The Conservative government’s proposed legal measures to make it easier for police to catch identity thieves are welcome – but far more needs to be done, says a legal expert.
Draft amendments to the Criminal Code introduced by the Federal government, yesterday would – if passed – make it illegal to obtain, possess or sell other people’s identity information with the intention of committing fraud a crime.
Under existing legislation, a suspect must have committed – or be in the act of committing – fraud before charges can be laid.
While these legal initiatives may serve as some sort of a deterrent, they are only one piece of a much larger puzzle.
Several other steps need to be taken if the ID theft issue is to be effectively licked, says one public interest advocate.
“It’s not enough to make these activities criminal”, said Philippa Lawson, Director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa’s Faculty of Law.
She suggested other “equally important” measures such as: offering incentives (positive and negative) to companies and governments to ensure they are more security conscious, empowering individuals so they can more effectively protect themselves, enforcing data protection laws, and assisting victims recover their financial reputations.
Lawson is lead investigator on an ID theft research project funded by the Ontario Research Network on Electronic Commerce (ORNEC)
She rued that in Canada we have very little data on the extent of the problem, and the incidence of various types of ID theft, but noted that “a lot of information [subsequently used in ID theft crimes] is being accessed from computer databases.”
Today ID thieves today are using the Internet to advantage, the CIPPIC director noted. “You can go online and find stolen credit card numbers; and there’s also a lot of online trafficking of stolen data.”
Noting that the situation is getting graver, she said companies and government organizations “need to take steps to prevent the kinds of data breaches we’re seeing week after week.”
Many such breaches can be averted if companies take fundamental steps such as encrypting data – especially data that is on laptops that employees are allowed to take out of the office. “Steps also include simple, unsophisticated measures, such as locking filing cabinets.”
She said the motivation provided to companies to companies to practice these measures should be either financial or reputational.
“Those are the two things that speak to private companies – as well as government entities. CEOs need to see there’s a really a significant risk to their reputations and their bottom lines if they don’t invest the time, money and resources in minimizing the risk to data theft.”
CIPPIC research suggests a big part of the ID theft problem can be attributed to “over-collection of personal information” by organizations, and from lax corporate security, Lawson noted.
She said despite data protection laws prohibiting collection of more personal information than necessary by businesses, the marketplace is replete with examples of over-collection as well as inexcusable security breaches.
“This government recently had an opportunity to put some teeth into our data protection laws but chose not to do so.”
On the criminal side, she said, legislation is not enough, but needs to be supplemented with resources and training to those required to enforce new laws.
“We’re talking more bodies, but also properly trained bodies,” said Lawson. She said police forces need to be equipped with strong white collar crime operations with officers that are experts in the technology and know how to use it.
“Right now it’s quite clear that criminals are ahead of the police in their ability to use technology to their advantage.”
Lawson noted that much of the focus of police training is on controlling physical violence. “This is a completely different kettle of fish and they need to get the right kind of people in those positions, with the right kind of knowledge.”
Lawson said there’s also need for new sentencing guidelines, and judicial education so when perpetrators are caught, they pay a price that constitutes more than a cost of doing business.”
“We expect to see much more in the way of law and policy reform focusing on other actors who contribute to this problem through their negligence and who could do more to protect consumers from the often devastating effects of this crime.”