Maintaining Trust in Commerce and Communication: What Will it Take?

Remarks at the Privacy and Identity Theft Conference organized by the Freedom of Information and Privacy Association

Vancouver, B.C.
November 24, 2008

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


Introduction

Good morning. I would like to begin by offering a word of thanks to the organizers for inviting me to be here for what will no doubt be a thought-provoking conference.

This event is only the latest initiative by FIPA on identity theft. As many of you know, a couple of years ago, FIPA conducted one of the first comprehensive studies on identity theft in Canada. That project was funded by my Office’s contributions program.

Darrell Evans and his team deserve our kudos for all of the amazing work they do on identity theft as well as a number of different issues – all on a very tight budget.

I was extremely impressed when I saw the agenda for this conference. It includes many of the key themes my Office has been raising over the last number of years: the absence of good statistics on identity fraud in Canada; the urgent need for legislative action; and the requirement for organizations to do a better job when it comes to safeguarding the personal information of Canadians.

This morning I would like to share some thoughts on each of these issues. It is clear that fighting identity theft will require action on many fronts.

Building Trust

The title suggested by conference organizers for my presentation this morning was “Maintaining Trust in Commerce and Communication: What will it take?”

Personally, I’m not so sure that consumers currently have a great deal of trust – in either the organizations that hold their personal information or in the government bodies that are supposed to be protecting them against identity theft. Perhaps a more accurate presentation title would have referred to building, or even creating trust. We have a system that, while perhaps not broken, is definitely in need of repair.

Why do I say this?

Each morning, the package of media clips that arrives on my desk in Ottawa invariably includes stories about some new breach – often more than one. We should hardly be surprised if individuals are becoming increasingly concerned about the security of their personal information!

An Ipsos Reid survey conducted for CanWest News Service and Global TV last year found that nearly half of Canadians don’t think banks and other businesses are doing enough to protect their personal information and prevent identity theft.

The same survey found that the threat of identity theft has prompted almost a third of Canadians to change their spending habits and how they use debit and credit cards.

Meanwhile, the federal government has taken some preliminary steps on identity theft. For example, legislation to better target identity theft was introduced in the last session of Parliament, but hadn’t been passed when the election was called.

However, we have yet to see the kind of comprehensive approach that is needed if we have any hope of making real progress. More is needed to inspire consumer trust.

Assessing the Issue

Part of the problem is that we lack a clear picture of the extent of identity theft in Canada and its causes.

To begin with, there is still debate over the definition of identity theft. The term is used to include everything from simple cases of fraud, when someone forges a cheque or uses a stolen credit card to purchase goods, to more sophisticated cases where an impostor creates a new identity. The lack of consensus on a definition makes measuring identity theft a challenge.

When it comes to quantifying the issue, PhoneBusters provides us with some numbers which are a useful indicator of trends. However, PhoneBusters readily acknowledges it is only capturing a tiny percentage of actual figures. Many people don’t bother reporting incidents of identity theft, perhaps because, for the moment, the police can’t do a lot to help individuals. Our Criminal Code just isn’t up to speed and there is also a question of law enforcement priorities.

Another problem is that we do not have good information about the sources of personal information being used by identity thieves. Some studies suggest that much of the information comes from within organizations; other research claims identity theft is usually perpetrated by people known to the victims. Solid data could help us to better target our efforts to combat this crime.

The Threat

Most of the data points to an explosion of identity theft.

Just last week, a new survey done by Doctor Susan Sproule for McMaster University suggested that, in the past year, 6.5 per cent of Canadian consumers – some 1.7 million people – had experienced some kind of identity fraud. These researchers also looked at the source of personal information used in this fraud. I look forward to hearing more details during the conference. I also want to acknowledge the leading research that CIPPIC has done on the legal and policy dimensions of identity theft.

One important development in identity theft trends that has emerged in recent years is the growing recognition by thieves that they can make a lot of money by stealing names, birthdates, credit cards and other personal information.

According to the RCMP, organized crime groups in Canada now see personal information as an important money-maker that complements their more traditional sources of income – cocaine and marijuana.

In particular, online threats are evolving and becoming more sophisticated and more targeted. Around the world, cyber crime has become a $105 billion dollar international business – bigger than the global illegal drug trade, according to David DeWalt, CEO of the security technology company McAfee Inc.

The crooks find opportunities to exploit everywhere…. While most of us are worrying about economic doom and gloom and our dwindling RRSPs, fraudsters are exploiting financial market upheavals. The U.S. Federal Trade Commission recently warned that scammers – well aware of the mortgage crisis – have been sending phishing e-mails designed to look as if they were from a financial institution that had recently acquired a consumer’s bank or mortgage.

Our side – the good guys – will need to be just as innovative as we develop strategies in response to the threat to our personal information.

The OPC’s Role

My own Office is addressing identity theft on a number of different fronts. In fact, this issue is one of four top strategic priorities guiding our work.

We investigate data breaches involving personal information, which can lead to identity theft. We also have the power to audit the privacy practices of private-sector organizations when we have reasonable grounds to do so. This work can help identify weaknesses in an organization’s systems and help to close gaps that could expose personal information to risk.

We also have an important public education role to play. It’s clear that many people fail to take even the most elementary steps needed to safeguard their own information.

My Office has also been pressing the federal government to do more on identity theft.

The Response

We’ve been pleased to see some positive – though relatively modest – steps from government.

1. Identity theft legislation

During the last Parliamentary session, the government introduced a bill to amend the Criminal Code in order to deal with a number of identity theft issues. The legislation focuses on the early stages of identity theft and addresses a number of different ways in which criminals gather personal information.

For example, it would make it an offence to possess or traffic in identity information when this information is to be used for a fraudulent purpose. The bill also addresses credit card fraud by creating a new offence dealing with the possession of instruments for copying credit card information.

These changes will provide police officers with important new tools to stop identity thieves or fraudsters before Canadians suffer actual financial harm.

Another praiseworthy element of the legislation is the possibility that offenders will be required to pay restitution to victims for costs incurred as a result of the fraud.

Overall, my Office sees the legislation as a positive first step.

2. Anti-spam legislation

Prime Minister Harper’s Conservatives have also said they would introduce legislation to reduce the amount of e-mail spam Canadians receive.

This legislation would prohibit the use of spam to collect personal information under false pretences and to engage in criminal conduct. It would include new fines and also establish a coordinating body to enforce the legislation and respond to consumer complaints.

Canada is currently the only G-8 country without such legislation – even though this was the key recommendation of a special federal Task Force on Spam (of which the OPC was a member) back in 2005.

Spam is proving difficult to deal with effectively. Roughly 98 per cent of the e-mails arriving at the Office of the Privacy Commissioner are spam. Thank goodness for filters!

While I did not hear any specific references to combating identity theft and spam in last week’s Speech from the Throne, I am hopeful that these are government priorities and that we will see some action soon.

3. Mandatory breach notification

The third key identity-theft-related initiative currently on the federal drawing board is a plan to begin requiring private-sector organizations to notify my Office and affected consumers following a data breach. This change is part of a broader review of the Personal Information Protection and Electronic Documents Act (PIPEDA).

Notification will help individuals take steps to protect themselves against identity theft. These requirements should also help by acting as another incentive for organizations to improve security measures protecting the personal information in their care.

Cyber Crime Strategy

I’d also like to mention one other possible federal initiative. A recent media report suggested that we’ll soon see the details of a strategy to address cyber crime – a significant piece of the identity theft issue.

Next Steps

While these are all very welcome developments, we clearly can’t stop here.

My Office has been urging the federal government to develop a broad-based identity fraud strategy. We currently have several federal departments and agencies – for example the RCMP, Competition Bureau and Industry Canada – interested in identity theft, but their efforts have thus far not resulted in a concerted strategy.

I’ve proposed the federal government create a clearinghouse or task force that would play a coordinating role in developing a multi-pronged strategy. This central body would draw together various government institutions, the provinces, law enforcement and other organizations.

Action is needed on many fronts – new criminal and civil sanctions; measures against pretexting; action against spam; stronger security by organizations; recourse by citizens; modernization of the Privacy Act; and more public education – to name but a few examples.

U.S. Approach

There is no shortage of ideas, and if we are looking for inspiration, we might want to begin by looking south.

The United States has put the issue of identity theft into sharp focus by creating an Identity Theft Task Force in 2006 to marshal the federal government’s resources. In a recent progress report, the task force reported that federal identity theft convictions in the U.S. increased 26 per cent in 2007 from the year prior.

We have seen some very creative and avant-garde legislative developments in the United States.

For example, Massachusetts and Nevada have recently adopted laws that will require businesses collecting personal information about state residents to encrypt sensitive data stored on portable devices such as laptops, Blackberries and cell phones.

At a national level, President Bush recently signed into law a bill aimed at making it easier for prosecutors to go after cyber crooks. The same law also ensures that victims receive compensation when identity thieves are ordered to pay restitution.

The U.S. also recently adopted “Red Flags” Rules – new requirements for financial institutions and other creditors such as automobile dealers and utility and telecommunications companies to adopt written identity theft prevention policies.

These new requirements are called “Red Flag Rules” because organizations are required to set up programs to identify and respond to patterns of behaviour, practices or specific activities – red flags – that may indicate identity theft.

This is another example of how much more active the US government has been, compared to the Canadian government, in terms of combating identity theft.

The Data Breach Problem

I’ve talked about a number of areas where the federal government needs to show leadership. But private-sector organizations also have a critical role to play on the identity theft issue.

We continue to see too many data breaches. It seems to me that businesses – small and large – are underestimating the risk a breach will happen to them.

What we’re seeing in the breaches reported to my Office is that human error and inadequate employee training are big problems organizations must address.

A recent analysis of breaches reported since 2006 found that employee awareness and training was the most important contributing factor in reported breaches. It was an issue in more than half of the incidents examined.

Perhaps this shouldn’t come as a surprise – a poll conducted for my Office last year found only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws.

Another important finding related to our discussion about identity theft is the fact that unauthorized access, use and disclosure accounted for roughly one quarter of the breaches reported to my Office. A majority of those cases (over two-thirds) involved rogue employees – many of whom wanted the personal information to commit fraud. The fraudulent use of personal information, including identity theft, was confirmed in almost 80 per cent of cases where fraud was the motivating factor behind the breach.

Organizations clearly need to do a better job at safeguarding the personal information entrusted to their care. Adequately protecting personal information is the law in Canada. It is not optional.

Conclusion

Identity theft is obviously a complex problem – a point that will no doubt be made in every presentation at this conference. There is no simple or single solution to identity theft, in part because it has so many root causes. One, I think, has been the easy access to credit in North America. Why does Europe seem to have fewer problems?

Organizations and individuals must do their part. And the federal government needs to lead the way with a multi-faceted strategy that will help us make progress against what some are calling the Crime of the 21st Century.

Just before going to the floor for questions, I’d like to invite all of you to visit my Office’s booth in the exhibitors’ area, where you’ll find some of the public education materials we’ve produced on identity theft as well as other information. I hope you will also take a look at an e-newsletter just launched by my Office. It includes news about our work and our points of view on emerging privacy issues. You can subscribe online on our website or sign up at our conference booth.

I would be pleased to answer any questions ….
