Public Safety committee  Yes, it would. Banks, like any other organization that's governed under PIPEDA, the federal privacy legislation, are obligated in the event of a breach of their security safeguards to notify the Office of the Privacy Commissioner and any impacted individuals.

Public Safety committee  They are not wary of disclosing the fact that they've been attacked. It's a statutory obligation. In addition to that, because of the trust that the customers have placed in the bank, they want to make sure their customers are aware in the rare circumstance that there's been a cyber-attack.

Public Safety committee  The banking industry takes its responsibilities for protecting clients' information extremely seriously. We appreciate the trust that customers have put in us to protect their personal information. In terms of a strategy, the banks—in addition to protecting their own systems and infrastructure—are contributors to ensuring cyber-resiliency across Canada as well.

Public Safety committee  As I mentioned at the outset, banks take their responsibilities to protect the personal information of their clients very seriously. They do provide products and services to their clients to help ensure that their personal information remains safe. I can't speak to exactly the economic model you're referring to of charging extra for personal identification monitoring specifically.

Public Safety committee  Absolutely.

Public Safety committee  Thank you very much. Good afternoon. I would like to thank the committee for the opportunity to speak with you today about cybersecurity in the financial sector. My name is Charles Docherty. I am the assistant general counsel for the Canadian Bankers Association, or CBA. Joining me is my colleague Andrew Ross, director, payments and cybersecurity.