The federal government yesterday introduced much-needed identity theft legislation.  Bill C-27 includes several important provisions focusing on identity theft such as trafficking in documents and identity information.  Key provisions include:

• making, possessing, transferring, or selling "identity documents" of another person becomes an offence punishable with up to five years in jail.  This is subject to exceptions such as good faith, genealogical purposes, consent of the person, or law enforcement purposes.  Identity documents include SIN cards, driver's license, health insurance card, birth certificate, passport, or citizenship document.
• knowlingly obtaining or possessing another person's "identity information" with the inference that the intent is to commit a crime such as fraud.  Moreover, it is an offence to transmit, make available, distribute, sell or offer to sell such information knowing that it will be used to commit an offence.  Identity information includes any information commonly used to identify a person.  Examples in the legislation include fingerprint, voiceprint, retina or iris image, DNA profile, name, address, date of birth, written, electronic or digital signature, user name, credit or debit card number, bank account number, passport, SIN, health insurance number, driver's license, or password.  The penalty for these offences is up to five years in jail.
• identity fraud, namely fraudulently impersonating another person with the intent for personal gain.
• fraudulent use or possession of credit card data is added to the Criminal Code as is a provision for up to 10 years in jail for knowingly possessing, importing or exporting devices that can be used to fraudulently copy credit card data.
• theft or redirection of postal mail
• using forged documents as if they were genuine, selling/making available forged documents, possessing forged documents with the intent to sell carries a penalty of up to ten years in jail.  Dealing in devices used to create forged documents brings a possible penalty of 14 years in jail.
• up to five years in jail for falsely representing oneself as a peace office or public officer.

This is good and long overdue legislation.  It is not a complete solution, however.  While penalties for identity theft are needed, Canada also needs to take steps to allow Canadians to self-protect against identity theft, to create incentives for companies to safeguard personal information against the prospect of identity theft, and to address some of the activities used to facilitate identity theft.  There are two obvious issues that should be addressed.  First, anti-spam legislation, which would include phishing and spyware, is similarly long overdue.  Second, Canada needs a mandatory security breach notification law so that Canadians are advised when their personal information may be at heightened risk for identity theft.