Bill would regulate credit bureaus in Quebec following high-profile data breaches

Quebec’s finance minister wants consumers to be able to freeze their credit files, a service currently unavailable to Canadians.  Minister Eric Girard announced his plan to regulate credit bureaus on Wednesday. It comes following a series of high-profile data breaches this summer.

In June, Desjardins Group revealed the personal data — including social insurance numbers (SINs) — of roughly 2.7 million people was shared with a third party by an employee. At the end of July, the credit card company Capital One said data belonging to 6 million Canadians, including 1 million SINs, was obtained by a hacker. Recently, Revenu Québec said the data of some 23,000 employees and contractors was transferred outside of the organization.

Girard says he wants Quebecers to have access to the best protection offered by the credit industry as the risk of identity theft grows with each data breach.  “It’s in [the credit industry’s] interest to offer the best services to Quebecers,” said Girard.

He said his bill, which he intends to table when the legislature resumes this fall, would set standards that credit bureaus, namely Equifax and TransUnion, would have to comply with in order to operate in the province.

Girard said his bill will go further than legislation in place in other provinces by compelling the credit bureaus to allow consumers to freeze their credit file. This would stop third parties from viewing their file. No new loans and credit cards could be created in their name. While American customers are able to pay for this service, in Canada credit bureaus only offer credit monitoring. A CBC Marketplace investigation found credit monitoring does little to protect consumers, who are often not immediately notified about suspicious activity.

Opposition wants steep fines for lax data security

Québec Solidaire finance critic Vincent Marissal thinks regulating credit bureaus is a step in the right direction.  But he says financial institutions, whether public or private, must also be held accountable if they have sub-standard data protection.  “There are people losing sleep, who are in depression because their identity has been stolen,” said Marissal, calling the Desjardins breach a “wake-up call.”  He wants these institutions to face “severe” fines that reflect the pain inflicted on their customers.

Girard defends Desjardins’s handling of breach

Girard said he would be open to a legislative committee studying what happened in the Desjardins case. But he also told reporters that, with help from the Autorité des marchés financiers, Desjardins is “managing the situation properly.”

He highlighted that the credit union is offering identity protection services to all its banking customers, as well as paying for five years of credit monitoring through Equifax (itself the subject of a massive data breach in 2017).  He said the Desjardins data has not yet been found on the dark web, a part of the internet that is not indexed by search engines and serves as home to digital black markets for illegal and stolen goods and services.

Some Quebecers are also petitioning the federal government to have their SINs changed.