Appearance before the Senate Standing Committee on Legal and Constitutional Affairs on Bill S-4 – An Act to amend the Criminal Code
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
May 28, 2009
Statement by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Thank you, Madam Chair and members of the Committee, for inviting me to address you on the pressing issue of identity theft. I’m joined by Lisa Campbell, Acting General Counsel with my Office.
We are pleased to see that the government is taking action on the growing problem of identity theft. Polling conducted by my Office this year reveals that one in six Canadians have experienced some form of identity theft. Over ninety per cent of Canadians are concerned about the issue of identity theft.
Identity theft is a broad term that is often used to describe a wide range of behavior. It can include credit card fraud. It often refers to pretexting, which is pretending to be someone authorized to obtain information in order to get it.Footnote 1 There are also more sophisticated techniques, such as skimming, which involves stealing personal information from the magnetic strip on debit and credit cards through the use of small electronic devices.
Another method of identity theft is phishing or vishing, which uses emails and phone calls from what appear to be trustworthy organizations, such as banks, to lure people into providing account and other personal information. Pharming is another variation, in which a counterfeit website is set up using the correct address of a genuine website; in order to entice people to give up personal information.
As technology evolves, identity thieves are constantly developing new techniques to obtain personal information. There are even online operators and underground networks that specialize in the sale of stolen personal information. Thus, identity theft can range from the stealing of credit card information to the wholesale misappropriation of an identity.Footnote 2
Once obtained, personal information can be used to open bank accounts, obtain loans or credit cards, obtain employment or transfer property in the victim’s name. Stolen or copied personal documents can also be used to obtain government benefits or government-issued documentation.Footnote 3
In 2007 my Office investigated the massive computer data breach at TJX/Winners, which affected millions of credit card holders worldwide. We found that the company had failed to adequately secure the personal information that it held, making it possible for thieves to hack into wireless networks and access the data. Aside from the costs to the company, millions of people were affected in Canada and other countries. Ultimately, eleven individuals were charged in the United States with identity theft. In January of this year, a Ukrainian man believed to have been at the centre of the TJX data breach received a lengthy jail sentence.
Victims of identity theft may suffer significant financial loss as well as damaged reputation or credit ratings. They may lose time, incur expenses and experience severe stress associated with restoring reputations and recovering financial and other losses incurred. There are also significant costs to government and the private sector when identity is misappropriated.Footnote 4
The lessons of the past few years teach us that stronger privacy protections are needed if privacy is to have any meaning at all in the face of contemporary challenges. Criminal gangs – like the one behind the TJX heist - and commercial organizations – like in the Abika case you discussed in previous hearings – have both come to the same conclusion. There is now a lucrative and booming global market for personal information. Many of our audits and investigations bear this out. From government officials being impersonated on social network sites, to company insiders misusing corporate data for their own ends. It is an issue that knows no borders, no neat distinctions between public or private organizations, and it is happening everywhere. Such an issue calls for global action.
When we appeared before the House Standing Committee on Access to Information, Privacy and Ethics in May 2007 on the issue of identity theft, we urged the government to adopt a broad-based strategy that would include public education, stronger regulation of data handling practices, civil remedies and finally criminal sanctions for the worst cases. In our view, the government's identity theft legislation is a step in the right direction; however it should form part of a broader-based strategy to address identity theft and identity fraud.
The recent introduction of anti-spam legislation is also an important contribution. At the moment, Canada is one of the only major developed countries without anti-spam legislation. The Electronic Commerce Protection Act addresses many of the shortcomings of the current Canadian legal framework, by providing severe penalties, and broadly defining unsolicited commercial electronic messages to include text-message spam. It also has targeted provisions against phishing and spyware, and a right of action against spammers, as well as greater government cooperation. Significantly, it would also create a national coordinating body, and a Spam Reporting Centre. Many of these provisions are consistent with the recommendations that the National Task Force on Spam made four years ago.
I would like to see a similar effort on ID theft. Too much fine work is being done to have the task at hand muted by lack of coordination. There is the Phone-busters anti-fraud call centre operated by the RCMP, Competition Bureau and the Ontario Provincial Police. There are excellent resources on identity theft on the Safe Canada website set up by Public Safety Canada. There is the federal-provincial-territorial CMC working group on ID theft. Now what we really need is for police and regulators, public and private sector, federal and provincial officials to sit at the same table to focus all this expertise for Canadians’ benefit.
When Bill C-27, the predecessor identity theft bill to S-4, was introduced, my Office sought an opinion on the effect of the proposed legislation from Professor David M. Paciocco, a respected author and expert in criminal law. His advice is available on our website. We shared this opinion with the federal government, together with our concern that while sanctions are required for the most serious instances of identity theft and fraud, many of the problems associated with these phenomena could be better addressed through regulatory measures and modernized privacy legislation.
In our recommendations for reform of the Privacy Act we have asked for stronger regulation, including better security safeguards and broader grounds to take matters before the Courts. In the review of our private sector legislation, PIPEDA, we have similarly recommended changes which would allow us to better regulate personal information handling practices, including the authority to cooperate with other enforcement authorities and mandatory breach notification. These measures would empower Canadians to prevent identity theft, and motivate companies and government organizations to properly safeguard personal information under their control.
Professor Paciocco agrees that conduct such as pretexting is better addressed through regulation than the criminal law. As he observes, regulatory regimes are often more efficient and therefore more enforceable than criminal offences. Regulatory legislation can be drafted to address the problem in a more aggressive way than criminal regulation could. Thus pretexting and other activities that are often the precursors to identity theft may be better addressed through targeted infractions and the stronger regulations that my Office has been calling for.
Thank you once again, Madam Chair, for inviting me to speak to you on this issue. I would be pleased to take any questions members of the Committee may have.
- Date modified: