Summary

  • Desjardins matters because the public record describes a financial institution where sensitive member information was copied through work pathways that were legitimate in appearance but unsafe in design.
  • The Office of the Privacy Commissioner of Canada said the breach ultimately affected close to 9.7 million individuals in Canada and abroad, and Desjardins' first public statement said the original discovery involved more than 2.9 million members whose information had been shared outside the organization.
  • The accountability question is who had practical control over employee access rights, shared-drive workflows, data-minimization boundaries, monitoring, removable-media exposure, member notice, remediation cost, and proof that the same type of copying could not recur.
  • Desjardins responded with credit monitoring, identity protection, regulator commitments, public financial provisions, and a class-action settlement process; those actions were necessary, but they did not replace the need for evidence that the access-governance conditions changed.
  • This article treats Desjardins notices, the Canadian privacy commissioner's findings, Desjardins financial reports, settlement records, privacy law, OSFI guidance, and security-governance frameworks as public evidence. It does not claim access to private police files, complete employee logs, individual member loss records, or every later internal audit artifact.

Why this case belongs in a risk and accountability file

Desjardins belongs in a risk and accountability file because the breach was not a conventional outside intrusion narrative. The public evidence describes an employee-linked extraction of financial identity records from an institution whose members had no practical way to inspect access design or retention practice. Desjardins' June 20, 2019 public statement at https://www.newswire.ca/news-releases/desjardins-statement-concerning-unauthorized-access-to-some-member-information-806079260.html said Laval police had contacted Desjardins with information confirming that personal information of more than 2.9 million members had been shared outside the organization, including 2.7 million individual members and 173,000 business members. The statement attributed the situation to unauthorized and illegal use of internal data by an employee who had been fired.

That first disclosure was already serious. The later regulatory record made it larger and more structurally important. The Office of the Privacy Commissioner of Canada's findings at https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2020/pipeda-2020-005/ said Desjardins notified the federal privacy office on May 27, 2019 of a breach of security safeguards that ultimately affected close to 9.7 million individuals in Canada and abroad. The compromised information included names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses, and transaction histories. The same report said Desjardins concluded that one employee had been exfiltrating personal information over at least 26 months.

The case belongs here because that evidence changes the problem from "an employee did something wrong" to "the organization had built a data environment where one employee could create mass identity risk." A financial institution cannot treat insider exposure as a surprise exception when sensitive information moves through data warehouses, marketing folders, workstations, and removable media. If the institution creates a workflow where employee roles can see, copy, aggregate, or export large quantities of member identity data, then access governance is a member-protection control. It is not an administrative preference.

The accountability question is direct: Who had practical control over employee access rights, data-minimization boundaries, monitoring, exfiltration detection, member notice, remediation cost, and proof that financial identity data could not be copied outside approved workflows? Desjardins leadership controlled governance, investment, and the priority of privacy controls. Business units controlled whether marketing and analysis workflows demanded broad identity files. Technology and security teams controlled access provisioning, shared-drive architecture, endpoint monitoring, logging, and removable-media controls.

Privacy and risk teams controlled retention policies, training, breach response, and regulator evidence. Members controlled almost none of that. They supplied identity information because financial life required it.

The case also fits data sovereignty and locality because the records were about Canadian and other individuals held by a Quebec-based cooperative financial institution under federal and provincial privacy oversight. It fits security automation because the control failure was partly about monitoring, automated data movement, and whether abnormal copying could be detected and stopped before it became a population-scale event. It fits public-sector continuity because financial identity records connect ordinary members to tax systems, credit systems, benefits, police reporting, and public regulatory confidence.

A private cooperative's breach can become a civic identity-risk problem when social insurance numbers, addresses, and transaction histories are involved.

The visible trigger was an employee, but the control system was broader

It is tempting to describe the Desjardins breach as an insider story and stop there. That would miss the core accountability issue. The Canadian privacy findings did identify a malicious employee and described copying of personal information from shared drives to a work computer and then onto USB keys. But the same report described business workflows that placed sensitive personal information into shared folders in the first place.

It said employees performed automated transfers of personal information from a credit data warehouse to user folders in a marketing department shared drive, and that other employees copied confidential personal information from a banking data warehouse to a shared drive. The malicious employee then copied information from those shared locations, including information he would not normally have had access to in the banking data warehouse.

That matters because the employee did not have to defeat an impenetrable system. The employee exploited a system that had already brought sensitive records into reachable work locations. In accountability terms, the organization had to explain why data that was sensitive enough to create long-tail identity risk was placed in broad or insufficiently protected operational locations. It also had to explain why the detection and prevention controls did not interrupt the copying over a long period.

The phrase "unauthorized and illegal use" is accurate as a trigger, but governance cannot end with the phrase. An insider can violate trust in any institution. The accountable question is whether the institution designed privileged workflows as if insider misuse was foreseeable. Financial institutions process social insurance numbers, names, addresses, dates of birth, account-related information, and transaction histories precisely because they support regulated credit and banking relationships.

That sensitivity creates a duty to limit who can see data, where it can be staged, how long it remains there, whether it can be copied to endpoints, whether removable storage is blocked, and whether unusual movement produces alerts.

Desjardins' public statement and the privacy commissioner's findings should therefore be read together. The public statement at the start gave members a trigger and an immediate assurance path. The regulator record gave the control anatomy. A member who reads only the first statement might imagine a rogue employee with unusual access. A reader of the regulator record sees a broader governance issue: access rights, shared-drive design, data transfer practice, retention, employee training, monitoring, and post-breach mitigation.

This is the difference between liability narration and control narration. Liability narration looks for the person who violated policy. Control narration asks why the policy and technology environment allowed the violation to scale. Both matter. The employee's conduct was central to the incident, but members needed evidence that Desjardins changed the conditions that let the conduct matter at such scale.

Data minimization was not an abstract privacy principle

Data minimization is often treated as legal language. In this case it was a practical security boundary. A financial institution can only lose or leak what it collects, retains, copies, stages, and makes reachable. The Canadian privacy findings said the age of some compromised information led the OPC to review Desjardins' data destruction practices. The report found contraventions related to accountability, retention periods, and security safeguards.

It also stated that Desjardins did not have procedures in place to destroy personal information at the end of its lifecycle and was still unable, months after the incident, to determine the retention period for compromised inactive accounts.

That is a decisive accountability point. Retention policy is not a records-management side issue when the records include identity information that can be used for fraud years later. Social insurance numbers and dates of birth do not become harmless because an account is inactive. Addresses, phone numbers, email addresses, and transaction histories can be used to build convincing impersonation attempts. The longer information remains in accessible systems after its purpose has ended, the larger the breach surface becomes.

The Personal Information Protection and Electronic Documents Act at https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html provides the federal privacy-law frame for private-sector personal information handling in Canada. The Desjardins findings applied that law's accountability, safeguards, and retention principles to the breach. The important practical lesson is that privacy law and security engineering meet inside lifecycle controls. If data is no longer necessary, it should not remain available to be copied from a shared location. If a marketing workflow needs an aggregate analysis, it should not automatically receive full identity records unless the use case demands it and safeguards match the risk. If a user folder holds sensitive extracts, that folder is not a convenience cache; it is a regulated data store.

Data minimization also changes the cost model. After a breach, an institution may pay for credit monitoring, identity protection, communications, legal process, external audit, and operational repair. Desjardins' second-quarter 2019 financial report at https://www.desjardins.com/ressources/pdf/d50-rapport-trimestriel-mcd-2019-2-e.pdf?resver=1565631033000 recognized significant expenses and provisions for protections after the privacy breach. Its 2019 annual report at https://www.desjardins.com/ressources/pdf/d50-rapport-annuel-mcd-2019-t4-e.pdf?resVer=1583954841000 and related financial statements at https://www.desjardins.com/ressources/pdf/d50-etat-financier-mcd-2019-e.pdf?resVer=1583166109000 tied the breach response to material financial cost. Those costs show why minimization is not merely a compliance preference. Excess retained data becomes a funded liability when controls fail.

The accountable repair test is therefore not "did the institution write a retention policy?" It is "can the institution prove that old and unnecessary sensitive information is no longer reachable by ordinary employees, shared folders, laptops, analytics workflows, or removable media?" A policy without destruction evidence is a promise. A deletion procedure without monitoring is a hope. Members needed proof that data minimization became operational.

Access governance failed where business convenience met sensitive records

Access governance is the heart of the case. In many financial organizations, business teams legitimately need data for product management, marketing, risk modeling, fraud prevention, operations, reporting, and service improvement. Those needs can be real. But the fact that a use is legitimate does not mean every record should be copied to broad work areas. The privacy findings described sensitive information moving from data warehouses into shared drives and user folders, where the malicious employee could copy it even when he would not normally have had access to the original banking warehouse.

That is a classic access-governance inversion: a protected source can become less protected after a business extract.

The accountability issue is not that marketing departments should never use member data. It is that access should follow need, purpose, sensitivity, and traceability at every stage. If an extract leaves a warehouse, it should inherit controls. If a user folder receives sensitive data, its permissions should be narrow, its use should be logged, its retention should be short, and its export paths should be controlled. If a shared drive is used as an intermediate workspace, it should not become a long-lived shadow data warehouse.

If identity fields are not required, they should be removed or tokenized before the extract leaves controlled systems.

Security automation is relevant because manual policy cannot watch every copy. A mature environment would look for unusual transfers, repeated export of sensitive columns, copying from shared drives to endpoints, removable-storage use, and access patterns inconsistent with role or purpose. It would also classify files by sensitivity so that a spreadsheet or data extract containing social insurance numbers and transaction histories is handled differently from ordinary business content. Endpoint controls should make it difficult to copy regulated financial identity data to USB devices without approval and logging.

Data loss prevention tools can be imperfect, but the absence or weakness of such monitoring changes the burden to members who cannot protect themselves from internal export.

OSFI's technology and cyber risk management guidance at https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/technology-cyber-risk-management is not a retroactive finding about Desjardins' 2019 controls. It is useful because it expresses the modern financial-sector expectation that technology and cyber risk be governed, managed, monitored, and made resilient in proportion to institutional risk. Insider data movement sits directly within that frame. It is not only a privacy event. It is an operational-risk event where people, process, technology, and data governance intersect.

The access-governance failure also had an institutional trust dimension. Desjardins is a cooperative financial group. Members are not just retail account holders in a distant system; they are part of a cooperative relationship that depends on trust, locality, and membership identity. A breach involving a trusted employee therefore strikes the social contract of the institution. The repair cannot be reduced to "the employee is gone." The institution has to show that member trust no longer depends on the assumption that every employee with convenient access will act correctly forever.

Detection delay changed the shape of accountability

Detection timing matters because identity data harm grows quietly. A stolen payment card can be replaced. A social insurance number and date of birth remain useful for future fraud, impersonation, and social engineering. The privacy findings said the employee-linked exfiltration occurred over at least 26 months. That long window is central to accountability because it suggests the control system did not notice or stop repeated copying of sensitive information over a period long enough for risk to compound.

The public record does not expose every monitoring log or internal alert available to Desjardins, so the article should not invent specifics. The evidence does support a narrower conclusion: the final detection and disclosure record showed that existing safeguards were not enough to prevent population-scale exposure. The OPC news release at https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/nr-c_201214/ described a combination of administrative and technological weaknesses. The commissioner's statement at https://www.priv.gc.ca/en/opc-news/speeches-and-statements/2020/s-d_20201214/ said Desjardins did not demonstrate the appropriate level of attention required to protect sensitive personal information, while also noting that the organization responded well after learning of the breach.

Those two points should be kept together. A strong post-discovery response matters. It can reduce member harm, support regulators, fund remediation, and improve controls. But a strong response after external discovery does not erase a weak detection posture before discovery. For members, the relevant risk was not only whether Desjardins acted once police information arrived. It was whether Desjardins could detect abnormal copying without waiting for outside signals.

Detection is not one control. It includes access reviews, data classification, shared-folder scanning, endpoint telemetry, removable-media monitoring, privileged-user analytics, role-based exceptions, alert routing, and escalation rules. It also includes the authority to stop business processes that are too broad. If a department has built recurring extracts that place sensitive data in shared drives, detection has to ask why that pattern exists, whether it is approved, whether it is still needed, and whether sensitive fields can be suppressed. Monitoring that merely logs events without governance review is weak evidence.

The long window also changes member notice. If data may have left the institution over many months, members cannot know the exact future fraud risk. The institution has to communicate uncertainty honestly. It should identify the classes of information involved, who may be affected, what protective services are available, what law-enforcement and regulator processes are underway, and what the institution will do if identity theft later appears. Notice is not only a legal step. It is the transfer of actionable knowledge to people who did not control the breach.

Remediation cost showed that identity risk outlives the incident

Desjardins' remediation record is a useful part of the evidence file because it shows that the institution treated identity risk as long term. Desjardins Identity Protection at https://www.desjardins.com/en/security/desjardins-identity-protection.html describes fraud protection, identity theft support, reimbursement for identity restoration expenses, and credit monitoring features. Desjardins financial reports recognized costs and provisions associated with breach protections, and the 2019 federation annual report at https://www.desjardins.com/ressources/pdf/d50-rapport-annuel-fcdq-2019-t4-e.pdf?resVer=1583953623000 discussed expenses to implement Desjardins Identity Protection after the privacy breach.

That response matters because identity data is durable. Credit monitoring for a short period can help, but compromised identifiers may be used later. A member may face fraud attempts years after the event, especially if data is combined with other sources. Desjardins' offer of broader identity protection and reimbursement recognized that the harm model could outlast the news cycle.

The class-action settlement record adds another dimension. Desjardins' February 2022 settlement announcement at https://www.desjardins.com/en/news/desjardins-settlement-agreement.html said a settlement agreement had been concluded with plaintiffs in class actions connected to the privacy breach. The June 2022 announcement at https://www.desjardins.com/en/news/privacy-breach-settlement-agreement.html said the Superior Court of Quebec approved a settlement allowing a maximum amount of $200,852,500 to be paid as individual recovery to eligible individuals who filed claims. The settlement site at https://desjardinssettlement.com/ and class-counsel material at https://www.siskinds.com/class-action/desjardins-privacy-breach/ became part of the public remediation map.

Settlement is not the same as a technical finding. Desjardins did not need to admit every allegation in order to settle. But settlement is accountability evidence because it shows how breach cost moved from a control failure to member compensation, claims administration, legal release, and institutional expense. It also shows the limits of post-breach money. A member who receives compensation still has to live with the fact that identity data cannot be recalled. The strongest repair is prevention and verifiable control improvement, not only reimbursement after exposure.

The remediation file should therefore ask whether the money and services were matched by control evidence. Were access rights narrowed? Were shared-drive workflows redesigned? Were sensitive extracts classified and time-limited? Were USB controls strengthened? Were monitoring alerts improved? Were retention and destruction procedures implemented? Were external auditors asked to certify the right things? Were regulator progress reports meaningful enough to prove change? The public privacy record says Desjardins agreed to recommendations and external audit reporting. Members still needed the practical assurance that the old paths were closed.

Regulator recommendations converted the case into an evidence test

The Canadian privacy findings are valuable because they did not frame the breach as a mystery. They identified weaknesses and made recommendations. The OPC said Desjardins agreed to improve its personal information protection and information security programs, provide progress reports every six months, engage external auditors, and submit assessment reports. The OPC news release also said Desjardins had agreed to recommendations related to data destruction practices and program improvement.

That is the accountability pivot. A regulator recommendation is not just a reprimand. It creates an evidence standard. Desjardins had to demonstrate that controls were implemented, that external auditors examined relevant programs, and that residual risks were identified. The OPC's findings listed assessment topics such as governance, resources, platforms used to store personal information, sensitivity of information stored in each location, safeguards, retention, destruction, de-identification, and residual risk.

Those are the right categories because the breach crossed data storage, access, endpoint, retention, and governance boundaries.

The Office of the Privacy Commissioner's breach guidance for businesses at https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/ is useful control vocabulary for response and recordkeeping. It reinforces that organizations must assess real risk of significant harm, report certain breaches, notify affected individuals, keep records, and take steps to reduce harm. In the Desjardins case, the challenge was not merely to meet notice mechanics. It was to prove that safeguards became appropriate to the sensitivity and scale of the data.

NIST's Cybersecurity Framework at https://www.nist.gov/cyberframework and CISA's secure-by-design material at https://www.cisa.gov/resources-tools/resources/secure-by-design are broader references, not Desjardins-specific findings. They are still relevant because they express the control loop this incident exposed. Identify sensitive data and business processes. Protect access and limit movement. Detect abnormal copying. Respond with clear notice and remediation. Recover trust through tested repair. Govern the whole system through named responsibility and evidence. Desjardins' case touched every part of that loop.

The public-sector continuity element appears here. Privacy regulators, police, courts, financial supervisors, credit bureaus, identity-theft responders, and class-action administrators all became part of the response ecosystem. A large financial identity breach does not remain inside the enterprise boundary. Public institutions have to absorb complaints, investigations, fraud reporting, legal process, and public-confidence work. The institution that collected the data controls the first-order safeguards; the public sector helps carry the second-order consequences.

Evidence boundaries should stay visible

The public record supports strong findings, but it has limits. It supports that Desjardins disclosed an employee-linked sharing of member information outside the organization, that the breach ultimately affected close to 9.7 million individuals according to the federal privacy findings, that sensitive data classes included names, dates of birth, social insurance numbers, addresses, contact information, and transaction histories, and that the OPC found failures related to accountability, retention, and safeguards. It supports that Desjardins funded identity-protection measures and later entered a court-approved settlement process.

The public record does not support claiming that every affected individual suffered identity theft. It does not prove the exact downstream use of every record. It does not expose all police evidence, all employee workstation logs, all USB events, all internal access reviews, all regulator submissions, or every external-audit artifact. It does not support speculation about every Desjardins employee or department. A serious accountability file has to keep those boundaries visible because overclaiming weakens the analysis.

The correct conclusion is narrower and stronger: a financial institution that holds durable identity data must not let ordinary work pathways become bulk-export paths. Insider misuse is foreseeable. Shared drives are foreseeable. Removable media is foreseeable. Data extracts for marketing or analysis are foreseeable. Retention drift is foreseeable. The accountability standard is not perfect knowledge of every future employee. It is evidence that the system limits what one role can copy, detects unusual movement, retains only what is needed, and gives affected people meaningful protection when controls fail.

The case also should not be used to claim that financial institutions can eliminate all insider risk. They cannot. Banks, credit unions, insurers, and payment firms need employees and contractors to handle sensitive information for legitimate reasons. The realistic standard is proportional control. Highly sensitive data should require stronger permissions, narrower fields, purpose binding, audit trails, segmentation, endpoint safeguards, and retention discipline. The more durable the identifier, the less tolerance there should be for casual copies.

The distinction matters for fairness. Desjardins' public response included member protection and cooperation with regulators. That response belongs in the record. It does not negate the control failures. The accountability file should evaluate both: the institution's post-discovery repair and the pre-discovery conditions that let the breach scale.

What verifiable repair would require

The durable repair test for Desjardins begins with access rights. Every recurring transfer of sensitive personal information from a controlled warehouse to a user folder, shared drive, analytics workspace, or endpoint should have a named business purpose, data owner approval, field minimization, retention limit, logging, and review date. If the purpose can be met with aggregated or tokenized data, identity fields should not travel. If identity fields must travel, the receiving location should be treated as a high-risk data store, not an ordinary department folder.

The second test is lifecycle control. Desjardins needed to know what personal information it held, why it held it, where it was stored, how long it should remain, and how it would be destroyed or de-identified when no longer needed. This is not easy in a large cooperative financial group with legacy systems, data warehouses, member products, insurance activities, cards, business clients, and analytics functions. Difficulty is exactly why the control must be governed. A retention schedule that cannot be mapped to actual repositories is not enough.

The third test is data movement detection. A modern financial institution should generate evidence when sensitive data is copied in volume, moved to a shared folder, downloaded to a workstation, written to removable media, compressed, emailed externally, or accessed outside normal role patterns. Alerts should route to people with authority to investigate. Exceptions should expire. Repeated business processes that create large sensitive extracts should be reviewed by privacy, security, and the data owner, not normalized because they have always existed.

The fourth test is endpoint and removable-media control. The public findings described copying from a shared drive to a work computer and then onto USB keys. The accountable response should prove that high-risk personal information cannot be casually exported to removable media, or that any approved export is strongly controlled, logged, encrypted, time-limited, and tied to a legitimate work ticket. Controls should also cover printing, email forwarding, cloud sync, personal devices, and other practical exfiltration paths.

The fifth test is member-facing mitigation. Identity-protection services, reimbursement, fraud support, credit monitoring, and compensation can reduce harm, but they should be connected to a clear explanation of data classes and future risk. Members should not have to parse legal documents to know what happened, what they should watch for, and what help remains available if identity theft appears later.

The sixth test is external evidence. When a regulator requires progress reports and external audits, the evidence should be specific enough to show that access governance changed. A generic statement that policies improved does not answer the breach. The evidence should show data inventory progress, access-role cleanup, shared-drive reduction, retention implementation, monitoring metrics, incident-response improvements, and unresolved residual risks. Regulators may not publish every detail, but the institution should be able to demonstrate the substance.

What other financial institutions should learn

The Desjardins case has a general lesson for financial institutions, credit unions, insurers, fintechs, and data processors: insider data exposure is not a rare category outside ordinary governance. It is the natural failure mode of broad access, unmanaged extracts, long retention, weak endpoint controls, and limited monitoring. A malicious employee can only create population-scale identity risk if the environment gives that employee a path to population-scale data.

Boards should ask for evidence, not comfort. How many employees can access raw identity fields? How many recurring extracts include social insurance numbers, dates of birth, addresses, or transaction histories? Where do those extracts land? How long do they remain? Can they be copied to laptops or removable media? Which alerts would fire if a user copied hundreds of thousands of records? Who reviews access rights for marketing, analytics, product, fraud, support, and operations roles? How quickly are exceptions removed? How is old member data destroyed? What independent test proves the answer?

Security teams should resist the narrow phrase "insider threat" if it becomes a way to individualize a design problem. Insider risk management is access governance, data classification, retention control, monitoring, endpoint design, training, investigation workflow, and business-process redesign. It is not a poster campaign asking employees to be trustworthy. Employees should be trained, but training cannot substitute for limiting the amount of sensitive data a single person can copy.

Privacy teams should treat data minimization as security architecture. When privacy records are kept too long or copied too broadly, the security team inherits a larger blast radius. When security monitoring ignores business extracts because they are formally authorized, the privacy team inherits an uncontrolled lifecycle. The two disciplines meet in the question of whether sensitive data exists where it should, for as long as it should, under controls that match its future harm.

Members and customers should ask institutions how identity data is protected after it leaves the original application. Many organizations have strong database access controls at the source but weaker controls around extracts, reports, shared drives, spreadsheets, and analytics sandboxes. The dangerous copy may not be the record in the core system. It may be the export created for convenience and forgotten.

The final accountability lesson is practical. Desjardins did not make insider access a governance test because an employee behaved badly. It made insider access a governance test because the public record showed that financial identity data could travel through ordinary work systems in a way that created mass risk. In a financial institution, member identity is infrastructure. It has to be governed with the same seriousness as money movement, because once identity data leaves the institution, the member carries the risk for years.

Cooperative trust made the proof burden higher

The cooperative structure of Desjardins makes the proof burden higher, not lower. A cooperative financial group can speak in the language of membership, local service, shared ownership, and community commitment. Those values are meaningful only if they are matched by evidence that member data is protected inside the institution. A member cannot participate meaningfully in data governance if the relevant controls are hidden in warehouses, shared drives, endpoint tools, and retention systems. The cooperative relationship therefore depends on institutional proof, not member assumption.

That proof should be readable at several levels. The board needs control evidence: data inventories, access reviews, monitoring metrics, destruction progress, audit findings, and residual risk. Regulators need enough detail to test whether recommendations were implemented rather than absorbed into general policy language. Members need plain notice about what data was involved, what protections continue, and how to get help. Employees need practical guardrails that make the approved path easier than the unsafe path.

Each audience needs a different surface, but all of them need the same underlying fact: sensitive identity data can no longer move through weakly governed work paths at mass scale.

This is also where public confidence becomes a continuity issue. Financial institutions are part of daily life. Payroll, loans, cards, tax records, retirement savings, small-business finance, insurance, and government interactions all depend on stable identity and trusted records. When a breach involves social insurance numbers and contact information, the repair burden extends beyond one institution's balance sheet. Banks, credit bureaus, police services, tax authorities, employers, and consumer help desks all become part of the harm-management environment.

That is why the article treats public-sector continuity as a controlled topic even though Desjardins is not a government agency. The breach touched identity infrastructure that public and private actors both rely on.

The most useful accountability conclusion is therefore not punitive rhetoric. It is an evidence rule. If an institution collects durable identity information, it must be able to prove where that information is, who can use it, why they can use it, how long it stays there, what happens when it moves, and what signal appears when it moves abnormally. If the institution cannot answer those questions before an incident, it will answer them afterward through notices, provisions, class actions, regulator findings, and member anxiety. Desjardins made that timing visible.