The head of a financial services company that suffered a major leak of data on 2.7 million of its clients wants governments to work with businesses and ordinary Canadians to find new, more effective ways to protect personal information.
Desjardins Group president and chief executive Guy Cormier told an emergency meeting of the Parliamentary committee on public safety and national security that current ways of preventing leaks, such as third-party monitoring of transactions, are inadequate. He called for a committee of government, businesses, financial institutions and citizens to study best practices around the world and recommend changes to laws that would ensure public protection and make Canada a leader in the management of personal identity.
“I think the status quo isn’t an option,” he said.
In Monday’s meeting, called after Conservative Leader Andrew Scheer asked Tories on the committee to contact the other members to discuss the data breach, the committee also heard from the Royal Canadian Mounted Police and others.
The breach, which came to light last month, included names, addresses, birthdates and social-insurance numbers, and affected individuals and about 173,000 businesses – mostly in Quebec, said Denis Berthiaume, senior executive vice-president and chief operating officer at Desjardins. Mr. Berthiaume said the data of both current and former clients were leaked, adding that affected clients received a letter from Desjardins. He said there is no conclusive data on why the information of some people but not others was leaked.
Mr. Cormier said an employee who broke company rules for data protection was behind the breach, and has been fired.
He said the emergency meeting was premature, noting that police are still investigating and that Desjardins is still taking steps to protect its clients. He said he agreed to participate because it was a good opportunity to raise awareness about protecting personal data.
“We believe that people – elected officials – are becoming more aware of this matter and we wanted to contribute our perspective,” he said.
John McKay, the Liberal chair of the committee, told The Globe and Mail he would have preferred for committee members to have asked the Quebec-based financial institution more “tough-minded” questions about the leak. He said the committee isn’t much further ahead on understanding how it occurred and what the consequences are.
Mr. Cormier said Desjardins will offer permanent data protection to all members. Desjardins also committed $50,000 each for clients affected by identity theft, and will offer legal assistance, so rather than clients calling numerous government agencies to resolve the situation, Desjardins will walk them through the process.
Mr. Scheer called on the committee to examine whether issuing new social-insurance numbers would protect those whose data were leaked.
But Elise Boisjoly, assistant deputy minister at Employment and Social Development Canada, said assigning new SINs would not solve the problem. She said the old SIN would still exist and fraudsters could use it to take out loans.
Ms. Boisjoly also said a SIN can’t be cancelled like a credit card. She said it’s used as identifier for multiple organizations, such as employers and government services, and no ID system can update everything. She said the updating has been done manually in a few cases, but error is always a risk.
Mr. McKay said he’s concerned for public officials whose data were leaked. He said private information could be used to bribe a police officer to drop a charge, or an elected official to vote a certain way.
Mr. Cormier said Desjardins has launched the first part of its protection plan, but is still determining ways to protect those who are uniquely vulnerable.
“We are looking right now if there’s some more sensitive people,” Mr. Cormier said.