Introduction - The Canada Revenue Agency (CRA) and the Privacy Act

When taxpayers use the Canada Revenue Agency's (CRA) online services, they want assurance that the agency will handle their personal information with the utmost security measures and respect for privacy. All personal information collected by the CRA is governed by the Privacy Act. Under the Privacy Act, the CRA is obligated to inform taxpayers of the purpose for which their personal information is collected and their right to access the information (Privacy Act, subsection 5(2) and section 12). Pursuant to section 7 of the Privacy Act, the CRA is also obligated to detect and prevent unauthorized access or disclosure of personal information pertaining to taxpayers under its control and possession. However, the recent CRA shutdown of its online services after thousands of taxpayer accounts were breached in two different cyberattack incidents force us to question (1) the impact of these attacks on taxpayers, and, (2) CRA's obligation with respect to protecting taxpayers from threats and cyberattacks against its online services.

An overview of the August 2020 CRA Cyberattacks

In mid-August 2020, the CRA confirmed that it has been affected by two cyberattacks that compromised a total of 5,500 taxpayer accounts and 9,000 GC Key accounts linked to its services. In addition, over 900 social insurance numbers and fragments of data were also removed from CRA's system.

These cyberattacks are described by the CRA as "credential stuffing" schemes, in which case the hackers use stolen usernames and passwords from previous third-party data breaches in order to access the CRA accounts. According to the CRA, participants in these types of cyberattacks often take advantage of the fact that many Canadians use the same username and password for multiple accounts.

As a result, the CRA temporarily suspended its online services connected to My Account, My Business Account and Represent a Client as a safety measure for Canadian taxpayers. For additional safety measures and the security of taxpayers and their personal information, the CRA disabled access to all accounts that were targeted by the two cyberattacks. According to the CRA, it is mailing out letters to taxpayers who have been affected by these cyberattacks explaining how to confirm their identity with the agency in order to regain access and control to their accounts. Taxpayers whose accounts have been compromised can also contact the CRA, via telephone, and select the "report suspected fraud or identity theft" option to report any fraudulent activities.

According to the CRA, it is conducting an ongoing analysis of the two attacks. The Royal Canadian Mounted Police (RCMP) has also initiated an investigation into the cyberattacks. In addition, the Office of the Privacy Commissioner of Canada is monitoring fraudulent activities. However, no information has been released pertaining to the investigation of the cyberattacks by the CRA or the RCMP.

The CRA has expressed that if a taxpayer's account was compromised by the above mentioned cyber attacks and as a result, the taxpayer is unable to comply with their tax obligations pursuant to the Income Tax Act, the taxpayer may be eligible for taxpayer relief or any consequent interest or penalties. However, the CRA has discretion to determine the taxpayer's eligibility for taxpayer relief or any consequent interest or penalties.

The Concerns of Cyberattacks on Taxpayer Accounts

Cyberattacks on taxpayer accounts can create harmful consequences for taxpayers, the CRA, our economy and national security. Despite ongoing efforts of the CRA, the Royal Canadian Mounted Police and the Office of the Privacy Commissioner of Canada to combat fraudulent activities against their online services, cyberattacks against government institutions and their systems are evolving, and they can have devastating effects on taxpayers including, but not limited to, financial hardships and identity theft.

As previously mentioned, as a result of the two most recent cyberattacks, the CRA temporarily suspended access to its online services and disabled access to all targeted accounts as a safety measure for taxpayers and their personal information. However, this meant that taxpayers attempting to access CRA's online services to apply for the Canada Emergency Response Benefit or the Canada Emergency Student Benefit were unable to do so during the online service suspension. Some taxpayers whose accounts were targeted by the cyberattacks did not receive their expected monthly benefit payments and many of them are still awaiting written instructions from the CRA on how to regain access to their disabled accounts. This is problematic because lack of benefit payments could create financial burdens for taxpayers and their families. Other taxpayers whose accounts were also targeted by the cyberattacks confirmed receiving benefit payments from the CRA, which they did not apply for and are presently awaiting written instructions from the agency on how to return to the CRA the benefit payments received. This further demonstrates the obvious need for security systems that are focused on detecting external threats and advanced preventive measures. Temporarily suspending online services and disabling access to a taxpayer's account after the cyberattack occurred demonstrates the lack of detective and preventative safety measures in the current system.

As previously mentioned, over 900 social insurance numbers were also removed from CRA's system as a result of the cyberattacks. Removed and stolen social insurance numbers (SIN) could lead to fraudulent tax returns, damage to a taxpayer's credit and identity theft since the SIN is the key information required to obtain identification and therefore identity theft. In addition, taxpayers who were assigned a social insurance number that was removed from CRA's system as a result of the cyberattacks will likely have to rebuild their credit history and this could take years to reestablish. Unauthorized access to personal information and social insurance numbers is also problematic because no one has knowledge of when and how the hackers in possession of the information will attempt to use it. Consequently, unauthorized access to and the use of personal information can create stress on taxpayers for many years after the breach occurred. Cyberattacks can also lead to business financial loss arising from unauthorized access to and the misuse of corporate information including financial statements and credit card numbers.

CRA's decision to mail out letters to taxpayers whose accounts have been targeted by the cyberattacks explaining how to confirm their identity with the CRA and regain control of their accounts is problematic. Presently, Canada Post services are delayed due to the COVID-19 pandemic. Consequently, unprecedented delays in mail services could mean that taxpayers will have to wait longer to confirm their identity with the CRA in order to regain access to their online accounts. This could also mean that taxpayers who are affected by the cyberattacks may not receive or be able to apply to any government benefit payments before confirming their identity with the CRA. Further, this could create financial hardships for taxpayers especially those who are relying on government benefit payments to meet their financial obligations. The CRA should be more proactive to take the necessary steps to notify all taxpayers whose information and accounts have been impacted by these cyberattacks. Moreover, the CRA must implement effective safety measures that detect and prevent cyberattacks against its online services, as well as protect taxpayers from unauthorized access to and the misuse of personal information.

My Account, My Business Account and Represent a Client are used by millions of taxpayers who reasonably assume that the CRA will deal with their information with the utmost security and respect of privacy. In addition, the GC Key accounts are used by "approximately 30 federal departments" all of whom also trust that the CRA will restrict threats to their confidential information. Cyberattacks will lead to a decline in taxpayers' trust and confidence in CRA's current online services as well as online services offered through other government institutions. The CRA must be held accountable for protecting taxpayers from threats against its online services and implementing effective safety measures focused on the security of taxpayers and respect of their privacy. Further, the CRA should also use the two recent cyberattacks as opportunities to increase its proactive safety measures as well as prevent unauthorized access to and the misuse of information.

Taxpayers whose accounts have been targeted by the cyberattacks can submit their inquiries, concerns or complaints against the CRA and its administration of the Privacy Act may be directed to the Access to Information and Privacy Coordinator via mail, email or telephone. If the taxpayer is still not satisfied with CRA's response to their privacy concerns, they (the taxpayer) may escalate their concern or complain by contacting the Office of the Privacy Commissioner by telephone. Further, taxpayers who suffer actual damages as a result of the cyberattacks can sue the CRA in civil courts.

Taxpayers' Ability to Sue the CRA

Taxpayers who suffer actual damages as a result of the cyberattacks have the right to commence a lawsuit against the CRA for negligence and damages. Under the provisions of the Crown Liability Act, the federal government can be sued for negligence and damages resulting from the actions of its employees and officers. In order for CRA to be liable, the taxpayer must establish that the CRA owed a duty of care to the taxpayer, breached that duty of care, and caused the loss. In Ontario, the Proceedings Against the Crown Act govern the procedure for suing the CRA for damages. At least 60 days before commencing an action against the CRA, the taxpayer must serve on the Canadian tax lawyer representing the CRA a notice of the claim containing the relevant particulars.

Pro Tax Tips - Cyberattacks against Taxpayers Accounts

Under the Privacy Act, the CRA has an obligation to detect and prevent unauthorized access and the misuse of any information that is in its control and possession. If you suspect that you might be a victim of the recent cyberattacks against the CRA accounts or if you have concerns with how the CRA is handling your personal information and or administering the Privacy Act, please contact our Canadian tax law office to speak with one of our experienced Certified Specialist in Taxation Canadian tax lawyers.