Other PIAC Documents
Tell us your story!
Please contact us with your stories and questions.
Identity theft is a crucial issue for today’s consumers. Identity theft is deeply disturbing emotionally, financially debilitating and unfortunately, largely beyond the control of consumers.1Victims find that learning of ID theft is only the first hurdle. Attempting to stop the losses in a timely fashion is a time-consuming and frustrating experience and resolving credit problems is a long-term task.
Business and Government have to lead the ID theft battle, not consumers. Business practices cause many ID theft opportunities and may impede consumer recovery. Opportunities for ID theft often result from the implementation of technology to improve the corporate bottom line. Businesses that handle sensitive personal information may not be implementing procedures required to protect this data.
Business must limit collection of personal data to the minimum necessary for the purpose of the transaction. Expansive collection for potential secondary marketing purposes simply risks over-collection and subsequent data loss or risks abuse. Use of sensitive personal identifiers such as Social Insurance Numbers (SIN) and drivers license numbers (DLN) exacerbates this problem and provides identity thieves with the golden key to unlocking victims’ personal finances.
Simple changes to business models must be made immediately. For example,truncating credit card number receipts should be demanded by business of credit card and debit card terminal suppliers, not simply waited for when eventually rolled out. Secure destruction of personal information holdings after appropriate hold periods for privacy and other legal challenges should be routine. Business should carefully check ID, should not give out account details to third parties and should be extremely careful in extending credit. Phasing out of reliance on SINs and DLNs is essential. Above all, consumers should be immediately notified when personal information leaks occur.
Credit bureaus stand at the cross-roads of detecting, responding to and preventing ID theft, however, consumers lack meaningful awareness of, and control over, their credit reports.
Business and government must realize that they hold personal information in trust for consumers. ID theft due to their information holdings and handling practices is a real possibility and business and government must take steps to manage the risk.
While many businesses and governments have taken measures to protect against ID theft, a patchwork of initiatives with no mechanisms for enforcement and compliance poses a serious threat to consumers.
The individual and collective impact of ID theft is far too serious to be left to the whim of governments and businesses that may not always place consumer interests ahead of established business models and data handling practices.
An effective war on ID theft requires specific legislation and real enforcement measures.
The CCI recommends that Canada’s federal and provincial governments move quickly to develop and adopt the following new laws to protect consumers in the personal information and identity theft age:
Identity theft is spawning a number of secondary threats to Canadian consumers.
The first of these is the trend to making consumers pay for combating identity theft. This takes the form of credit monitoring services and identity theft insurance. For the most part these forms of monitoring and insurance cannot stop identity theft and may be an unnecessary expense. It is inappropriate for businesses to have improper or insecure data safeguards and then charge consumers for this shortcoming. Businesses should not profit from ID theft.
Secondly, identity theft has frequently been cited politicians and others as an excuse for implementing national ID cards or similar schemes, often with biometric identifiers. Identity cards with or without biometrics will not significantly impact identity theft, as most major ID theft occurs from sloppy information handling by government or business coupled with easy credit. Identity cards and biometrics will, however, reduce civil liberties by requiring consumers to self-identify in a traceable way as they go through life. Identity theft must not be used as an excuse to introduce privacy-invasive technologies such as biometrics and national ID cards.
Government can do more to help stop identity theft. In the U.S., the Federal Trade Commission is a “one stop shop” for consumers with identity theft questions. Canada should have a similarly convenient and authoritative government resource for Canadians dealing with the threat of identity theft.
The Office of the Privacy Commissioner of Canada has long held the position that the Social Insurance Number (SIN) should not be used as a general identifier and that organizations should restrict their collection, use and disclosure of SINs to legislated purposes.
While recognizing that some private-sector organizations are required by law to request customers’ or employees’ SINs, we remain opposed in principle to the practice of requesting the SIN for general purposes of identification. We recommend that no private sector organization request the SIN from a customer, and that no customer give the SIN to a private-sector organization, unless the organization is required by law to request it.