Canadian Consumer Initiative Identity Theft Policy Position

Identity theft affects consumers

Identity theft is a crucial issue for today’s consumers. Identity theft is deeply disturbing emotionally, financially debilitating and unfortunately, largely beyond the control of consumers.1 Victims find that learning of ID theft is only the first hurdle. Attempting to stop the losses in a timely fashion is a time-consuming and frustrating experience and resolving credit problems is a long-term task.

Business and government, not consumers, must lead the battle on ID theft

Business and Government have to lead the ID theft battle, not consumers. Business practices cause many ID theft opportunities and may impede consumer recovery. Opportunities for ID theft often result from the implementation of technology to improve the corporate bottom line. Businesses that handle sensitive personal information may not be implementing procedures required to protect this data.

Business must limit collection of personal data to the minimum necessary for the purpose of the transaction. Expansive collection for potential secondary marketing purposes simply risks over-collection and subsequent data loss or risks abuse. Use of sensitive personal identifiers such as Social Insurance Numbers (SIN) and driver's license numbers (DLN) exacerbates this problem and provides identity thieves with the golden key to unlocking victims’ personal finances.

Simple changes to business models must be made immediately. For example, business should demand truncation of credit card numbers on receipts from credit card and debit card terminal suppliers, not simply wait for it to be eventually rolled out. Secure destruction of personal information holdings after appropriate hold periods for privacy and other legal challenges should be routine. Business should carefully check ID, should not give out account details to third parties and should be extremely careful in extending credit. Phasing out of reliance on SINs and DLNs is essential. Above all, consumers should be immediately notified when personal information leaks occur.

Credit bureaus stand at the crossroads of detecting, responding to and preventing ID theft; however, consumers lack meaningful awareness of, and control over, their credit reports.

Business and government must realize that they hold personal information in trust for consumers. ID theft due to their information holdings and handling practices is a real possibility and business and government must take steps to manage the risk.

Legislation is required

While many businesses and governments have taken measures to protect against ID theft, a patchwork of initiatives with no mechanisms for enforcement and compliance poses a serious threat to consumers.

The individual and collective impact of ID theft is far too serious to be left to the whim of governments and businesses that may not always place consumer interests ahead of established business models and data handling practices.

An effective war on ID theft requires specific legislation and real enforcement measures.

The CCI recommends that Canada’s federal and provincial governments move quickly to develop and adopt the following new laws to protect consumers in the personal information and identity theft age:

  1. Data leaks notification. Require business and government to report leaks of personal information to CONSUMERS not just credit bureaus and police.
    1. Notice should be made as soon as possible and no later than 48 hours.
    2. Notice should include what was compromised and steps consumers should take to protect their identity (e.g. contact credit bureaus).
    3. Notice should be given if there is a breach or potential breach.
  2. SIN use. Business must ERADICATE its reliance on SINs. (Two year phase out).
    1. SINs are used for ID theft more often than anything else.
    2. The Office of the Privacy Commissioner of Canada has advised directly against its use for all but income reporting and direct employment purposes.2
    3. Business should not be permitted to ask for SINs for any other purpose.
    4. Business must develop an alternate unique identifier.
    5. Use of similar sensitive identifiers (DLNs, Health Card Numbers) likewise should be prohibited for identity or other business information-processing purposes.
  3. Credit Freeze. Consumers should have a free credit freeze facility.
    1. The consumer should be permitted to lift credit freezes with a special code or for certain creditors either permanently or for a period of time.
    2. Consumers should be notified of attempts to access credit reports or credit scores after a credit freeze has been issued.
    3. Consumers should have a right to a credit report clean-up where entries relating to fraudulently obtained credit are removed.
    4. Businesses and credit bureaus should educate consumers on the central role of the credit bureaus in detecting and preventing loss through ID theft.
  4. Identity Theft Criminal Offences. Criminalize identity theft related offences.
    1. Police are presently unable to prosecute many identity theft related crimes effectively due to a lack of criminal offences relating to ID theft.
    2. Consumers require police reports and investigations to support their efforts to halt identity theft and re-establish their identity and credit.
    3. Making ID theft specifically illegal provides consumers with additional remedies in other contexts such as making valid insurance claims and in dealing with creditors.

Secondary Threats of Identity Theft

Identity theft is spawning a number of secondary threats to Canadian consumers.

The first of these is the trend to making consumers pay for combating identity theft. This takes the form of credit monitoring services and identity theft insurance. For the most part these forms of monitoring and insurance cannot stop identity theft and may be an unnecessary expense. It is inappropriate for businesses to have improper or insecure data safeguards and then charge consumers for this shortcoming. Businesses should not profit from ID theft.

Secondly, identity theft has frequently been cited by politicians and others as an excuse for implementing national ID cards or similar schemes, often with biometric identifiers. Identity cards with or without biometrics will not significantly impact identity theft, as most major ID theft occurs from sloppy information handling by government or business coupled with easy credit. Identity cards and biometrics will, however, reduce civil liberties by requiring consumers to self-identify in a traceable way as they go through life. Identity theft must not be used as an excuse to introduce privacy-invasive technologies such as biometrics and national ID cards.

One Stop Shop

Government can do more to help stop identity theft. In the U.S., the Federal Trade Commission is a “one stop shop” for consumers with identity theft questions. Canada should have a similarly convenient and authoritative government resource for Canadians dealing with the threat of identity theft.

Notes

  1. See P. Lawson and J. Lawford, “Identity Theft: The Need for Better Consumer Protection”, November 2003, Public Interest Advocacy Centre. Online: http://www.piac.ca/our-specialities/identity-theft-the-need-for-better-consumer-protection/
  2. Office of the Privacy Commissioner of Canada, “Fact Sheet: Best Practices for the use of Social Insurance Numbers in the private sector”, August 2004. Online: http://www.privcom.gc.ca/fs-fi/02_05_d_21_e.asp Specifically, the OPCC states:

The Office of the Privacy Commissioner of Canada has long held the position that the Social Insurance Number (SIN) should not be used as a general identifier and that organizations should restrict their collection, use and disclosure of SINs to legislated purposes.

While recognizing that some private-sector organizations are required by law to request customers’ or employees’ SINs, we remain opposed in principle to the practice of requesting the SIN for general purposes of identification. We recommend that no private sector organization request the SIN from a customer, and that no customer give the SIN to a private-sector organization, unless the organization is required by law to request it.
