(The Montreal Gazette published this week this piece I sent them. It's part of a larger campaign to bring changes to ID theft laws in Canada that I have started on a separate domain; you can get more information at idtheftreform.ca. If you're interested, please join our mailing list.)
On June 20, 2019, millions of Desjardins customers learned that their personal data had been leaked in one of the largest incidents of this type to ever happen in Canada. They joined the increasing ranks of Canadians who have seen their information leaked. In its 2021-2022 annual report, the Office of the Privacy Commissioner of Canada informed of 645 breach reports, “affecting at least 1.9 million Canadian accounts.” These are only the breaches we know about; the actual situation is likely worse than that. A recent survey revealed that 74 per cent of responding businesses didn’t report a cyber security incident after it was discovered.
The people most affected by these leaks, the ones who saw their most sensitive data getting out (name, address, birth date and social insurance number), must be on the lookout for identity theft forever. With that information on hand, criminals can impersonate them, get a new car, phone or credit line, and the victims will have to scramble to prove, in a perverse inversion of the burden of proof, that they didn’t open those accounts. It can happen next week, next month or 10 years from now. In its 2021 report, the Canadian Anti-Fraud Centre reported 29,500 cases of identity theft, an increase of 45 per cent over the previous year.
Official guides to protect yourself against identity theft (CRA, Canadian Anti-Fraud Centre) emphasize personal measures: shred your mail, don’t give away personal information, use strong passwords. However, no matter what you do at the personal level (and you should still do it), your data is not yours anymore. It will keep jumping from company to database to report and every time it gets copied the probability that it will get leaked only increases. It doesn’t need to be digital: your data can be stolen from your mailbox, or from the tax receipt you threw away without shredding. And once it’s out there, there’s no going back; you can’t unscramble an omelet.
Once we accept that we have little control over our data, it is wise to establish a second line of defence downstream. The two main credit bureaus, Equifax and TransUnion, offer their customers credit monitoring services and will send them alerts if something changes in their file. It’s a reactive solution, and not a very good one at that; it may take up to 30 days for a notification to get sent.
A better tool arrived at the United States starting in 2003 in California, and later legislated federally in the Economic Growth, Regulatory Relief, and Consumer Protection Act: the credit freeze. It enables U.S. citizens to lock their credit files. This means that their file can’t be accessed and no new credit accounts can be opened unless the freeze is removed or temporarily lifted, in case that person is really applying for new credit. As opposed to monitoring services, it’s a proactive approach: it gets triggered before the damage is done.
Here in Canada we’ve had to wait almost 20 years, but credit freezes are finally arriving, though only in Quebec, thanks to the Credit Assessment Agents Act, passed in October 2020. As of Feb. 1 this year, Quebec residents are to be able to place security freezes with the credit bureaus. So if you are not currently shopping around for new credit, put aside a couple of hours, contact Equifax and TransUnion and freeze your file for free. You don’t know who might be trying to do something nefarious with your data until they do.
Those in the rest of Canada? Today is a day as good as any other to contact their elected representatives, to ask them to enact similar legislation.