Canada to Criminalize Identity Theft

November 14, 2007 by Rachel Chow

The move to criminalize identity theft comes amid pressing calls to modernize current privacy laws that have be made irrelevant by rapidly evolving technologies. Identity theft, that is the unauthorized gathering, possessing of or dealing in identity information, is not caught by the existing Criminal Code. While several activities integral to the unauthorized use of personal information, such as fraud, theft and impersonation are illegal under the Criminal Code, there remains a lacunae in the law which identity thieves have been quick to exploit. Moreover, it is inherently difficult to prove intent, a necessary element to prosecute an identity thief under the Criminal Code.

Justice Minister Rob Nicholson’s plan to criminalize identity theft is a welcome, albeit long overdue one. Identity theft has emerged as the crime of the information age, facilitating widespread criminal activity, even across borders. By criminalizing the gathering and trafficking in personal data for purposes of fraud, law enforcement agencies will finally have the teeth to intervene and clamp down on criminals before actual fraud is committed. Such a move will mitigate the financial and intangible losses caused to identity theft victims. It is estimated that identity theft costs at least $2.5 billion a year to Canadian consumers, banks and other businesses. (1)

However, identity theft is not solely a criminal concern. A heightened sense of privacy awareness amongst Canadians is another impetus to criminalize identity theft. If individuals are the legal owners of their personal information, they should have the right to control access to their information, and the right to protect it. In that respect, identity theft is akin to a violation of one’s privacy. As technology evolves, so must the law in defining the legal ownership rights of individuals regarding their personal information.

At first blush, the term `identity theft’ appears to be an oxymoron. Just as the taking of intellectual property is not theft in the traditional sense, identities cannot be stolen, its owners are still left in possession after the taking. Yet, one’s reputation and credit-worthiness can be severely damaged when fraud takes place. The financial ramifications and emotional devastation can last for a long time. As stated by Minister of Labour, Jean-Pierre Blackburn, `Canadians are entitled to have their identities and personal information protected to the highest degree possible.’ There is value in personal information, and as echoed by Privacy Commissioner, Jennifer Stoddart, there is a clear need to protect it.

In addition, capitalistic imperatives must not be ignored. Personal information can be exploited for unlawful money making schemes. As legal owners of their personal information, individuals ought to have exclusive rights, in that a 3rd party should not be allowed to infringe on their monopoly over their data, especially where it is used to make money through fraudulent means.

Criminalizing identity theft is not the panacea for all its ills. Stoddart recognizes that a broad-based strategy is required for tackling identity theft and fraud. This involves the cooperation and coordination between various government departments and agencies, as well as between stakeholders.

While amendments in the Criminal Code will better equip police with the tools to tackle identity thieves, privacy legislation must be reformed to more adequately protect Canadians from identity theft. The recent TJX Cos. and CIBC security breaches highlight the vulnerable position of consumers as they entrust sensitive, personal information into the hands of Canadian companies. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies and organizations to adopt security safeguards when handling personal information. However, there is no requirement for organizations to notice customers in the event of an unauthorized disclosure. Breach notification laws should be imposed, thus requiring organizations to disclose any security breaches. This would induce organizations to protect personal information, and to reconsider the accumulation of extraneous data. In support, Stoddart asserted that such a scheme would provide individuals with an early warning system to mitigate the losses from a privacy breach. Through Criminal Code amendments and reform in privacy law, the risk of identity theft in the private sector would be minimized.

The government has rightly taken the leading step in combating identity theft. Where technology is fast outstripping the existing law, more must be done to combat identity theft. Besides reform in the Criminal Code and mandatory breach notifications, public education is essential. Individuals should be empowered to play an active role in securing their personal information.

(1)  Minister Denis Coderre in an address to the Standing Committee on Citizenship and Immigration (Feb.6,2003)

  1. One Response to “Canada to Criminalize Identity Theft”

  2. I agree that the plan to criminalize identity theft in Canada is a much needed and long overdue initiative by the Canadian Government. There is little doubt that identity theft may lead to substantial harm for Canadian consumers, businesses, financial institutions and the economy as a whole. In fact, an individual’s personal credit rating and reputation can be ruined overnight. This reinforces the need for Criminal Code provisions to be introduced, which target the gathering and trafficking of personal information, to prevent identity theft before it occurs.

    I also agree that privacy legislation plays important role in preventing identity theft, and should be reformed to better protect Canadians. Although the Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations handling personal information to implement appropriate safeguards, it does not go far enough to protect the privacy interests of Canadians. Additional measures such as the introduction of mandatory security breach notifications, requiring companies to disclose breaches of personal information, are required to help prevent identity theft. This would alert consumers to the heightened risk of identity theft, and enable them to take preventative steps such as contacting their financial institutions proactively, to determine what additional measures can be taken to mitigate the risk.

    The introduction of additional legislation prohibiting the use of data mining and spyware programs on the internet should also be considered (Michael Giest, Canada’s Identity Theft Bill). These applications can facilitate identity theft by surreptitiously collecting information about consumers while they are surfing the internet.

    By Christopher Davenport on Nov 29, 2007

You must be logged in to post a comment.