Identity theft is deeply disturbing emotionally, financially debilitating and unfortunately, largely beyond the control of consumers.1 Learning of ID theft is only the first hurdle for victims. Attempting to stop losses due to identity theft is a time-consuming, frustrating experience. Resolving credit problems is a long journey.
Business and government, not consumers, must lead the battle on ID theft
Business and government have to lead the ID theft battle, not consumers. Business practices cause many ID theft opportunities and may impede consumer recovery. Opportunities for ID theft often result from the implementation of technology to improve profitability. Businesses that handle sensitive personal information may not implement procedures required to protect this data.
Business must limit collection of personal data to the minimum necessary for the purpose of the transaction. Expansive collection for potential secondary marketing purposes simply risks over-collection and subsequent data loss or risks abuse. Use of sensitive personal identifiers such as Social Insurance Numbers (SIN) and drivers license numbers (DLN) exacerbates this problem and provides identity thieves with the golden key to unlocking victims’ personal finances.
Simple changes to business models can be made. For example, secure destruction of personal information holdings after appropriate hold periods for privacy and other legal challenges should be routine. Business should carefully check ID, should not give out account details to third parties and should be extremely careful in extending credit. Phasing out of reliance on SINs and DLNs is essential. Above all, consumers should be immediately notified when personal information leaks occur.
Credit bureaus stand at the cross-roads of detecting, responding to and preventing ID theft. However, consumers have little control over the quality of credit reports about them.
Business and government must realize that they hold personal information in trust for consumers.
Legislation is required
While many businesses and governments have taken measures to protect against ID theft, a patchwork of initiatives with too little enforcement and compliance continues to threaten consumers.
The Council recommends Canada’s federal and provincial governments require and enforce:
- DATA LEAKS NOTIFICATION. Require business and government to report leaks of personal information to consumers.
- SIN USE. Business must cease its reliance on SINs.
- CREDIT FREEZE. Consumers should have a free credit freeze facility.
- The consumer should control credit freezes.
- Consumers should be notified of attempts to access credit reports or credit scores when a credit freeze is underway.
- Consumers should have a right to a credit report clean-up.
- Businesses and credit bureaus should educate consumers about how credit bureaus can detect and prevent loss through ID theft.
1See P. Lawson and J. Lawford, “Identity Theft: The Need for Better Consumer Protection”, November 2003, Public Interest Advocacy Centre. Online: http://www.piac.ca/IDTHEFT.pdf
2Office of the Privacy Commissioner of Canada, “Fact Sheet: Best Practices for the use of Social Insurance Numbers in the private sector”, August 2004. Online: http://www.privcom.gc.ca/fs-fi/02_05_d_21_e.asp . Specifically, the OPCC states:
The Office of the Privacy Commissioner of Canada has long held the position that the Social Insurance Number (SIN) should not be used as a general identifier and that organizations should restrict their collection, use and disclosure of SINs to legislated purposes.
While recognizing that some private-sector organizations are required by law to request customers’ or employees’ SINs, we remain opposed in principle to the practice of requesting the SIN for general purposes of identification. We recommend that no private sector organization request the SIN from a customer, and that no customer give the SIN to a private-sector organization, unless the organization is required by law to request it.