Tighten credit-card information rules: consumers group

The Consumers' Association of Canada wants the federal government to move in at least three areas to protect consumers' credit-card information, president Bruce Cran says.

The group made a presentation to Parliament's ethics committee Thursday, just two days after several Canadian banks said that theyhave issued thousands of new credit cards, along with warnings that the old ones may have been used fraudulently.

"During this process, there was likely a lot of personal information from consumers that was scalped off the records. We're concerned about that," Cran told CBC Newsworld.

The ethics committee is reviewing the Personal Information Protection and Electronic Documents Act, designed to protect personal information.

Cran said the associationwants the government to make changes to:

• Limitthe credit information stores can collect or give out.
• Keep the information collected in Canada.
• Give the privacy commissioner the power to punish companies when information is released.

It's "an absolute essential" that there are limits on the collection of information, he told CBC's Newsworld.

Once the information leaves the country, "we have no idea what happens to it," he said, as in the recent case of the U.S. parent company of Canadian retailers Winners and HomeSense, whichrevealed in January that millions of credit-card accounts may have been compromisedby hackers.

Some customers who received the new credit cards issued by the banks said they were told the cancellations of their old cards were linked to that security breach, although the retailers said no Canadian information was compromised.

The privacy commissioner, a federal employee, needs the power to make companies pay when information is disclosed, Cran said, and the penalty should increase with repeated violations.

"We've got some repeat offenders here and repeat offenders should be dealt with more severely," he said, without naming names.

Cran said the newly issued creditcards, and the security breach at TJX, the parent of Winners and HomeSense, point to the extent of the problem.

"I think it's a very big wake-up call."

Banks reluctant to speak of potential breach: Cran

He said banks are often reluctant to tell cardholders about a potential breach of security, and have reasons for their silence, but "I think the interests of consumers and assuaging their anxiety should come first."

The new cards may be good for consumers, but "it's certainly good for the banks because the banks are responsible for the financial losses that are incurred."

The banks told the association that they were kept in the dark by the retailers, which Cran foundsurprising, he said.

The recall of cards by the Bank of Montreal was "massive," although the bank has not revealed the extent. The Canadian Imperial Bank of Commerce and credit unions have also recalled cards.

"This type of thing could happen again tomorrow afternoon and maybe it will," Cran said.

The University of Ottawa's Canadian Internet Policy and Public Interest Clinic produced a report in 2006on retailers' compliance with the federal requirement toprotect personal information thatconcluded there was"widespread non-compliance."

Compliance with Canadian Data Protection Laws: Are retailers measuring up? looked at 136 online and offline retailers.