Desjardins data breach to put Bill C-59 to the test: Liberal MP

Ahead of Monday’s emergency meeting of the House of Common’s public safety and national security committee on the massive Desjardins Group data beach, committee chair John McKay says the matter will test Bill C-59, the newly implemented federal national security legislation.

“This is, if you will, almost a classic example, a working example, of whether the various interfaces that have been set up under C-59 can be stood up and can work,” McKay, who also serves as the Liberal MP for Scarborough-Guildwood, told The West Block’s Eric Sorensen on Sunday.

McKay said that representatives from Desjardins and the RCMP are among witnesses set to appear before the committee’s meeting in Ottawa to probe the breach that has affected nearly three million individuals and business members.

The Liberals’ National Security Act, Bill C-59, received royal assent in June, two years after it was first introduced. The law, which civil liberties advocates have criticized for endorsing mass surveillance, revamps Canada’s national security regime, including tasking a new intelligence commissioner with overseeing activities of espionage.

As for what the public safety and national security committee can do to address these kinds of data breaches, McKay said he would “like to hear the evidence first and then make the recommendations afterwards.”

“I take some comfort in the fact that, under C-59, the government has set up an entity called Cyber Security or Cyber Security Task Force and it is to do the interface between industry, financial services and the Government of Canada,” said McKay. “No entity no matter how large … can do its own cyber security on its own.”

Desjardins, the Quebec-based financial institution, said last month that a Laval police investigation traced the data breach to a lone “ill-intentioned” employee. Personal information including social insurance numbers, names, addresses were leaked.

WATCH BELOW (Dec 2018): Canada struggling for experts in war against hackers

1:52 Help wanted: Canada struggling for experts in war against hackers

The ex-employee is suspected to have sold at least a portion of that data to criminal organizations, the Journal de Montreal reported on Friday, citing police sources.

“On the face of it, it’s a rogue employee. However, there may well be further implications beyond it simply being a rogue employee,” said McKay.

In response to the breach, Desjardins said it has implemented “additional security measures have been put in place to ensure all our members’ personal and financial data remains protected.”

Two privacy watchdogs, the Office of the Privacy Commissioner and the Quebec Access to Information Commission, launched a joint investigation this week into the breach and to determine whether Desjardins had adhered to provincial and federal regulations that protect personal information.

A pair of proposed class action lawsuits against the financial institution was filed in Quebec Superior Court last month, alleging that Desjardins was negligent in protecting personal and financial information.

Conservative leader Andrew Scheer urged his MP Pierre Paul-Hus, vice-president of the committee, to discuss to whether it would be possible to issue new social insurance numbers for victims of the breach. More than 80,000 people have signed a petition calling on the federal government to replace those SIN numbers.

McKay said that replacing SIN numbers would a “very formidable undertaking” and would be “something to be considered, but it also may be a response which is not well considered.”

Around the time that news broke of the Desjardins breach, the committee released a report entitled “Cybersecurity in the financial sector as a national security issue.” The report includes nine recommendations such as encouraging Canadians to adopt “sounds cyber hygiene habits” and that the federal government prompts individuals and companies to report all instances of cybercrime.

— With files from the Canadian Press and Global News’ Amanda Connolly,