Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on privacy breaches at the Canada Revenue Agency
December 5, 2024
Ottawa, Ontario
Opening statement by Philippe Dufresne
Privacy Commissioner of Canada
(Check against delivery)
Good afternoon, Mr. Chair, Members of the Committee.
Thank you for the invitation to speak to this critically important issue.
Data breaches have surged over the past decade, in scale, in complexity, and in severity. As stewards of sensitive personal information, government institutions are attractive targets.
To ensure that personal information is protected, federal organizations, including my Office, must be continuously adapting to an evolving threat environment.
In February 2024, we tabled a Special Report to Parliament with our conclusions on an investigation into a 2020 credential-stuffing incident that impacted the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC).
During the final stages of this investigation, we learned of other breaches related to Canada Emergency Response Benefits (CERB) fraud that the CRA had not reported to the OPC, dating back to 2020 and affecting up to 15,000 individuals. We indicated these breaches in our Special Report and added that we would be following up on this with the CRA.
The OPC recommendations on this investigation included improving communications and decision-making frameworks to facilitate a rapid response to attacks, and developing comprehensive incident-response processes to prevent, detect, contain, and mitigate future breaches. Both the CRA and ESDC agreed to implement these recommendations.
On May 9, 2024, the OPC received a breach report from CRA, retroactively covering incidents from May 2020 to November 2023, which captured 31,393 separate incidents.
The OPC’s breach response team has met regularly with the CRA since then to find out more about the CRA’s response to the situation, and to be kept up to date on the actions that the CRA is taking to address the breaches, notify, and mitigate risks to Canadians. There have been ongoing discussions related to the breach report but also pertaining to the February 2024 investigation report, given the linkages between both. Indeed, the CRA confirmed that, of the 31,393 incidents, approximately 15,000 related to the CERB fraud incidents that were mentioned in our Special Report to Parliament.
In the context of our ongoing engagement with them, on October 25, 2024, the CRA notified my Office of approximately 3,200 additional material breaches that occurred in 2023 and 2024 and were assessed retroactively.
This fall, the CRA sought and ultimately obtained an exception from the Treasury Board so that they could report individual cases of unauthorized use of taxpayer information by a third party (UUTP) to the TBS and to my Office on a quarterly basis instead of within a seven-day period, for operational reasons.
I had indicated to the TBS that while I would support this exception, I recommended that it be for a limited time period of 12 months, that the CRA be required to promptly notify and provide information, support and advice to affected individuals and that the breach reports include additional details including how and when affected individuals were notified and what additional actions were taken by the CRA to improve personal information safeguards.
On October 29, 2024, following the receipt of a complaint, I launched a formal investigation. This investigation will determine whether the CRA met its obligations under the Privacy Act and whether it employed adequate safeguards and breach response processes.
The privacy breaches at the CRA, both those in the earlier credential-stuffing investigation and those more recently reported, underscore the risk to personal information and the importance that must be placed on addressing and mitigating all breaches, including cyber incidents.
My Office regularly engages with federal institutions, by providing advice and helping to assess the privacy impacts of new programs or technologies; following up on the response to breach incidents; resolving situations that were raised through privacy complaints; and conducting investigations. Each engagement and compliance activity plays an important role in supporting and advancing privacy protection across the Government of Canada, which is increasingly complex and significant in this digital era.
This includes advice and guidance to support organizations in addressing and mitigating the risks posed by breaches, including on how to prevent, contain and report breaches, as well as the importance of notifying affected individuals.
Data breaches represent one of the most significant threats to personal information globally. In the 2023-2024 fiscal year ending on March 31, 2024, my Office received over 350 reports of cyber incidents, the vast majority (over 90%) from private-sector organizations.
This year, I have launched investigations into other major privacy breaches. These include the Ticketmaster Canada breach that impacted over half a million Canadians, and a joint international investigation with my counterpart, the UK Information Commissioner, into the 23andMe data breach, which involved sensitive DNA data.
We know that breaches can occur even when organizations have put in place safeguards. This is why an effective response to a breach is also critical to mitigating the impacts on Canadians and preserving trust in their institutions.
Given the significance of these risks and the potential impacts that they can have on individuals, timely breach reporting requirements need to be made a legal obligation under the Privacy Act, rather than a TBS policy requirement as they currently are.
In 2023, the OPC requested and obtained additional temporary funding as part of Budget 2023 to deal with breaches. While this request was for temporary funding for a two-year period, I believe that permanent funding is required, as breaches are a permanent and growing concern that pose a significant threat to individuals and organizations.
In a digital world where the risks are higher than ever, investing in privacy is crucial. Privacy protection must be embedded throughout government programs and services.
We must also continue to progress on efforts to modernize Canada’s privacy laws – both the private-sector law, as well as the Privacy Act, which predates the Internet, and we need to ensure that my Office is adequately resourced given the increasingly complex data landscape.
This will continue to be a priority for us, and I will look forward to your committee’s report on this important issue. Thank you and I would be pleased to answer your questions.