Montreal, December 14, 2020 -- Desjardins has received and reviewed the report from the Office of the Privacy Commissioner of Canada (OPC), as well as the orders from the Commission d'accès à l'information du Québec (CAI) and the Autorité des marchés financiers (AMF) following the privacy breach that was announced in June 2019. Desjardins cooperated fully with the regulatory authorities throughout the entire process, and over the last year it has developed strategies that are in line with their recommendations. These strategies have already been implemented or are being implemented right now.
The privacy commissioners have acknowledged Desjardins's efforts, highlighting several of the initiatives that have already been put into place. The AMF stated that the measures implemented so far are a clear improvement and show that Desjardins wants to maintain the trust of its members and clients. The AMF also emphasized that Desjardins's solvency, capital base, liquidity and profitability are not being called into question.
The privacy commissioners state that the breach affected 9.7 million individuals. This number corresponds to the number of active and inactive files that the ill-intentioned ex-employee had access to within Desjardins's banking systems. These files belonged to individuals who at that time were caisse members or who were clients with a credit card or in-store financing, as well as former members and clients with those financing products, as announced in December 2019. Subsidiary databases were not affected. The information held by Desjardins suggests that the personal information of 4.2 million banking members who had active accounts at the time may have been disclosed to a third party. There is nothing that confirms that the ex-employee shared anyone else's personal information with third parties. Desjardins began offering protection to all of these individuals in December 2019.
Desjardins's actions in response to the report from the Office of the Privacy Commissioner of Canada and the order from the Commission d'accès à l'information du Québec
Desjardins has made great strides in information security over the past 18 months and will continue to apply international best practices.
Over the next few years, Desjardins will continue to work with other partners to create a digital identity platform for Canadians. This will allow information to be shared more securely and give people more control over their own information.
Actions taken by Desjardins regarding security
To prevent and detect data breaches, organizations need a wide range of personnel, technical and procedural security measures in place. The entire security program as a whole--including people, processes and technology--is what helps protect organizations from fraud and information security threats.
That's why, as soon as the situation came to light in May 2019, Desjardins stepped up its efforts to create one of the most secure environments of any financial institution. It also stepped up the pace of implementing personal information protection measure initiatives that were already underway, including:
- The Desjardins Group Security Office was created in December 2019.
- It has an investment budget of more than $150 million, which will increase to more than $250 million in 2021--a testament to the importance that Desjardins places on security and personal information protection.
- The office brings together nearly 900 experts in cybersecurity, fraud prevention, personal information protection, anti-money laundering and financial crimes, from teams across four executive divisions.
- One of its mandates is to keep implementing best practices to protect personal information and enhance information security.
- A Chief Data Officer was appointed to oversee information security, data security and data warehousing best practices.
- Work to review data retention timeframes was accelerated based on the applicable regulations.
- New custom data monitoring products were developed in partnership with local businesses.
- A new restricted analysis environment was created that governs, limits and monitors data use and extraction.
- The data protection program was enhanced, and a data loss prevention solution was implemented.
- Policies and guidelines regarding the security and use of confidential data were reviewed to reflect best practices.
A security intelligence centre to be created
Desjardins has also announced that the Desjardins Fusion Centre will be up and running in early 2021. This new security intelligence centre will provide fast and efficient protection for members and clients. It will focus primarily on prevention, detection and incident management. The Fusion Centre will be integrated with the Desjardins Group Security Office and will bring together experts in cybersecurity, fraud prevention, personal information protection and anti-money laundering and financial crimes. It will take action whenever specialists from at least two of these fields are required, and artificial intelligence will feature prominently. The Fusion Centre's creation reflects the increasingly pivotal role that data analysis plays in preventing and detecting security incidents and financial crime. This will make Desjardins one of the first organizations in Canada to fully integrate all areas of its security management.
Desjardins's actions in response to the order from the Autorité des marchés financiers
Since June 2019, Desjardins has responded positively to the AMF's requests, beginning by working on obtaining a full and detailed report of the situation. External firms helped determine everything that needed to be done to keep strengthening Desjardins's governance and risk management practices.
In December 2019, while Desjardins continued to build more effective defences against both internal and external threats, it also formed a special committee comprised only of independent members of its board of directors. This special committee was created at the request of the AMF and was tasked with supervising the management of the privacy breach. It will remain in place to oversee the rollout of subsequent measures. The board also enhanced its group profile by adding four new external directors, two of whom have strong backgrounds in information technology and cybersecurity.
Desjardins members and clients are protected
Desjardins Identity Protection remains one of the best available protection programs in Canada. The Office of the Privacy Commissioner of Canada has stated that Desjardins Identity Protection provides substantially better protection than what has been offered by other organizations after major breaches. All Desjardins members and clients benefit from the four components of Desjardins Identity Protection:
- Protection: Accounts and assets at Desjardins are fully protected against unauthorized transactions.
- Support: If a member or client's identity is stolen, Desjardins can provide individual support through every step of the identity recovery process.
- Reimbursement: Members and clients may be reimbursed up to $50,000 for expenses they incur to recover their identity, such as notary or attorney's fees and lost wages.
- Monitoring: Members and clients can sign up for five years of Equifax credit monitoring free of charge. This service includes daily access to credit scores on Equifax's website, as well as credit report monitoring and alerts of key changes.
Former members, as well as former clients who had a credit card or in-store financing, can also get free Equifax credit monitoring upon request, which includes credit report monitoring, identity theft assistance and insurance to cover some expenses.
By November 30, 2020, 1.9 million people had signed up for the Equifax monitoring service. By that same date, 1.4 million people had used the TransUnion Credit Score feature on AccèsD to check their credit report. Eligible individuals can request their activation code for the Equifax credit monitoring paid for by Desjardins by visiting www.desjardins.com/desjardins-identity-protection. The deadline is December 31, 2022.
Caution concerning forward-looking statements
Certain statements made in this press release may be forward-looking. By their very nature, forward-looking statements involve assumptions, uncertainties and inherent risks, both general and specific. It is therefore possible that, due to many factors, the assumptions made may be incorrect, or the predictions, forecasts or other forward-looking statements, as well as Desjardins Group's objectives and priorities, may not materialize or may prove to be inaccurate and that actual results may differ. Various factors that are beyond Desjardins Group's control, and whose impacts are therefore difficult to predict, could influence, individually or collectively, the accuracy of the forward-looking statements in this press release. Additional information on these and other factors are available under the risk management section of Desjardins Group's 2019 annual MD&A report. Although Desjardins Group believes that the expectations expressed in these forward-looking statements are reasonable and based on a solid foundation, it cannot guarantee that these expectations will materialize or be proven correct. If Desjardins Group does not comply with the order from the Autorité des marchés financiers or the order from the Commission d'accès à l'information du Québec, Desjardins Group may be subject to the measures set out in applicable legislation, including penal or administrative sanctions. Desjardins Group cautions readers against placing undue reliance on these forward-looking statements when making decisions since actual results, conditions, actions or future events could differ significantly from the targets, expectations, estimates or intentions advanced in them, either explicitly or implicitly. Desjardins Group does not undertake to update any verbal or written forward-looking statements that may be made from time to time by or on behalf of Desjardins Group, except as required under applicable securities legislation.