The chair of the House of Commons public safety and national security committee says he's not sure Canada's laws will ever be able to prevent data breaches like last month's massive leak at the Desjardins Group.
"After Bill-59 [the Liberals' national security bill], I have a lot more confidence that the security architecture has improved. Is it there? I don't think this will ever be there," Liberal MP John McKay told reporters before heading into a rare summer committee meeting to discuss last month's breach.
"It's just simply the nature of the beast that this is a very fast-moving file and regulators are necessarily coming late to the game."
Last month, the Quebec-based institution revealed that an employee with "ill intention" collected information about almost three million people and businesses and shared it with others. They've since been fired.
The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits. A police investigation is active.
The House of Commons public safety and national security committee met today at the request of the Conservatives to discuss how to prevent future breaches and look into whether issuing new SINs would be feasible. Tens of thousands have signed a petition demanding new numbers.
Federal officials told the committee replacing SINs would offer less protection than the free credit check service Desjardins is offering victims of the data breach.
MPs victims of breach too
For some committee members, the Desjardins breach is quite personal.
Liberal MP Francis Drouin and Conservative MP Pierre Paul-Hus are two of the nearly 2.7 million individual members and 173,000 business members swept up in the breach, thought to be one of the largest ever to hit a Canadian financial institution.
Desjardins Group President Guy Cormier fielded questions from the committee but told MPs his appearance was premature, given the ongoing police investigation.
But he did acknowledge future governments will have to grapple with data breaches, adding that "the status quo is not an option" when it comes to preventing identity theft and protecting private data.
"Data are raw materials, are as important as water, as wood. It's so integrated in our economy right now that we have to be really, really careful," Cormier said.
The Desjardins head recommended the government convene a special working group to help set up a new framework for data and privacy in Canada.
Even before the meeting started, McKay was trying to downplay expectations about what the committee could actually accomplish. As a credit union, Desjardins is largely regulated at the provincial level.
The committee also called the RCMP to testify, even though it's not the police force handling the investigation.
"I would tamp down those expectations ... This is, if you will, a 35,000 foot look at what is actually going on here and where there may be some gaps," said McKay.
"You can't deny that Parliament is not sitting, can't deny that this isn't in the middle of an election cycle."
The committee's Desjardins study dovetails with a report they've already published on cybersecurity and Canada's financial sector. It found that Canada's small- and medium-sized financial firms could be vulnerable to the constant barrage of cyberattacks.
"From a security standpoint, this is the new terrorism," said McKay
The Office of the Privacy Commissioner of Canada and its Quebec equivalent also have launched investigations looking at whether Desjardins was in compliance with federal and provincial laws on personal information protection.