A proposed amendment to the Criminal Code that would add a new offence for possessing other people’s personal information with the intent to commit fraud, could help law enforcement combat identify theft, according to some Canadian IT security experts.
Bill C-27, tabled in the House of Commons Wednesday by the Conservative government, would amend the current law, which makes it a crime if fraud is committed, or is in the act of being committed.
But the federal government also wants to make it illegal to obtain or possess identity information with the intention of committing crimes, or to traffic identity information knowing it could be used to commit crimes.
The proposal makes sense because if a person or organization is found hoarding data they aren’t authorized to have, then “it’s a sure thing that their intent is to misuse this sensitive information,” said Brian Muir, vice-president of business development with Concord, Ont.-based value-added distributor of security products Simple Technology Inc.
While granting authorities the tools to prosecute against personal data collection is a good first step, it doesn’t stop there, said Muir, adding there still need for standards to protect personal data.
The availability of encryption and other technologies, he said, can enable businesses to protect data at rest and in transit, be it in a database, on a laptop or a USB key.
But businesses also have the responsibility of ensuring employees don’t steal customers’ personal data for their own purposes, he said, by ensuring that only those authorized to access that information is doing so.
Muir suggests using two-factor identification technologies – whereby two different methods are used to authenticate identity – to not only ensure access by authorized staff, but to provide necessary audit trails and the comfort to employees that they won’t be wrongly accused of accessing sensitive data. Although such tools are readily available, he said, most often businesses fail to use them.
“For businesses, the spin-off of using these new technologies is far reaching, being that they can protect all of their intellectual property and not just the information covered in the theft legislation,” said Muir. It’s not adequate to make collection and possession of others’ personal information a crime, agreed Philippa Lawson, director of the Ottawa, Ont.-based Canadian Internet Policy and Public Interest Clinic (CIPPIC).
She suggested there be an enforcement of other measures. For example, she added, companies and government departments should be given incentives to employ appropriate security measures around customer data.
“If the government is serious about this issue, we expect to see much more in the way of the law and policy reform focusing on other actors who contribute to this problem through their negligence,” said Lawson.
Besides identity theft legislation, the country needs legislation to address personal data security especially considering it’s something the average person has no control over, said Muir.
The government should also legislate the encryption and protection against theft of sensitive data, Muir said. “You have to prove that the person that’s accessing it is authorized to access it and prove that you’ve taken whatever safeguards are possible to make sure that others can’t.”