Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce
Issue No. 28 - Evidence - November 2, 2017
OTTAWA, Thursday, November 2, 2017
The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:30 a.m. to study and report on issues and concerns pertaining to cyber security and cyber fraud.
Senator Tkachuk: Good morning and welcome, colleagues, invited guests and members of the general public who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce either here in the room or listening on the web.
My name is David Tkachuk. Today is our fifth meeting on our study on issues and concerns pertaining to cybersecurity and cyberfraud, including cyber-threats to Canada’s financial and commercial sectors.
I’m pleased to welcome Daniel Therrien, Privacy Commissioner of Canada, and his officials; Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch; Brent Homan, Director General, Personal Information Protection and Electronic Documents Act Investigations Branch; and Steven Johnston, Senior IT Research Analyst.
Thank you for joining us today. Please begin with your opening statement and, after that, we will do a question-and-answer session. Welcome and proceed.
Daniel Therrien, Privacy Commissioner, Office of the Privacy Commissioner of Canada: Thank you, Mr. Chair and members of the committee, for the invitation to address the privacy issues related to cyber security and cyber fraud.
Canadians are concerned about the security of their personal information. According to our latest public opinion poll released in January, 92 per cent of Canadians expressed concern about the protection of their privacy, and a clear majority, 57 per cent, were very concerned.
As more and more personal information is processed online, privacy protection increasingly relies on effective cyber security implementation by organizations to secure personal data. The private sector carries significant responsibility for cyber security because it controls so much of the infrastructure and information in cyberspace. The Personal Information Protection and Electronic Documents Act, PIPEDA, Canada’s private sector privacy law, sets out the ground rules for how private sector organizations collect, use, disclose and safeguard personal information in the course of commercial activities across Canada. It also applies to personal information of employees of federally regulated organizations, such as banks, airlines and telecommunications companies.
My office also oversees compliance with certain aspects of Canada’s anti-spam law, alongside the CRTC and the Competition Bureau.
Cyber-attacks can impact organizations of all sizes, potentially leading to significant privacy breaches. In the case of larger organizations, their substantial customer holdings may pose considerable interest for criminals. But in today’s online economy, small and even micro organizations can also hold vast amounts of personal information, or may be particularly vulnerable because they can be targeted as a prelude to attacks on larger or partner organizations. Therefore, we are aware that they may particularly need additional help, resources and oversight.
Under PIPEDA, all organizations are accountable for protecting the personal information under their control, which includes identifying risks and implementing appropriate security safeguards to protect the data they collect.
My office receives a considerable number of security breach reports under PIPEDA. Since the adoption of the Digital Privacy Act in 2015 — previously Bill S-4 — the volume doubled and has stayed at that higher level for the past two years. Once mandatory breach reporting comes into force through regulations being developed by the Department of Innovation, Science and Economic Development, we can expect that number to increase significantly.
Such a volume increase will place even greater pressure on our office’s already stretched breach oversight capacity. Currently, our capacity is largely limited to examining only the most significant and complex breaches that come to our attention, such as Equifax, the World Anti-Doping Agency, Ashley Madison, and the Phoenix pay system.
Senator Tkachuk: Excuse me; what is WADA?
Mr. Therrien: The World Anti-Doping Agency, which is an IOC, International Olympic Committee, related organization in Montreal. Through recent amendments to PIPEDA, the private sector law, the WADA organization is subject to oversight by my office.
Senator Tkachuk: Thank you. If we can avoid acronyms, it would be great for people watching. It’s hard enough for us but, for people watching, it’s even harder. It would be great if you use the full title.
Senator Black: If I may also ask, do you mind slowing down a little bit? You’re giving us extremely important information, but you’re going too quickly.
Mr. Therrien: Absolutely.
Senator Black: Thank you.
Mr. Therrien: The mandatory data breach reporting regulations for the private sector, although not as extensive as we would have hoped, will be an important instrument for improving security practices of organizations. That said, we have made some recommendations to the government on some areas in which we believe the draft regulations are deficient. For example, first, it must be ensured that the content of breach reports provides the information necessary to assess the quality of safeguards, and an assessment of the risk of harm for individuals. Second, the record-keeping requirements for organizations must be clarified. Why have we made these recommendations? Because this information is critical. It provides baseline data so that trends can be identified and systemic issues can be addressed, allowing for effective oversight.
The Digital Privacy Act also resulted in a number of significant amendments to PIPEDA, including the introduction of mandatory breach reporting. It also included a number of amendments, which allow for the disclosure of personal information in certain circumstances where the intent is to combat and prevent fraud and financial abuse. Some witnesses have talked to you about those provisions in your meetings.
Unlike PIPEDA, the private sector privacy law in Canada, the Privacy Act does not impose any legislative requirements on government institutions to safeguard the personal information under their control. Organizations are required by Treasury Board policy to report material breaches to my office. However, we have seen a significant disparity in the breach reporting practices of government institutions. For instance, last year, we noticed a 50 per cent reduction in the number of breaches reported, and we are in the process of inquiring into the causes of this by reaching out to government institutions.
We have also recommended to Parliament that the Privacy Act be amended to place a specific legal obligation on federal government institutions to report material privacy breaches to our office and to create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of the sensitivity of the data. In other words, we have recommended that federal public sector institutions be subject to the same legal obligations as companies and organizations under PIPEDA.
It should also be noted that there are extensive standards, directives and policies outlining requirements for government institutions on IT security as well as privacy. Despite these many rules, however, the reality is that limited resources across government can lead to hasty implementation of new systems without sufficient attention to technical and organizational safeguards. In the interests, if not the rush, of implementing new programs and initiatives, certain important safeguards required by rules are sometimes not adopted or are adopted very partially.
We know from recent reports that there are thousands of attacks each year on Government of Canada IT systems. Fortunately, organizations such as the Communications Security Establishment, or CSE, have been successful at thwarting the vast majority of these attacks. However, when breaches do occur as a result of insufficient safeguards, there can be very real impacts on privacy.
This is why my office, the Office of the Privacy Commissioner of Canada, has a role in this context along with the cybersecurity specialists. We at the OPC can contribute by ensuring that organizations implement both security and privacy by design so that risks to individuals are adequately mitigated, and encouraging them to be more transparent when things go wrong.
On another theme, when we are protecting cyberspace, the information that resides in it and the infrastructure on which it rests, we are, in part, protecting people’s personal information. This is why I want to emphasize that, in the context of data protection, the joint objectives of privacy and security are not at odds, although the relationship is not always a harmonious one.
In an environment where cyber-threats are a persistent and global occurrence and are increasingly sophisticated, there is clearly a need for the government and private sector to share information about vulnerable IT systems in a timely way. An example of this stems from the proposed amendments in Bill C-59, which call for CSE, the security establishment, to have a role in sharing cybersecurity information with other organizations. According to the proposed amendments, this information may include intercepted private communications, depending on the context of the sharing.
We understand that protecting cyberinfrastructure can require up-to-the-second monitoring of all activities on a network in order to detect anomalies and threats. In some cases, monitoring of this nature could involve the capture and analysis of massive amounts of personal information. We recognize that the collection of all this data is necessary to effectively monitor networks, but it is equally important to ensure that the retention, use and sharing of personal information is appropriately limited.
On yet another theme of partnerships, I would agree with the statements that the committee has heard about how to effectively address the challenges of cybersecurity, which include partnerships and education. Education is a key focus for our office under our PIPEDA mandate, and we are focusing our outreach efforts on small businesses, given the resource limitations for many of these companies.
The OPC has also been an active participant in the development of standards on cyber-related topics with the International Organization for Standardization, or ISO, specifically on topics such as identity and access management and codes of practice for protection of personal information generally, and one specifically for the use of public clouds. We continue to provide input into emerging ISO standards on de-identification, the Internet of Things, artificial intelligence and blockchain technology.
We also have a new privacy techno blog that tries to demystify cybersecurity and other information technology issues for the public. You would find these techno blogs on our website. Our most recent posts cover topics such as ransomware and virtual private networks, and upcoming posts help explain encryption and blockchain or distributed ledger technology.
In 2014, we produced a research paper on cybersecurity to generate dialogue on cybersecurity as an important element of online privacy protection. This year, my office is particularly interested in funding through our contributions program independent research or knowledge translation projects that aim to promote the development and adoption of privacy enhancing technologies.
In conclusion, Canadians expect a high level of protection and trust in our digital economy. Against that backdrop, it is imperative that cybersecurity specialists and data protection authorities like my office work even more closely together to improve the defences of our cyberinfrastructure and ensure privacy protection is a guiding principle in cybersecurity efforts.
Thank you for your attention. Along with my colleagues, I look forward to your questions.
Senator Moncion: My question is about Equifax, and you must have been expecting it. Last week, we met with the representatives of the Canadian Bankers Association. I asked them who was in charge of the relationship between Equifax and Canadian banks — for example, who was responsible for information. The Canadian Bankers Association seemed to be saying that private information belonged to Equifax, but I presumed that Canadian banks, financial institutions and Equifax are engaged in a relationship. The party that signed the agreement is responsible for privacy.
So I have two questions about Equifax. Let’s put things in context. We have recently heard on the news that Equifax shareholders or executives knew about a breach in March or May. Yet they waited several months to report it. In the days following the breach, they sold their shares to maximize revenue. A few months later, they announced the breach.
My second question is about the decision of when to announce a breach. When must a data breach be reported?
Mr. Therrien: We were expecting questions about Equifax. I hope that my answer will be useful, but I will start with an aspect that may be less useful.
We are currently investigating the complaints that have been filed with the commissioner’s office concerning the privacy breach in Equifax’s case. We have to investigate and reach findings following a legal process involving the company. I will not be able to give you much information on our assessment of that specific situation.
I will move from that question about Equifax to the situation in general. There are instances of privacy breaches and hacking. We hear those stories constantly, as that happens all too often. I will try to answer your questions about breaches in general. When it comes to the relationship between a company that is involved in a leak or loss of information and other companies, according to the Personal Information Protection and Electronic Documents Act, when a private Canadian company manages, collects and uses a consumer’s information and that company, as is usually the case, has a business relationship with other companies, the company that collects information must ensure that the information is managed in compliance with the legislation throughout the chain. That is the case when it comes to the relationship between the company the individual deals with directly and other companies, in what some refer to as an “ecosystem.”
As for how quickly businesses that get hacked or experience breaches should report them to their clients or the regulatory agency — in other words, us — it should clearly be done as quickly as possible. As quickly as possible does not necessarily mean the next day, as the company must assess the circumstances and the impact of the breach on its clients. We know that can take some time, but we are talking about days and not months.
An assessment has to be carried out, and that takes a few days. We expect the breach to be reported to us as quickly as possible when clients are likely to be affected.
Senator Moncion: How much time did it take for Equifax to report to you?
Mr. Therrien: According to the public facts, it took months.
Senator Wallin: I have two questions — troubling ones. In your comments, you stated that you recognize the collection of data is necessary to monitor the networks. It seems you are saying that the legislated protection may be actually worse than the crime or the problem in the first place, because then you start monitoring all the data and then that too becomes breachable. Is that what you were saying here? That it creates another access point?
Mr. Therrien: That was not my direct statement, but it could be a risk. I don’t think it’s the primary risk.
The phenomenon that I’m trying to describe is that for cyber-threats to be detected, addressed and remedied, there needs to be this ongoing monitoring, and there needs to be a fairly wide level of sharing and cooperation between various actors — government actors, companies — to know what’s happening on networks. That presupposes a lot of collection and a certain amount of sharing of information between players. That information may include private information and the content of certain communications. It’s obviously a topic of interest to privacy. That needs to happen to ensure that the network is safe. We know that.
What I’m saying around collection being fine but organizations and governments need to be careful about use and sharing is that when you collect for the purpose of monitoring and detecting threats, that’s fine, but don’t then use that authority to share for any and all purposes that have nothing to do with the purpose for which you have collected the information. That was really what I was talking about.
But as this information is collected and shared among a number of players, it may increase the risk that this information may be hacked. That is less a legal or legislative issue with respect to the private sector, although it may bleed into my recommendation on the public sector with the Privacy Act, but it certainly requires a high standard of information protection for all players in the system to ensure that they are not at risk of being hacked, knowing that this risk will never be eliminated and can only be managed and mitigated.
Senator Wallin: You also stated here that, last year, you noticed a 50 per cent reduction in the number of breaches reported and you’re into the process of inquiring into this. What’s your theory about what would cause that? It’s either incredibly new good technology or —
Mr. Therrien: Unlikely.
Senator Wallin: Exactly.
Mr. Therrien: We think it’s unlikely that the number of breaches has actually gone down. We’re not too sure why the number of breach reports has gone down.
One of the criteria in the Treasury Board policy that requires reporting to the office speaks to the breach being “material,” so maybe departments are applying a new definition of what is “material.” That may well be the case, but it is very unlikely that the situation is becoming better in terms of vulnerability.
Senator Wallin: Then we have to conclude it means they aren’t being reported because definitions might have changed.
Mr. Therrien: That’s a likely answer, but we’re investigating with the departments.
Senator Massicotte: I want to thank you, Mr. Therrien, and your colleagues for joining us this morning. This topic is of great interest to Canadians. I am one of the people who are worried about our personal information being hacked.
I feel that there is not much we, as Canadians, can do. It is not illegal, and no one will go to prison for hacking. We are not sure whether personal action can be taken against people whom we trusted by sending them information. It’s true that we sign a lot of forms and that those signatures authorize organizations — banks among others — to share information, such as credit ratings, with others.
Although I know that you make good recommendations on the way to report information in the case of privacy breaches, it appears that we are going nowhere. The procedure is long, and if we compare the situation with that in the United States, we don’t hear much about those cases. As consumers, we don’t feel that recourse is available to us. Am I wrong? Is there something we can do — for example, initiate a personal lawsuit? It would appear that, when such cases arise, we don’t talk about them, and that frustrates us.
Mr. Therrien: When it comes to criminal charges, I am not an expert in the area, but I think that criminal offences do exist. Do we have the necessary evidence? Are police resources available to investigate those crimes? I cannot answer those questions. However, I will address your question about civil remedies, especially concerning the company people deal with that has been hacked.
The company is a victim of hacking. It is a victim, but it has a legal obligation to take adequate measures to protect information. What happens if the company is not meeting that obligation? As things currently stand, the individual can submit a complaint to the commissioner’s office, and we can investigate. That has been done in some cases, with Ashley Madison being a recent example.
That system does have some benefits for society in general. For example, the investigation of Ashley Madison led to the realization that the company’s security measures were deficient. We think that exists elsewhere, and we have been able to provide information to many other companies, in a number of other sectors, regarding what we have learned in the Ashley Madison case. There are some concrete benefits for the current system.
That said, what is missing is the possibility for individuals to take civil action against the company if it has failed to take adequate measures to protect its clients’ information. That is one of the reasons our September 2017 annual report recommends that PIPEDA be amended to give the commissioner the power to make orders — as is the case in a number of other countries, such as the United States, some European countries and others — and the power to impose substantial fines for the legal violation. To me, that is a significant deficiency.
Senator Massicotte: I will go to your example to make sure I understand.
If I give the bank typical financial services information — and there are not that many banks in Canada — that information for which I probably gave my consent has been shared with Equifax, since the bank shares a lot of information with that company. As you know, Equifax was the target of hacking, and a lot of information was affected, as were 10,000 Canadians and hundreds of thousands of people elsewhere, whose information became public for those who hacked the website.
Before sending the information to Equifax, did the Canadian bank have the responsibility to make sure that Equifax’s computer system provided high-level security to ensure that personal information was shared in a secure manner? Did the bank have that kind of a responsibility? Or did the bank rather just take into account measures related to its own banking needs, and share the information as if that was normal and as if there was no reason to perform further checks to ensure there was no risk of information leaks for Equifax?
Mr. Therrien: Once again, I cannot talk about the Equifax situation, since the investigation is ongoing.
However, I can answer your question by talking about general relationships among companies that collect consumer information.
As I was saying, there are deficiencies in the current legislation, such as the fact that we cannot order companies to raise their security level and cannot impose fines. There are presumably remedies under common law or the Civil Code, but there is no private recourse for individuals who want to take action against the offending companies.
I think that a complete system would make it possible to file a complaint with the Privacy Commissioner of Canada, as is currently the case, but the commissioner would also have the power to issue orders and impose fines. Finally, Canadians could use a direct right if they felt that the companies they are dealing with were failing to meet their obligations.
The goal of those various remedies is not to punish, but rather to ensure that the consequences lead to adequate compensation and, more importantly, to ensure that the companies in question take the situation seriously. It is problematic that there are no monetary consequences for the companies — aside from the loss of clientele, which is a real and very tangible consequence — or legal repercussions under specific remedies. I am not saying that banks and companies are not taking some measures, but I think that potentially being subject to legal proceedings that could lead to significant fines would make corporate leaders give the issue special attention, including by ensuring that their legal risks remain at an appropriate level.
Senator Tkachuk: Could you just help me with where the responsibility lies? I used my credit card when I went to visit my family in the States. It was maybe a week or two later that I got a phone call on my cell at night, and someone was using my credit card at a 7-Eleven in Florida. They are taking out small bits, $20, $20. “Are you in Florida?” “No, I am not.” We have a problem. I never find out anything further from that. I don’t know what company gave out my card information. I don’t know what happened to the investigation. I don’t know who the person is who was using my card. It is just like a door is shut. The only thing you know is that VISA compensates you because they are insured for it. This was small amounts. They were taking out $20 apiece, at a time, so I think it added up to $60 or $80 or something over a couple of days. But, if it were large amounts, shouldn’t I be able to sue people who don’t take care of my information? Shouldn’t I, as a consumer, be able to sue those people, and shouldn’t I also know who released information from me? We have all the big companies doing it, but I give out my credit card to the pizza guy. Is there a way for us, as citizens, to impart damage to people who actually don’t look after our information, which is their responsibility?
Mr. Therrien: I think this gets into the territory where I answered Senator Massicotte, but, to be clear, we haven’t investigated these situations exactly. To your question, should you, as a citizen, be able to sue a company that has not taken proper precautions with your information, my answer is yes. There are improvements to be made in Canadian law to that effect in terms of order making and fines for my office, but also a private right of action that citizens could exercise directly. In your example, there may be a number of actors out there who have not taken care of your information properly.
Senator Tkachuk: Obviously.
Mr. Therrien: The bank, in your example, appears to have assumed their financial responsibility, and they have made you whole, but there may be others who are involved. My answer would deal with that. There should be a right of action against any and all companies that had an obligation to secure your information properly. I think that, in your example, the bank treated you properly, but there may be other actors involved in this situation.
Senator Tkachuk: I may go to that same restaurant again that I went to last time that released the information, but I don’t know who that person is.
Mr. Therrien: I am getting to that.
Senator Tkachuk: Okay.
Mr. Therrien: That is more directly related to a privacy issue. Here, the law currently gives you a right of access to personal information held by a company about you. You have a right to ask for that information. There may be exemptions along the lines of law enforcement and so on, which may apply and limit the amount of information you would receive, but, in principle, you have a right of access to information held by a company about you. Through that mechanism, you may be — I’m not going to say you will be, but you may be — able to obtain some of the information you are seeking.
Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis Branch, Office of the Privacy Commissioner of Canada: I would add that the question you asked raises the whole spectre of identification theft. We have long said that the issue of ID theft is a collective issue that engages not only the Privacy Commissioner’s office but law enforcement. There are many actors and many players. For many years, we have called for a coordinated strategy to combat ID theft, which, as I said, exceeds the four corners of the Privacy Commissioner’s office, but we certainly need to collaborate and engage with law enforcement and the other actors that could attend to some of these issues, particularly if the issue and the situations are at the individual level and not necessarily with organizations involved. Then, there is even less recourse if the identity theft was at the individual-to-individual level. So it’s a very big question, which involves many actors.
Senator Wetston: When I hear this discussion, I kind of long for the good old days.
Senator Tkachuk: Cash is still king, right?
Senator Wetston: Cash is king. It’s the CIF method, cash in your fist.
Thank you for coming here today. I want to ask you a bit about the Internet, where it is going and your role in managing privacy issues. From my perspective, the Internet was never designed with security or privacy concerns in mind. It was designed for a completely different purpose. But we know what its purpose is today.
You might agree with me that today, data is an asset. It is a commodity today. It is sold. Access to it has important commercial reasons and not just the typical hacking annoyance kind of issues that we hear about. The result is that it is an interface of a lot of challenging issues for businesses, governments and individuals, so it is kind of messy.
When I look at the policy framework — we have heard from a number of government officials — it is kind of messy because there are a lot of interrelationships required and a lot of coordination. I have come to the conclusion it is messy because the world is kind of a messy place. You might agree with me there, given your comments.
Having said that, how do you view your role? I understand your responsibilities, obviously, but how do you view your role? How do you look at this issue? Do you look at it as a risk issue or a crisis issue or a privacy issue? I see from some of the work you are doing it is not just that, obviously, and I have noted your submissions to Public Safety Canada when you are talking about these issues. Can you help me with that, please?
Mr. Therrien: I will try.
Yes, data is an asset with huge financial value. You only need to look at the big 10 companies in the New York Stock Exchange to know that that is the case. Some of this data is personal information that deserves privacy protection. Many people are interested in data for commercial reasons but also for very good public policy purposes such as health, research and so on.
The situation is probably messy today. There are a number of laws, few of which are very effective in addressing the concerns. There are certain issues that are not really the subject of laws, cybersecurity per se being one of them. How do we address that? Of the possibilities you put before me, the one I am more comfortable with would probably be that it is a multifaceted risk, of which privacy is one but not the only one.
In larger terms, the Internet and the digital economy are obviously the way of the future. Our economic growth depends on it. There are many advantages for individuals as consumers, as citizens, in the development of the Internet. Overall, I think the digital revolution is a good thing. But it creates many risks, of which privacy is one.
The way I see my role and responsibilities, beyond enforcing the four corners of the laws that we must enforce, is to ensure that the sum total of privacy laws and practices by companies and departments and the behaviour of individuals is such as to allow us all to benefit from the many advantages of the Internet, while minimizing to the maximum possible privacy and other risks.
Senator Wetston: I hear what you are saying. It is hard to disagree with your point, obviously. It seems to me that you are saying privacy concerns are potentially manageable, but they are certainly not solvable.
I want to ask you about what instruments you feel will assist your role and responsibilities because, as an institution responsible for this, you need to have the appropriate tools to do your job. What I am hearing you say is that you are lacking administrative sanctions to be able to achieve aspects of your roles and responsibilities, which I would not disagree with at all. If you have the responsibility, you need to have the tools to be able to implement and do your job. Tell me what instruments you have presently that seem to be working and tell me what you need. I think you have already indicated that administrative penalties would be an instrument that would be of benefit in the discharge of your responsibilities.
Mr. Therrien: One way to answer your question would be to direct you to our annual report of September of this year and the ultimate conclusion of our review of the consent issue; that is, to what extent is consent effective in protecting privacy in Canada.
At the core of that report, we said that consent remains a very important and primary tool for privacy protection because it allows for personal autonomy. People can consent or not to certain things. That is important. However, consent must be assisted by many other things, primarily — but not only — an independent regulator. In other words, it is my office but also provincial equivalents or other federal bodies that have a role in privacy, such as the CRTC, regulators that are sufficiently resourced and have the tools to inform citizens of the risks, guide companies and organizations on their obligations and sanction illegal conduct. Where we are lacking in Canada today is in the latter, for sure. The sanctions are not commensurate with the risks to privacy and other rights, as you have indicated in your question.
Personal information is data, and it is data from which huge profits can be derived. That means there is a huge interest in mining the data. If so, the consequences for acting improperly, illegally, should be commensurate with the potential advantages for actors in mining the data. That is one of the reasons why we are asking for order-making and fining powers.
Senator Wetston: The incentives are obvious. That is the point I think you are making.
Mr. Therrien: Yes.
Senator Ringuette: This is along the same line of questioning. When you say that you receive complaints and you investigate, in the example of Equifax, for instance, your investigation is limited to the Canadian jurisdiction. Therefore, your report is limited to the Canadian jurisdiction.
A few weeks ago, we had the special unit from the RCMP that talked about Equifax being the victims from their perspective. I suspect that from your complaint mechanism, individual people would be the victims.
Mr. Therrien: Yes.
Senator Ringuette: How much sharing of information happens between your office and the RCMP special unit with respect to the kinds of investigations that you do?
Mr. Therrien: I will start with your comment that our investigation is limited to Canada.
First, our investigation is limited, like all of our investigations, to the fact that we cannot make orders and we can only make recommendations to the company.
Second, is it limited to Canada? Strictly speaking, yes, but not totally. As you know, data moves across borders. There have been complaints against Equifax not only in Canada but obviously in the U.S., the U.K. and I think in other countries as well. That is a function of the fact that data moves across borders.
The OPC only has jurisdiction vis-à-vis Canada, but because of the fact that data moves across borders, there are equivalents in other countries with which we do share information to ensure that, as a whole, the behaviours that may not be privacy protected are addressed, each within our jurisdiction but also collectively in a global manner. That doesn’t work perfectly, but it works to a large extent.
Within Canada, sharing with law enforcement agencies like the RCMP is subject to limitations, the first one being that our statute says that the information we receive in the course of our investigations is confidential as between us, the complainant and the respondent, in this case Equifax. The reason for this is that we want the organizations we are investigating under PIPEDA, or the departments we are investigating under the Privacy Act, to cooperate with us and not to think that because they give us sensitive information as to their practices, that it will automatically become public. The rule is confidentiality, but the exception is publicity, if I am of the view in a given case that the disclosure of the information to the public is in the public interest. That is the scheme we have. Based on that, the sharing of information with bodies like the RCMP is limited.
Another exception to confidentiality is a provision of PIPEDA, section 20(5), which allows me to share information with the Attorney General in certain cases. However, the rule is confidentiality. As a result, the sharing with the RCMP is rare, but there are exceptions.
Senator Ringuette: I was somewhat surprised that an organization like yours, whose main purpose is to receive complaints with respect to privacy issues — you indicated in your presentation that you finance some research projects. I am surprised that it is in your mandate.
Mr. Therrien: We have a limited fund of $500,000.
Senator Ringuette: But is it in your mandate?
Mr. Therrien: Yes. It is in our statutory mandate, and it derives from our mandate to educate the public, in part through this contribution program. The essential reason is that privacy rights are not well known. We want the population — not only citizens, but also companies and organizations — to better know their privacy rights or obligations. One of the ways in which we achieve that is through our contribution program to develop knowledge and to share that knowledge.
Senator Ringuette: But not to develop security programs?
Mr. Therrien: No, not at all.
Senator Black: We understand there is an ongoing cross-government initiative to deal with the issues of cybersecurity. Are you involved with that?
Ms. Kosseim: Could you be more specific in terms of the program?
Senator Black: I am only repeating what we’ve heard here. I understand that various agencies of government are currently coordinating their efforts to develop a national cybersecurity strategy for Canada. Is your agency involved in those conversations?
Mr. Therrien: Not at the level of participating fully in the development of strategies, because we are an independent agent of Parliament, independent from the executive. Our involvement in the development of policies at the government level is limited by that fact. However, at the working level, we have some exchange of information, which Steven may wish to speak to.
Steven Johnston, Senior IT Research Analyst, Office of the Privacy Commissioner of Canada: Senator, I am aware that there is an ongoing effort to revisit and update the cybersecurity strategy that was issued a number of years ago. Our office has made submissions for revisiting both the national security strategy and the related cybersecurity strategy. However, as a general rule, we don’t participate directly in those deliberations.
Senator Black: Should you be part of that conversation?
Mr. Therrien: I don’t think fully, because of our status as an agent of Parliament. We found that the optimal way for us to know the factors that are considered by the executive branch in developing these policies so as to provide value — we have made a submission here. That is one way. Is it perfect? No. I don’t think it should reach the stage where we should participate in government policy-making because of the relationship between us, as an agent of Parliament, and the executive branch. It is an area that might require a bit of thinking through as to finding the optimal way of doing that, but I don’t think that fully participating would be appropriate.
Senator Black: I would urge you to find a way to input, because what you are telling us is extremely important, and Canadians expect their privacy to be protected. Most folks, including government agencies, don’t fully understand the balance between security and privacy. My suggestion would be that part of your mandate is to ensure that any cross-government initiative considers your point of view.
Mr. Therrien: Yes. It is certainly with that in mind that we made the submission. We can give you a copy of the submission, if you are interested.
Senator Black: No, that’s fine.
Mr. Therrien: We will certainly reflect on that.
Senator Enverga: Thank you for being here today. Has your privacy office been involved in investigations that involve state-sponsored threats? Have you seen those things happening?
Senator Tkachuk: Do you want to clarify that, Senator Enverga?
Senator Enverga: It is more like a state-sponsored cyber-threat on privacy. Have you run into that type of thing?
Mr. Therrien: The question is in the context of investigations. As I have stated, investigations are confidential, so I cannot go into what we have found in terms of the details. I will leave it at that.
I think the involvement of foreign powers is best addressed by organizations like the Communications Security Establishment. They are the experts in that area. It is certainly possible that a breach that would lead to a complaint to us might have as an origin the actions of a foreign state. That is conceivable. However, the first line of defence to this would be the CSE, the Communications Security Establishment.
Senator Enverga: Recently a Chinese company bought Norsat, a satellite company. Have you been involved with those investigations at all?
Mr. Therrien: No, in large part because of this division between the executive branch and our office as an agent of Parliament.
Senator Day: Mr. Therrien, I am interested in your comments with respect to your role in the International Organization for Standardization. Do ISO standards get adopted into Canadian law through reference? Can you explain that process to us?
Mr. Therrien: Yes. I will ask Ms. Kosseim to answer first, and perhaps Steven Johnston can add to this.
Ms. Kosseim: For a number of years, we’ve invested office resources, in the form of Steven, and I will ask Mr. Johnston to answer more directly in the form of his involvement in ISO working groups, as a Canadian delegate that contributes to the standard that is eventually adopted.
Steve, could you elaborate on the process?
Mr. Johnston: Certainly.
Once an ISO standard has been published, once the drafting is finished and everybody agrees that it’s ready to be published, it can be adopted by the national bodies of the countries that participate in the standards development process. That is done here in Canada through organizations such as the Standards Council of Canada and the Canadian Standards Association. Those standards then become Canadian national standards.
Whether or not they’re adopted into law, the only one that I’m aware of was the Canadian Standards Association principles that form Schedule 1 of the Personal Information Protection and Electronic Documents Act. That’s the only occasion I’m aware of where a national standard has been written into law specifically.
Having said that, we do encourage organizations to look to ISO standards, among others, as examples of good practice. We do use them as a framework when we’re investigating breaches that involve a failing in security.
I hope that answers your question.
Senator Day: Just to finish that one, you did make reference to topics such as “identity management” as one of the ISO standards. I can see how that could be an important source of information and guidance.
Mr. Johnston: Yes, the working group that I have been most active in has responsibility for developing standards in the area of identity management. There are several that have been adopted internationally and are in the process of working their way into national standards. Treasury Board is aware of that work and has been taking that into account when developing government standards and policies.
Mr. Therrien: To add to what Mr. Johnston has said, as an office and personally through Steven, we have participated in a number of working groups under the ISO, so we have direct involvement in the development of some of these standards. How then they become real in Canada will depend. Some of these standards will lead to codes of best practices, as was mentioned.
One of the virtues of the private-sector privacy law in Canada, PIPEDA, is that it sets general standards. For instance, with respect to security, the standard is general. Companies and organizations must adopt adequate or appropriate standards of security to the sensitivity of the information. An ISO standard could then be read into a general norm like this to say an adequate standard, statutory language, would be informed by technical standards such as those developed by ISO.
Senator Day: Thank you. That’s helpful.
The other question I wanted to ask is in relation to the mandatory breach reporting requirement. You made reference to the Digital Privacy Act passed a couple of years ago, and you said in your comments that regulations for the private sector were “not as extensive as we would have hoped,” and you pointed out a couple of areas where you feel more could be done. Did you make a submission to government and is that available?
Mr. Therrien: Yes, it’s on our website and we can make it available to the committee directly.
Senator Tannas: Thank you for being here today.
I have a couple of questions around your organization. Commissioner, how many employees do you have in total in the commission, and how many are specifically focused on this area of cybersecurity, breaches, investigations and so on?
Mr. Therrien: We have approximately 180 employees.
It’s very difficult to say how many people are working on cybersecurity issues per se because we’re divided along the lines of investigative branches. Then there’s the policy and technological branch that Ms. Kosseim heads. A cybersecurity issue may arise in the form of primarily a breach report, either from the private sector or the public sector, so that would be individuals working in investigative branches.
We have a handful of people involved in this. Essentially there are many privacy issues. Breaches of privacy is an important aspect of privacy protection, but it is not the only one, and we’re short of resources generally, so we have a handful of people.
How many in your branch?
Brent Homan, Director General, Personal Information Protection and Electronic Documents Act Investigations Branch, Office of the Privacy Commissioner of Canada: In the branch, for investigators, around 20 to 25. With respect to breaches, we have a dedicated unit to receive the breaches, and it’s staffed by around two and a half or three individuals. That said, those are the people that catch the breaches and do the preliminary assessment, and to action them it would involve working with analysts such as Steve and as well with the legal branch. When we engage on a breach action, that then engages more resources, analysts and lawyers within the organization.
Mr. Therrien: There is a handful of investigators, plus from time to time, when we’re called upon to make submissions, participate in working groups and so on, people at the policy level, it is difficult to quantify, but certainly fewer than 10 overall.
Senator Tannas: So here it comes: Do you feel you have sufficient resources to fulfill your mandate and to do everything necessary to protect or ensure the protection of Canadians’ privacy?
Mr. Therrien: The short answer is no. A big reason why we think we would add more value if we had more people is that we receive hundreds of breach reports, for instance, and we only investigate a minuscule part of them, which means that we are unable to identify systemic issues or threats. The idea of having more resources would be to have a better handle on the environment. We have an okay handle on the environment. We could have a much better, more nuanced handle on the environment to give more helpful advice and mitigate threats.
Senator Tannas: Thank you.
Mr. Homan: The environment the commissioner refers to is getting more challenging and complex, not necessarily just with respect to the nature of the breaches but with mandatory breach reporting coming into effect, once it was announced, basically the breach reports that we did receive doubled from 2012-13 to these days. And that’s before even mandatory breach reporting comes into effect.
If our experience is anything like some of our provincial counterparts, such as Alberta, and I suspect there is no reason it wouldn’t be, once mandatory breach reporting came into effect in their jurisdiction, I believe they realized a 200 per cent increase in terms of the number of reports they received. We anticipate even greater volumes in already stretched resources.
Mr. Therrien: The last point on this is that when Bill S-4 was adopted, we received no resources to handle these breach reports. The resources we’re devoting to this issue had been identified through internal reallocation of resources, but we have received an important new responsibility with no additional resource for this issue.
Senator Moncion: My question pertains to the privacy act. It has two parts. First, a lot of people disclose personal information when they go into stores. They often give out their address, telephone number and postal code. There is the issue of the security of the information that people voluntarily give out when they go shopping. In my opinion, people do not think about the potential breaches of confidentiality involving their personal information. People do not necessarily give out their date of birth or social insurance number, but there is nonetheless an expectation of a level of security that is certainly lower than what financial institutions provide. What are the rules surrounding information that is voluntarily given out in stores, and what right do businesses have to request that information?
My second question pertains to personal information, this time as regards financial institutions. I worked in that sector for many years and, when the privacy act came into force, a problem arose regarding the security of that information. Financial institutions are required to preserve client confidentiality, even if they know that one or some of their clients do things that are not always legal. They cannot disclose that information. It came to the point that we found the privacy act much too restrictive in this regard.
I would like to hear your opinion on what I experienced, not in everyday situations, but when the police came to see us to investigate a case. We were not able to disclose information. There were also cases that we knew should have been investigated, but we could not do anything.
Mr. Therrien: There is no difference between stores and financial institutions as to their legal obligations under the PIPEDA. The act does not distinguish between sectors of commercial activity, between banks or any other commercial activity. Legally speaking, stores are subject to the same obligations.
As to your question about people being able to access the information held by those companies, the answer is yes.
Turning to the question about disclosure to the police for the purpose of fraud detection, I would say that stores certainly have the same obligations, but there are different sizes of organizations. Large organizations, although they have implemented measures that are not perfect, generally offer better protection than small organizations. I will ask my colleague, Brent Homan, who has discussed these various matters at length with SMEs, to complete the answer.
Mr. Homan: With respect to SMEs, small- and medium-sized enterprises, we’ve found that they’re specifically vulnerable when it comes to security fraud because they often are not aware of their privacy obligations. We’ve actually worked to conduct outreach with this specific group of organizations to make them aware of not only their privacy obligations but some of the steps they can take to augment their security safeguard infrastructures. For some of them, that can be very low tech — just being aware of threats that might be within their own business or sector and knowing that if one of their sector partners is attacked or vulnerable to a certain security safeguard breach, they might be the next ones. Part of it is just talking with SMEs and letting them know they also have an obligation and risks.
It could be as simple and low tech as ensuring that documents and filing cabinets are locked, that data is kept on secure systems and that encryption is used. They may not necessarily need to have, or even have the finances to have, a full IT department if they are one- or two-individual operations, but they certainly have the means to take certain precautions to ensure the information they hold and share is safe. Some of it is taking a look through an inventory on an interim basis to ensure that what information they have is still needed. If they don’t need it, get rid of it, or if they feel they need it for a certain purpose, figure out when they will get rid of it.
These are the types of lessons we’ve been focusing on getting out to small businesses over the last year and a half in terms of a concerted effort, because we did identify them as a specific group in need of such education and outreach.
Mr. Therrien: As to disclosure by companies, there are provisions in the act that allow this for the purpose of detecting crime or fraud, regardless of the company involved. I know some companies find them too restrictive. I will ask Ms. Kosseim to describe the provisions in question.
Ms. Kosseim: There are three parts. First, as to the ability of banks or other organizations to share information among themselves for the purpose of sharing information or facts or circumstances to detect fraud, there are new provisions that now allow this, absent consent under certain conditions, pursuant to the amendments to Bill S-4 that were passed. In this regard, we have issued guidelines that recommend a common sense approach on the whole, given that organizations do have to share information to a reasonable extent and comply with the conditions set out in the act.
Secondly, there is information sharing with police forces when they request it or when they want to share information themselves. When police request information from banks or other institutions, whether organizations, stores or telecommunications companies, the Supreme Court set out very clear conditions in R. v. Spencer: there are exigent circumstances under which police forces can request that personal information absent consent, reasonable legislation that would authorize this or when the data does not create a reasonable expectation of privacy. This is where the Supreme Court left a grey area for interpretation.
As to companies that want to share the information they detect with police forces, when they perceive or suspect a problem or potential crime, the Supreme Court has left the door open to sharing on a voluntary basis. There is an immunity provision that allows for this under certain conditions, while still complying with the circumstances set out by the Supreme Court in the Spencer decision, but there must not be any collusion with police forces and this must not be done systematically without the organization giving thought to it. There is in fact a decision by the Quebec Court of Appeal, which found that the systematic sharing of information with police forces — not in specific cases, but in specific cases — violated the Charter.
Senator Ringuette: Can you tell me roughly how many complaints you have received and how many investigations you have conducted?
Mr. Therrien: I will ask Mr. Homan to provide the details. We receive about 3,000 complaints a year from the private and public sectors. Almost all of them are resolved using early conflict resolution mechanisms, among other methods. Nonetheless, we are not able to investigate every complaint filed.
Mr. Homan: In terms of complaints, we received approximately 150. That does not include breaches. In terms of notices of breaches, there are between 90 and 95.
Mr. Therrien: For the private sector.
Mr. Homan: For the private sector only.
Senator Ringuette: Let us start with the private sector.
Mr. Therrien: There are a few hundred complaints.
Senator Ringuette: You said about 150?
Mr. Homan: I said 150 complaints.
Senator Ringuette: How many of those 150 complaints have been investigated?
Mr. Homan: There are different types of investigations. There are formal ones and informal ones. There were about 80 investigations.
Mr. Therrien: Formal ones.
Mr. Homan: Formal.
Mr. Therrien: As much as possible, we try to resolve cases quickly, when the dispute between the complainant and the company is not a major one. We are able to resolve about half the complaints in that way; we conduct formal investigations for the other half.
Senator Ringuette: Can you give us an example of the type of resolution you reach when there is a complaint involving a private company?
Mr. Therrien: Do you mean rapid resolution?
Senator Ringuette: Yes.
Mr. Therrien: Mr. Homan will complete my answer. In some cases, the complaint is not entirely founded. In that case, we would contact the complainant. Or there might be an obvious breach and the company might not have given much thought to the matter. When we point out that their actions were not appropriate in terms of privacy, the company agrees to comply quickly.
Mr. Homan: We often conduct mediation between the organization and the complainant. If the problem is not systemic or if the problem entails a major risk, that is an opportunity to resolve the complaint without mobilizing a lot of resources.
Mr. Therrien: That being said, to get back to cyber security and technology, with advances in technology, the complaints we receive increasingly raise complex technology issues. In those cases, quick resolution is certainly not an option. We need investigators as well as technology specialists to help the investigators.
Senator Wetston: As you could tell from my previous question, I have the particular point of view that the Internet and digitization is rapidly becoming the 21st century crime scene, and I question whether or not we’re ready to deal with it.
Mr. Therrien: Did you say “currency”?
Senator Wetston: Crime scene, or the new juvenile delinquency, depending on the approach you’re taking. Just your point of view with respect to your work at the commission, who is more vulnerable, from your perspective, the government to data privacy breaches or the private sector to data privacy breaches?
Mr. Therrien: I don’t think it’s possible to say. They’re both at high risk, government because it obviously holds a massive amount of very sensitive and personal information about taxpayers, people who receive health care, all kinds of very sensitive information; and companies because they also hold a massive amount of personal information about communications, personal interests and so on. I think the level of risk is high both for the public sector and the private sector.
Senator Wetston: I’m wondering from a privacy perspective. We have heard from officials, and it’s the state of readiness that I’m thinking about. To understand it, I know it’s a difficult question to answer, but I think it’s really important given the opportunities that exist and the protections that are required for the public, whether it’s commercial data breaches, criminal data breaches or hacking of the sort that we’ve talked about. It may be difficult for you to give us your opinion on that, but it seems to me that we have some reporting. I think, for example, Alberta has mandatory breach reporting as opposed to what we see federally. I’m wondering a little bit about whether or not those kinds of requirements are of some assistance in being able to at least address the issue of vulnerabilities.
Mr. Therrien: Yes, the experience of other jurisdictions — Alberta, among others — is useful.
In terms of the state of readiness issue, I would say that government and large companies are in more of a similar situation because they are large organizations that have the resources to manage these issues. Smaller organizations do not have the same level of readiness. That being said, large organizations have large holdings of information that are particularly interesting to sophisticated hackers. It’s very difficult to say.
Senator Tkachuk: I have a couple of questions. How do we deal with operating systems like Apple and Windows? They have what they call the cloud. I’m not sure if people know exactly where all their information is going, but it’s obviously going to a central source. Apple would have everything I have on my computer, basically, so I can access it with another computer somewhere else. That’s a heck of a lot of information. They have everything I have on my computer. How do we secure security with systems like that? What responsibility do they have? People can now access a central source and basically pick up information from everyone.
Mr. Therrien: The fact that governments or extremely large corporations hold a massive amount of information, if not all of our personal information, is certainly of concern from a privacy perspective because —
Senator Tkachuk: Apple holds it.
Mr. Therrien: — they know us more than we know ourselves. From a privacy perspective, it’s a huge concern.
From a security perspective, the fact that there is the “cloud,” where information is housed on networks that may certainly be outside Canada and some inside, where there is a central repository, is not necessarily a bad thing because these huge companies know their business and usually have better security systems than smaller companies. From a security perspective, I’m not saying the cloud is not a problem, but usually the companies that are involved in that area have better security safeguards than smaller organizations. From a privacy perspective, from the perspective that I explained, these companies know everything about us, and that is a huge concern.
Senator Massicotte: Your predecessor, I believe, warned this committee a couple of years ago that Canadians share the most amount of private information on social networks and are the most exposed. In other words, we’re more trusting than other nations. Is that good or bad? I presume that increases the risk of identity theft and so on. How do you deal with that?
Mr. Therrien: On social media?
Senator Massicotte: Yes.
Mr. Therrien: It continues to be the case that Canadians use the Internet more than most other citizens around the world. I don’t know if we are still number one, but we are among the biggest users.
In terms of social media, we are trying to put certain guidance and some tips on our website on how to protect your personal information. People are very trusting and, by and large, have the sense that when they use social media, the information is limited to a known circle. Well, check your privacy settings, because that may not be the case. Maybe this information is getting to many people to whom you don’t think it is going.
That is where public education is very important. Social media is a modern, useful and fun way for some people to communicate. I understand that, but it creates risks. Our responsibility, in large part, is to try to educate the public in the best way we can, and our most important tool is our website, which people can look at. We don’t have any money for publicity, for instance, but in terms of resources we think we have a great tool in our website. But are people coming to it to get the information that they want? We don’t have any money for publicity. That might be something that would be useful.
Senator Tkachuk: So if I become a Neanderthal and say that I no longer want that information on the cloud and instead I just want to use a backup that I unplug at the end of the day, how do I know that Apple will remove the data that they have acquired on me?
Senator Massicotte: When you delete it.
Senator Tkachuk: When I say, “I no longer want to take part in this,” and I will no longer use the Apple cloud or the Windows cloud but will use a data backup instead, how do I know that Apple or Windows will get rid of the information that they acquired from me?
Mr. Therrien: That is a huge issue. The easy, first answer is that the law provides that organizations can only retain information as long as it is needed, and if consent is no longer given by the individual, they should no longer hold it. But during the time they had it, they may have shared it with many other people.
Senator Tkachuk: That is the scary thing.
Thank you very much. This was a very informative session.