For the last 10 years, countless cases of identity theft have sprung up across North America because industry standards for customer privacy protection have been “inadequate,” said a co-author of Ottawa’s electronic privacy act Wednesday.
“I express indignation that
it has taken so long to address the issue (of identity theft) and I blame government and industry,” said Stephanie Perrin, one of the authors of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the president of Montreal-based Digital Discretion Inc.
Perrin was one of several panelists who spoke at an Ottawa conference entitled “”Identity Theft: A $5 Billion Speck on Canada’s Radar Screen.””
Another panelist charged that there are “very poor government and business security practices” for handling personal information.
“Much of the personal information that’s held in very large databanks is not encrypted,” said John Lawford, research analyst at the Public Interest Advocacy Centre, referring to government databases. “This is what happens when (a hard drive) goes missing. Someone can start reading the information immediately. This could mean 50,000 or 60,000 names at a time.”
Legislation should require companies to notify those who have had their personal information leaked, he added. “Currently, the only way we know about a leak is that if someone has passed that story on to a reporter.”
Lawford added creditors are currently free to ignore fraud alerts on a client’s file, and he recommended that an immediate credit freeze should take place after a fraud alert is recorded. He also suggested credit bureaus could be doing a lot more to tell customers that they are entitled to a free credit report at least once a year.
Several hundred cases of identity theft first showed up in the U.S. in the mid-1990s, and gradually filtered across the border. Public interest groups reported such cases as early as 1994, but they often fell on deaf ears, said Perrin. The Federal Trade Commission, along with its Canadian counterpart, didn’t wake up to the issue until the end of that decade.
“The government should have stepped in long ago,” Perrin said.
Perrin theorized that the U.S. credit reporting industry “probably knew” in the latter half of the 1990s of an increasing number of identity theft cases, yet didn’t do anything.
Meanwhile, victims at the time only found out their identity had been stolen months after the fact when they applied for a mortgage or loan, she said.
Lawford said there are still shortfalls in legislative efforts to deal with the problem, including the lack of a provision in the Criminal Code of Canada that would enable police to charge individuals during a raid if they are found to have boxes of other peoples’ personal information.
“That’s a problem, but it’s not a hard one to fix. I guess a change to the Criminal Code is harder than it looks,” he said, adding there is a need for a wider definition of personal information so some businesses aren’t excluded simply because they possess information that doesn’t seem to be useful for identity theft.
Perrin said police can now nail perpetrators under PIPEDA if they are found to have information without justification. “I think we’re going to see a number of lawsuits in the next five years.”
But trying to prove commercial organizations are guilty of mishandling personal information can be a long and difficult process, she said. “Crafting a way to show criminal intent might be difficult as well. Amending the Criminal Code is an interesting idea.”
In the case of encrypting more databanks, Perrin cautioned that it would likely slow transactions down and load up systems, adding it would be unrealistic to ask banks to encrypt everything.
Panelists from the private sector were also represented at Wednesday’s conference. Suzanne Morin, senior council regulatory law at Bell Canada, emphasized that the phone giant does not disclose anything except a client’s name, address and phone number without consent.
“We’ve gone that extra step and required expressed consent in writing,” she said.
Morin added that Bell employs multiple-level screening for customer service representatives, so “as more and more information is getting put into a large database, the rep doesn’t have to see everything right away.”
Perrin acknowledged that Industry Canada has recently used its Web site to inform citizens on privacy protection, and she looks forward to a more collaborative effort by Ottawa to work on these issues. The former privacy commissioner saw identity theft and privacy protection as “his issue” alone, Perrin said, adding she looks forward to a more consolidated approach from Ottawa in the future.