The head of Desjardins Group urged provincial lawmakers Thursday to pave the way for more secure digital identification systems while responding to questions about a data breach that’s affected 4.2 million people.
Guy Cormier, president and CEO of Desjardins, the largest federation of credit unions in Canada, said the current identification procedures used by financial institutions are cumbersome, outdated and ill-equipped to meet the security challenges of the 21st century.
“At the moment, we register our information on different networks with government documents that were designed for other reasons, during a different time,” he told a hearing of the legislature’s public finance committee in Quebec City.
“We’ve built a whole set of security measures to protect this. But that’s not optimal.”
Cormier used his appearance at the hearing to champion digital ID procedures, which refer broadly to emerging technologies that would do away with paper-based methods of identity verification, such as social insurance numbers.
In India and Argentina, for example, biometric technology is used increasingly to verify identity.
In some U.S. states, pilot projects are underway to make driver’s licenses available on smartphone apps. This allows users to control what information is provided to which authorities. A police officer would have the right to see all the data connected to your driver’s licence, for example, but a bouncer would only get access through the app to see your age.
Cormier described such digital ID procedures as a more effective long-term solution to securing the personal information that financial institutions like Desjardins store in their databases.
Financial institutions often collect more data than is necessary for providing services to the public, he said. Digital ID would streamline how individuals prove their identity and limit the amount of personal information that is shared online.
Cormier said Desjardins will create a Quebec branch of the Digital ID and Authentication Council of Canada (DIACC), a non-profit dedicated to establishing a national framework for digital ID procedures. He called on the Quebec government to join the organization.
“There are countries around the world that have taken the lead on this,” Cormier told reporters after the hearing.
“What I’m telling legislators today is to look at the problem beyond what happened at Desjardins and approach it more systemically.”
Desjardins has ‘sense of duty’: Cormier
Members of the governing Coalition Avenir Québec did not ask any follow-up questions about Cormier’s proposal. Instead, they sought to extract more details about how the data breach occurred and what kind of support Desjardins is offering its members.
“We think it’s important to meet with the trial figures … so they can explain what happened and what measures they took in response to the leak,” CAQ MNA Youri Chassin said in his opening statement.
“This is to help orient the government’s efforts to better protect the personal information of Quebecers.”
Earlier this month, the credit union revealed the breach it first reported back in June actually affected 1.2 million more members than it initially believed.
The Desjardins officials who testified Thursday repeated information provided previously by provincial police: that the main suspect in the breach is a former Desjardins employee.
At one point, Cormier described the suspect as a “data expert” who had “several years’ experience,” but he avoided providing further details, citing the ongoing police investigation.
He also drew attention to a report released earlier this month by the federal privacy commissioner that concluded 28 million Canadians had been affected by data breaches in the past year.
Unlike other organizations, Cormier said, Desjardins went public almost as soon as it learned of the breach.
“Who else has acted with as much transparency and the same sense of duty as Desjardins has in these past months?” he asked.
Earlier Thursday, Premier François Legault said his government is preparing legislation aimed at increasing the security of personal information.