Consumers, tech companies look to life beyond the Social Insurance Number

Christopher Reynolds

The Canadian Press

In the wake of data breaches at both of Canada’s credit monitoring agencies, some experts say the problem isn’t theft of social insurance numbers and other information, but rather our approach to proving who we are.

As social insurance numbers (SINs) continue to flow into the hands of hackers, industry players and consumers are increasingly on the hunt for an overhaul to how we identify ourselves in the digital age.

Over a lifetime, Canadians hand out their SINs left and right — to landlords, credit agencies, credit card companies, car rental firms, colleges and universities. In none of those cases are they required to do so, although a SIN is often requested.

Federal rules require citizens to provide their SIN only to certain government agencies as well as employers and — if the account earns interest — to financial institutions.

Starting in 1964, SINs originally served as client numbers tied to employment insurance programs and the Canada Pension Plan. Its current use as a kind of ultimate identity marker has far outgrown its original intent, providing effective proof of who you are when matched up with another personal document or piece of information such as a driver’s license or date of birth.

However, if criminals gets a hold of more than one of those ID verifiers, they could use them to file a fake tax return or apply for a loan or mortgage in your name, with consequences that could last decades.

Until the digital age, computer hacking hardly posed a risk to people’s data. Nor were there large databases that stored millions of SINs, outside of government institutions and banks, says Rich Mogull, CEO of Phoenix-based security firm Securosis.

“Earlier, even in my lifetime — I’m only in my 40s — everything was more local. We went into our local bank, even credit cards were generally issued from a local bank,” he said.

“But we started moving toward large-scale regional and national banking…and we started applying for things like loans online” — boosting the need for unique identifiers that could be presented remotely and recognized by a computer.

Increasingly, credit monitoring agencies, utilities companies and credit card vendors began to use social insurance numbers — or social security numbers in the United States — as key identifiers to keep track of clients.

“Everybody is relying on one number, and it’s not a secret,” Mogull said.

“When I went to university my student ID number was my social security number,” he recalled, shaking his head. “Once that number’s out there and exposed, there’s no taking it back. And it can be used for all sorts of fraud.”

The problem drove Quebec resident Pierre Langlois to launch an online petition calling on Ottawa to replace social insurance numbers compromised by identity theft.

Moved to action last summer after a breach at Desjardins Group scooped up data from nearly 2.9 million members — including their social insurance numbers, names and addresses — Langlois posted a second petition asking the government to propose a “quick solution to this security problem.”

With more than 147,000 signatories, the petition shied away from a more specific demand for two reasons, Langlois said: the difficulty of changing your SIN — proof of fraudulent use must be shown — and the dubious benefit of that tactic in the first place, since those newly assigned citizens could be just as susceptible to data breaches down the line.

“The government is asking us to give it to every employer you’ve ever worked for. Do you think the small restaurant where you worked has higher security than a bank?” Langlois asked in a phone interview.

The solution, says Mogull, lies in local transactions or encrypted SIN storage that would make data theft harder.

Cryptographic keys comprise a long string of random numbers that can be used to unlock personal data, but Greg Wolfond, chief executive at Toronto-based SecureKey Technologies, is skeptical of cryptographic identifiers as the answer.

“I fear that the bad folks are still going to be able to take this data and use AI and put it together in smart ways to try to become you to get a loan, to file a fake tax return in your name,” Wolfond said.

He wants to get away from the “static information” model that underpins ID confirmation and motivates data hacks. Instead, Wolfond is advocating something called real-time verification as the best way to show that you are, in fact, you.

His company’s product, dubbed Verified.Me, allows customers to provide proof of their identity using information they’ve already given their financial institutions. The Verified.Me smartphone app connects with participating financial institutions and removes many of the steps currently required to establish a person’s identity.

Though only a few financial products are available through the app, Verified.Me counts Desjardins and the Big Five banks as Canadian partners.

In the long run, the approach could include applying for a mortgage, renting an apartment or obtaining a driver’s licence, Wolfond said.

In the past three years, millions of consumers have been affected by hacks against a panoply of companies including Canadian-based cheaters’ website Ashley Madison as well as British Airways, Uber, Deloitte and Walmart.

TransUnion revealed Wednesday that the personal information of 37,000 Canadians may have been compromised this past summer, leaving both of Canada’s credit monitoring agencies with data blemishes on their record.

Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and about 19,000 Canadians.

Stay Safe, Drive Sober This Thanksgiving Holiday Weekend

Happy Thanksgiving! Ever wonder why the Americans celebrate Thanksgiving Day in November, and we celebrate in October?

In the 1870s, the US Thanksgiving Day tradition began, and Canada, not wanting to appear rude, quickly followed suit. From 1879 to 1898, Canadian Thanksgiving celebrations were held usually on the first Thursday in November.

In 1899, Thanksgiving Day was moved from Thursday in November to a Thursday in October. In 1908, Canadian commercial and trade groups pressured Parliament to move Thanksgiving Day from a Thursday to a Monday “to give three days in which tradesmen and others could enjoy that holiday.”

In 1931, Canadian Thanksgiving Day finally stopped changing – it and Armistice Day were formally separated. Armistice Day became  Remembrance Day and found a permanent home on November 11, and Thanksgiving Day was permanently set for the 2nd Monday in October.

The ILScorp offices will be closed Monday, Oct. 14th, as we take some time to enjoy the long weekend. We’ll be back Tuesday morning, ready to take your calls, answer your questions and register you for online insurance programs. You can reach us from 8 a.m. – 5  p.m. Pacific Time.

You can also register for our insurance training programs online, anytime, at ILScorp.com

Happy Thanksgiving to all of our readers. All the best to you and your families as we pause to reflect on everything significant in this world. For subscribers to the ILSTV insurance industry newsletter, your daily dose of Canadian insurance news returns to your inbox on Wednesday, Oct 10th.

“Like” us on Facebook | Follow us on Twitter | Sign up for our free daily Canadian Insurance Newsletter

Insurance brokerage Hub bulking up Canadian benefits business with acquisition spree

The biggest insurance brokerage in Canada has been on a dealmaking blitz that may only be about halfway done, according to the company’s Ontario chairman.

Chicago-based Hub International Ltd. sells insurance, but it has also spent the past year expanding the Canadian side of its business, which advises companies on their employee benefits, such as health or retirement plans. It has been doing so in part by acquiring a number of boutique firms.

On Tuesday, Hub said it acquired for an undisclosed sum Toronto’s PDF Financial Group Inc., an independent brokerage that helps a company’s human-resources department manage employee programs. The acquisition was one of five such deals Hub has announced to date in October, involving three companies in Canada and two in the United States.

Hub is Canada’s biggest property and casualty insurance broker by a “healthy margin,” but it had heard back from some clients wanting advice about benefits and pensions as well, according to Gregory Belton, the executive chairman of Hub Ontario.

“We’re not only getting larger and filling out a geographic footprint, but we’re developing services for what we think is the under-served middle market of Canadian business,” Belton said in an interview with the Financial Post.

After announcing its Canadian benefit strategy in July 2018, Hub noted at the beginning of this year that it had already acquired 13 Canadian employee-benefit and pension brokerages since 2018, increased fee revenue to more than $50 million and opened seven new offices. Hub wants to earn more than $100 million in commission fees by 2021, and said it expected to open an additional 10 offices.

“I would say that we’re about halfway done in our acquisition strategy,” Belton said. “We have a fairly robust pipeline across the country, and you’ll see further acquisitions being closed in the coming months.”

Mike Berris, a partner at accounting firm Smythe LLP who specializes in valuations and M&A consulting in the Canadian P&C insurance industry, said he expects more activity in the benefits space — although not all brokers may be able to pull it off.

Even though it’s a risk-based product, you really have to have scale and expertise to do it properly.

Mike Berris, partner, Smythe LLP

“There’s a lot of desire, but there’s only so many people who are capable of doing that,” Berris said. “Even though it’s a risk-based product, you really have to have scale and expertise to do it properly.”

Hub has been scaling up since it formed in 1998 with the merger of 11 Canadian brokerages. It went public soon after, expanded into the U.S. and in 2007 was bought by private-equity firm Apax Partners and investment bank Morgan Stanley.

In 2013 Hub announced it was being acquired by funds advised by another private-equity firm, Hellman & Friedman LLC, in a deal that valued the brokerage at around US$4.4 billion.

Hub then said in October 2018 that it had agreed to a deal involving “a substantial minority investment” from funds managed by Toronto-based investment firm Altas Partners. The agreement implied a total enterprise value for Hub of more than $10 billion.

Since the deal, Hub’s website shows it has made more than 50 acquisition-related announcements. Currently, the brokerage has more than 11,000 employees, with more than 250 offices in the U.S. and about 200 in Canada, a spokesperson said.

“Like a lot of private-equity-owned brokerages, they have been very, very aggressive and they’re very, very effective in growing through acquisitions,” Berris said.

Belton said most Canadian businesses fit the mid-market mold, but that there is no “dominant player” in that section of the market right now for the sort of benefits business Hub is expanding. Even so, he said there has been “very robust competition” for the types of companies Hub is buying.

“Our aspiration is to become the dominant player, just as we are in the property-casualty side of the business,” Belton said.

SSQ Insurance participates in a unique research project with Le Pole Sante – HEC Montreal

QUEBEC CITY, Oct. 10, 2019 /CNW Telbec/ – SSQ Insurance is proud to partner up with Le Pôle Santé – HEC Montréal to study the link between health and wellness management practices in the workplace and the most common insurance claims made by employees. By participating in such a project, the insurer hopes more will be learned about the impact that corporate practices have on the health of individuals, and help participating companies apply the findings to improve the health and wellness of their employees.

For this study, SSQ Insurance will be soliciting some of its group insurance planholders. Data gathered on a voluntary and confidential basis will be used to identify promising health and wellness workplace management strategies. These will be based on each sector’s context, in an effort to curb financial, human and social costs, improve quality of life at work as well as bolster performance and productivity. Companies who participate in the study and follow its recommendations could reap significant benefits.

The climate that Canadian companies find themselves in confirms the need for such a study. Currently, several millions of Canadians are living with a chronic illness, making it the most common category of illness. Of all chronic illnesses, mental disorders will be the number one cause of disability in high-income countries by 2030. The loss in productivity caused by mental disorders will cost Canadian companies $198 billion by 2041 – the current cost of Canada’s public health insurance plan1.

“Health problems at work and professional burnouts plague all sectors. We are very proud to partner up with Le Pôle Santé – HEC Montréal in order to help companies fight mental health issues and take concrete action for the health and wellness of their employees. This initiative is a testament to SSQ Insurance’s concern for its customers’ health,” said Geneviève Fortier, Senior Vice-President – Sales and Distribution, SSQ Insurance.

This research project, conducted with the Le Pôle Santé – HEC Montréal, is an extension of SSQ Insurance’s HealthInSight program and the initiatives spearheaded by its Innovation Team. Designed as an incentive for developing healthy habits in insureds, the Health InSight Program instills and fosters awareness by applying tangible solutions adapted to each workplace.

For more information about Le Pôle Santé – HEC Montréal, please visit polesante.hec.ca (French only).

About SSQ Insurance
Founded in 1944, SSQ Insurance is a mutualist company that puts community at the heart of insurance. With assets under management of $12 billion, SSQ Insurance is one of the largest companies in the industry. Working for a community of over three million customers, SSQ Insurance employs over 2,000 people. Leader in group insurance, the company also sets itself apart through its expertise in individual life and health insurance, general insurance and the investment sector. For more information, please visit ssq.ca.

1.

Sources:

Mathers, C.D. and Loncar, D., Projections of Global Mortality and Burden of Disease From 2002 to 2030, PLoS Medicine, vol. 3, no 11 (2006), p. e442.

Roberts, G. and Grimes, K. (2011), Return on investment: mental health promotion and mental illness prevention, Canadian Policy Network at the University of Western Ontario, March, 67 pp.

Smetanin, P., Stiff, D., Briante, C., Adair, C.E., Ahmad, S. and Khan, M. (2011). The life and economic impact of major mental illnesses in Canada: 2011 to 2041. RiskAnalytica on behalf of the Mental Health Commission of Canada.

SOURCE SSQ Insurance

ssq.ca

TransUnion says data on 37,000 Canadians may have been compromised

TransUnion says someone fraudulently accessed data using a customer’s login credentials

The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada’s credit monitoring agencies with data blemishes on their record.

The TransUnion incident is much more limited than the high-profile data hack at credit monitoring agency Equifax Inc. in 2017, which exposed the information of 147 million people, including about 19,000 Canadians.

TransUnion said in a statement Wednesday that someone fraudulently accessed its data through the use of one of its business customer’s login credentials between June and July.

Company spokesperson David Blumberg said that while the investigation is ongoing, the company maintains that the fraudulent login was not a failure of its systems.

“The unauthorized access was not the result of a breach or failure of TransUnion’s systems or our customer’s system,” he said.

Canadian Western Bank (CWB) confirmed that the credit report data was accessed through an account at its leasing division.

“In August, we learned that CWB National Leasing’s account was illegally used by an unauthorized third party to perform unauthorized credit checks,” said company spokesperson Maya Filipovic.

She said no personal information held by CWB National Leasing was taken, disclosed or misused in any way.

Type of personal information accessed

TransUnion did not disclose what kind of personal information was compromised by the fraudulent login.

A credit check by a bank or lender could give access to an individual’s name, date of birth, current and former addresses, information on existing credit and loan obligations, credit repayment history and potentially their social insurance number.

TransUnion said it learned of the breach in August and has notified those whose information may have been accessed as well as the privacy commissioners.

The incident is the latest of numerous data breaches in recent years, including the Equifax breach. More recently, Capital One said in July that data of six million Canadians was hacked, including about a million social insurance numbers. Desjardins said in June that the data of about 2.7 million accounts was hit with a breach.

The problem is that no system is foolproof, said Hasan Cavusoglu, an associate professor of management information systems at the UBC Sauder School of Business.

“The reality is this is a moving target. Organizations are every day exposed to new type of attack vectors, new kinds of threat actors.”

He said customers have little choice but to have their data held with TransUnion and Equifax.

“As long as you do some kind of transaction, your data will inevitably fall into these companies.”

The two credit monitoring agencies collect a variety of financial data to help banks and other lenders figure out how reliably a customer might pay them back. The model means the agencies want to collect as much information as possible to clearly represent someone’s credit worthiness, said Cavusoglu.

While breaches are impossible to rule out entirely, major financial institutions like credit agencies have significant incentives to keep the data safe, he said.

“Reputational damage as a result of these kinds of attacks is tremendous, let alone other kind of maybe regulatory sort of penalties as well as some legal costs associated with it. So they don’t want that reputational damage.”

Chicago-based TransUnion continues to look for ways to strengthen its defences against unauthorized access of any kind, and supports customers in efforts to protect their data, Blumberg said.

Caller claimed woman’s SIN was used for a $100,000 fraud, drug trafficking

Read more

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!

Pin It on Pinterest