that handle sensitive data on a daily basis.
“”It’s telling consumers the obvious,”” said John Lawford, an analyst with the Ottawa-based group and one of the report’s authors.
Keeping PIN numbers secret, maintaining a healthy degree of skepticism when being asked to disclose personal information over the phone or online — basically common sense notions of protecting one’s identity. Those will go a long way to assuring that personal information stays personal, he said, but there needs to be a standard way to approach these issues for the agencies that handle this information.
Businesses, banks and government branches routinely ask for and process personal information, occasionally with disastrous results. There were a few examples in 2003 of government bodies that lost personal data, most recently the Canada Customs and Revenue Agency. On Sept. 4, four laptops were stolen from the CCRA’s Quebec Tax Office in Laval, one of which contained the names, addresses and social insurance numbers of 120,000 Canadians.
Lawford said that at a minimum data should be encrypted — which it was not in the CCRA case — but the PIAC report also points to an unnecessary reliance on SIN numbers as a identifier in both business and government circles. The report describes SIN numbers as the key to unlocking a person’s identity and that SIN cards should not be carried around in a wallet.
“”We’re also suggesting that people do good document practice — shredding their leftover documents and trying not to produce them in the first place,”” said Lawford. “”That’s a little more difficult. Even something like doing a transaction in person now and again is not a bad idea.””
But by far the largest security threat is stolen credit card numbers. According to the PIAC report, 42 per cent of ID thefts are credit card-related. The odds of it happening are slim, though, since the report notes that only 0.27 per cent of all credit cards in Canada are fraudulently used.
The value of good security practices has not escaped that attention of the Canadian financial sector. “”Certainly we agree that identify theft is a growing problem and one that we are actively working on,”” said Caroline Hubberstey, director of public affairs for the Canadian Bankers Association. “”Not just with our member banks but working with our other stakeholders. (We’re) taking a network watch approach to finding identity theft in the country.””
She said the CBA is working in co-operation with its members as well as different levels of provincial and federal government to update the Criminal Code to reflect how technology has changed the collection and management of identity.
“”There’s about 30 different provisions where you could pigeonhole it, but it’s not clear,”” she said.
While it doesn’t directly address criminal behaviour, the Personal Information Protection and Electronic Documents Act, “”is important because of the fact that it’s certainly encouraging businesses to be very mindful of how they handle personal information,”” added Hubberstey. PIPEDA, which comes into full effect in January, makes provisions for how companies should handle personal data, that it be collected for a specific purpose and that purpose be clearly communicated.
The PIAC report was partially funded by Industry Canada and has been circulated across all branches of government, said Lawford. “”The concern was expressed at the Industry Canada that there was a growing problem here.””
He noted that the United States Federal Trade Commission is further along in its approach to information protection than Canada. Much of the data in PIAC’s report relies on FTC research. “”The FTC does an awful lot to help people . . . and basically acts as a central starting point for everybody down there. We’re not quite there yet,”” he said.
The PIAC report offers several tips to consumers to prevent identity theft and what to do if you’re a victim of it. The CBA Web site also provides a series of security tips which covers credit cards, debit cards and online transactions.