The Bloomberg news agency ranked Desjardins Group as the most solid financial institution in North America, with some of the best capital ratios and credit ratings in the industry.I am going to pick up on some of the elements contained in our previous brief to the committee.In particular, I want to highlight the distinct co-operative dimension that sets Desjardins Group apart from other financial institutions, as well as the regulatory impacts and issues it gives rise to at the provincial and federal levels.Financial co-operatives differ from traditional banks by virtue of their mission and their democratic structure. Because of this special relationship with members, we can attest to the fact that, in addition to contributing to Canada's financial system, financial co-operatives represent an additional vector of economic stability and regional prosperity. For example, 30% of Desjardins Group's points of service are located in sparsely populated areas, with fewer than 2,000 inhabitants.That brings me to my first point.We would like to stress to the committee members the importance of consistent rules governing financial institutions.Quebec's provincial regulator, the Autorité des marchés financiers, designated Desjardins Group a domestic systemically important financial institution. At the end of the day, Desjardins Group is a leader in Quebec and Canada alike. The rules that governments put in place, particularly at the federal level, affect all financial institutions no matter where they are headquartered, as well as the taxpayers and citizens they serve.We are asking committee members and the government to recognize that any measures governing financial institutions must be adapted to the co-operative model, which is clearly not the prevailing model in the financial institution industry. That is especially important in light of the federal government's current review of the regulatory framework governing financial institutions.The second point I'd like to discuss, which relates more to the economy, is a hot topic right now and one that concerns many in the government and financial sector. I am talking about household debt and the measures related to the housing market.It is fair to say that household debt is worrisome on a number of levels. Steps must be taken. Just recently, the federal finance minister announced that measures would be put in place. Despite being well-received, these measures will have a clear impact on access to housing; the extent of that impact, however, is still not fully known. Regional disparities exist within the housing market, particularly in a country like Canada. It is important to keep that in mind, and I urge the committee members to consider that element carefully. Educating the government on this point is key. It is not advisable to introduce uniform standards across the country, given that the overheated market is limited to certain geographic areas and certain types of housing.Furthermore, it is recommended that the government take a step back in order to fully assess the impact of the recently introduced measures before proposing new ones.(0915)Addressing household debt through the financial sector requires a very delicate hand given the interrelationship with economic growth and interest rates. The government must exercise the utmost caution in its cost-benefit analysis in order to achieve a so-called smooth landing for the entire Canadian economy.I would just like to wrap up by, once again, urging the government to fully recognize the characteristics, specific needs, and benefits of the financial co-operative system. The government must also recognize that Desjardins Group and the rest of the country's financial co-operatives are an important and integral part of the Canadian financial system and that the rules need to be adapted accordingly.Thank you.Cooperatives and mutualsDesjardins GroupFinancial institutionsHousingPersonal debtPre-budget consultations45920404592041459204245920434592044459204545920464592047459204845920494592050459205145920524592053459205445920554592056459205745920584592059WayneEasterHon.MalpequeWayneEasterHon.MalpequeBernardBrunBernard-BrunInterventionMr. Bernard Brun (Director, Government Relations, Desjardins Group): (1300)[Translation]Thank you, Mr. Chair.My name is Bernard Brun. I'll start with some opening remarks and a short introduction of Desjardins Group.First, thank you for inviting us and for listening to us this afternoon. It's especially meaningful since Desjardins Group started here, in Lévis, over a century ago. Alphonse Desjardins founded the first caisse populaire. Since that time, the history and the city, in addition to economic development and the presence of financial institutions in Quebec, have been thoroughly intertwined with the evolution of Desjardins Group.Desjardins is the leading cooperative financial group in Canada and the sixth largest cooperative financial group in the world, with assets of about $260 billion today. It's a completely cooperative group, meaning we provide a full range of financial services to all our members and clients. We're located in all regions of Quebec and across Canada. Desjardins Group has about 47,000 employees in total.It's worth noting that Desjardins Group is considered North America's strongest bank, according to Bloomberg News.I also want to mention that the name “Mouvement Desjardins” in French is well chosen. We're constantly evolving. We must adapt to the changing reality of the environment, in terms of both the needs of our members and the evolution of the environment.I'm joined by David Mourinet, Director of Administrative Services for Desjardins Group. He'll talk more specifically about the business relationship Desjardins Group is maintaining with Canada Post, as a service user, and about the changing use of the services.We'll then be pleased to answer your questions.Thank you.Canada Post CorporationCooperatives and mutualsDesjardins GroupPostal services455256745525684552569455257045525714552572455257345525744552575TomLukiwskiMoose Jaw—Lake Centre—LaniganDavidMourinetDavidMourinetDavid-MourinetInterventionMr. David Mourinet (Director, Administrative Services Directorate , Desjardins Group): (1305)[Translation] Mr. Chair and members of Parliament, thank you for meeting with us in Lévis.Canada Post is currently a major service provider for Desjardins, since we mail about 108 million letters a year. In general, the letters are mailed by our network of caisses or by the Desjardins card service, which represents the vast majority of clients with the exchange of cards, whether they are bank cards, Visa cards, or another type of card.Desjardins Group has exactly eight distribution centres in Canada. Each distribution centre manages a high volume of letters, documents or packages. Recently, we expanded out west by acquiring State Farm. Desjardins has started a major project to digitize all its documents. In the past two years, our shipments have decreased by 5%. We have a number of major global digitization projects. In the next five to ten years, most documents will be completely digital. We estimate that, within at least five years, the decrease will result in 30% fewer Desjardins shipments. The number of documents shipped by Canada Post, our main service provider, will decrease by about 30 million.This major streamlining is being carried out as a result of client demand and the changing technology and markets. People want information as quickly and efficiently as possible. The digital solutions are currently the most suitable and least expensive for us and our clients.As you know, Desjardins Group must deal with the changing technology and behaviour of its members, who use digital technology for their financial transactions.All financial institution activities are affected to a certain extent by the changing technology and mail services. It's not only Desjardins members. All people who have bank accounts will use digital technology.I'll let Mr. Brun finish.Canada Post CorporationCooperatives and mutualsDesjardins GroupPostal services45525764552577455257845525794552580455258145525824552583BernardBrunBernardBrunBernardBrunBernard-BrunInterventionMr. Bernard Brun: (1305)[Translation]In closing, thank you to the committee for allowing us to speak about the issue. We have a great deal of information, and Desjardins Group is there to answer your questions and give you things to consider.Thank you.Canada Post CorporationDesjardins GroupPostal services45525844552585DavidMourinetTomLukiwskiMoose Jaw—Lake Centre—LaniganBernardBrunBernard-BrunInterventionMr. Bernard Brun (Director, Government Relations, Desjardins Group): (0800)[Translation]Thank you, Mr. Chair.Members of the committee, I would like to give a brief introduction to the name of the Desjardins Group. First, I want to thank you for the invitation. It is much appreciated.My name is Bernard Brun. I am the Director of Government Relations for the Desjardins Group, which is a cooperative financial group. It is the leading financial cooperative group in Canada, and the fifth largest in the world. It has 7 million clients.We offer a full range of financial services, from basic financial services and insurance to access to capital and, of course, financing services. We are a leading actor.Desjardins is the leading financial group in the agriculture and agri-food sector. We would particularly like to discuss this field and the potential impacts of the free trade agreement on the agriculture and agri-food market.Alain Gagnon, who is Vice-President, Agriculture and Agri-Food Sectors Division, is with me today. He will talk to you more specifically about this subject.Desjardins GroupTrade agreementsTrans-Pacific Partnership436865343686544368655436865643686574368658MarkEykingHon.Sydney—VictoriaAlainGagnonAlainGagnonAlain-GagnonInterventionMr. Alain Gagnon (Vice-President, Agricultural and Agri-Food Sectors Division, Desjardins Group): (0800)[Translation]Good morning. Thank you for the invitation.Our institution's activities in this sector extend from coast to coast, but a majority are concentrated in Quebec. The Desjardins Group has a more than 41 per cent share of the farm credit market in that province, more than all of the other financial institutions combined. Overall, nearly half of all farmers in Quebec do business with Desjardins.Overall, the implementation of the Trans-Pacific Partnership will have favourable repercussions for Canadian agriculture, and in particular for the major exporting sectors. We need think only of pork producers, cranberries, blueberries and maple syrup. Signing the agreement will lead to greater general competitiveness in the agri-food sector with its main competitors in the international markets.Notwithstanding the generally positive aspects of the treaty, some Canadian exporters could be disadvantaged by the new access it grants. We are thinking mainly about exporters subject to supply management, such as milk and poultry, who will experience new pressures on the domestic market. The agreement in principle signed by Canada includes partial opening of agricultural markets under supply management to foreign countries.That openness will directly affect a number of sectors, and particularly milk. For the dairy industry, that comes on top of the chink created by the agreement between Canada and the European Union. Sectors under supply management are an important part of the Desjardins Group's farm credit portfolio, and we are also a major partner of many companies in the farm supply and food processing industries. That is why it is essential, for all actors in the agricultural sector, including financial institutions like the Desjardins Group, that the compensation and financial support programs announced in the fall of 2015 be put in place.Financial compensation and the deadlines that the government wants to put in place for compensating for certain provisions of the TPP agreement will encourage a gentle transition and enable companies to develop strategies for adapting. Without those measures, losses of markets will lead to declining revenues, which will have consequences for companies' capacity to meet their financial obligations and continue to expand.In addition, the shock could be particularly great for regions whose economic activity depends more heavily on agricultural sectors that are under supply management. It is important to note that 31 per cent of Desjardins Group service points are located in municipalities with populations under 2,000. There were be more negative impacts for us than for the other financial institutions.Smaller companies and those that have recently been acquired by the next generation of farmers will generally be the most affected. The Desjardins Group wants to have a clear picture of its members' and partners' business environments so that it can manage its risks appropriately. As a cooperative financial institution that has a significant presence in agricultural regions and is active in farm credit, the Desjardins Group considers it to be important for the compensatory and transitional measures aspect to be clarified quickly. As long as those measures have not been officially confirmed and put in place, all actors in the agricultural sector will have to make important business decisions against a background of uncertainty.Similarly, we urge the government to remedy the inconsistencies in federal legislation that allow goods to be imported by circumventing customs tariffs. This was the case in the past, for example, for certain poultry products, and the most recent example is diafiltered milk. That is why we believe that in addition to adopting compensatory and transitional measures that are necessary for the sectors...Countervailing dutyDairy industryDesjardins GroupFarming and farmersMilk proteinPoultryPoultry farmingSupply managementTrade agreementsTrans-Pacific Partnership436865943686604368661436866243686634368664436866543686664368667BernardBrunMarkEykingHon.Sydney—VictoriaINTERVENTIONParliament and SessionDiscussed TopicProcedural TermCommitteePerson SpeakingProvince / TerritoryCaucusParticipation TypeSearchResults per pageOrder byTarget search languageSide by SideMaximum returned rowsPagePUBLICATION TYPE