Identity theft is a crucial issue for today’s consumers. Identity theft is deeply disturbing emotionally, financially debilitating and, unfortunately, largely beyond the control of consumers.1 Victims find that learning of ID theft is only the first hurdle. Attempting to stop the losses in a timely fashion is a time-consuming and frustrating experience, and resolving credit problems is a long-term task.
Business and government, not consumers, must lead the battle on ID theft
Business and government have to lead the ID theft battle, not consumers. Business practices cause many ID theft opportunities and may impede consumer recovery. Opportunities for ID theft often result from the implementation of technology to improve profitability. Businesses that handle sensitive personal information may not implement procedures required to protect this data.
Business must limit collection of personal data to the minimum necessary for the purpose of the transaction. Expansive collection for potential secondary marketing purposes simply risks over-collection and subsequent data loss or abuse. Use of sensitive personal identifiers such as Social Insurance Numbers (SIN) and driver’s license numbers (DLN) exacerbates this problem and provides identity thieves with the golden key to unlocking victims’ personal finances.
Simple changes to business models can be made. For example, secure destruction of personal information holdings after appropriate hold periods for privacy and other legal challenges should be routine. Business should carefully check ID, should not give out account details to third parties and should be extremely careful in extending credit. Phasing out of reliance on SINs and DLNs is essential. Above all, consumers should be immediately notified when personal information leaks occur.
Credit bureaus stand at the crossroads of detecting, responding to and preventing ID theft; however, consumers lack meaningful awareness of, and control over, their credit reports.
Business and government must realize that they hold personal information in trust for consumers. ID theft due to their information holdings and handling practices is a real possibility and business and government must take steps to manage the risk.
Legislation is required
While many businesses and governments have taken measures to protect against ID theft, a patchwork of initiatives with no mechanisms for enforcement and compliance poses a serious threat to consumers.
The individual and collective impact of ID theft is far too serious to be left to the whim of governments and businesses that may not always place consumer interests ahead of established business models and data handling practices.
An effective war on ID theft requires specific legislation and real enforcement measures.
The Council recommends that Canada’s federal and provincial governments move quickly to develop and adopt the following new laws to protect consumers in the personal information and identity theft age:
- DATA LEAKS NOTIFICATION. Require business and government to report leaks of personal information to CONSUMERS, not just credit bureaus and police.
  - Notice should be made as soon as possible and no later than 48 hours.
  - Notice should include what was compromised and steps consumers should take to protect their identity (e.g. contact credit bureaus).
  - Notice should be given if there is a breach or potential breach.
- SIN USE. Business must ERADICATE its reliance on SINs. (Two year phase out).
  - SINs are used for ID theft more often than anything else.
  - The Office of the Privacy Commissioner of Canada has advised directly against its use for all but income reporting and direct employment purposes.2
  - Business should not be permitted to ask for SINs for any other purpose.
  - Business must develop an alternate unique identifier.
  - Use of similar sensitive identifiers (DLNs, Health Card Numbers) likewise should be prohibited for identity or other business information-processing purposes.
- CREDIT FREEZE. Consumers should have a free credit freeze facility.
  - The consumer should be permitted to lift credit freezes with a special code for certain creditors either permanently or for a period of time.
  - Consumers should be notified of attempts to access credit reports or credit scores after a credit freeze has been issued.
  - Consumers should have a right to a credit report clean-up where entries relating to fraudulently obtained credit are removed.
  - Businesses and credit bureaus should educate consumers on the central role of the credit bureaus in detecting and preventing loss through ID theft.
1 See P. Lawson and J. Lawford, “Identity Theft: The Need for Better Consumer Protection”, November 2003, Public Interest Advocacy Centre. Online: http://www.piac.ca/IDTHEFT.pdf
2 Office of the Privacy Commissioner of Canada, “Fact Sheet: Best Practices for the use of Social Insurance Numbers in the private sector”, August 2004. Online: http://www.privcom.gc.ca/fs-fi/02_05_d_21_e.asp. Specifically, the OPCC states:
The Office of the Privacy Commissioner of Canada has long held the position that the Social Insurance Number (SIN) should not be used as a general identifier and that organizations should restrict their collection, use and disclosure of SINs to legislated purposes.
While recognizing that some private-sector organizations are required by law to request customers’ or employees’ SINs, we remain opposed in principle to the practice of requesting the SIN for general purposes of identification. We recommend that no private sector organization request the SIN from a customer, and that no customer give the SIN to a private-sector organization, unless the organization is required by law to request it.