To answer your question "why only Quebec", it seems it's a law in response to the major data breach of Groupe Desjardins in 2019.

So basically, a law written in "blood".

It's amazing our system for identity theft is "discover incident yourself, prove there's damage, get a police report, then we'll think about giving you a new SIN but it restarts your credit history"

In today's day and age the SIN should be morning more than a unique identifier for your identity, and should only be trusted when accompanied by a unique SIN authorization token:

1. You have a new job or tax situation, or need proof of eligibility to work in Canada, or need to satisfy KYC for a bank or financial institution.
2. You visit Service Canada or the CRA and revalidate your identity, then you may request a new Social Insurance Authorization Token.
3. You provide the unique token and your SIN number to the employer/bank/etc.
4. The bank or company verifies the token and your identity with Service Canada. A stolen SIN no longer proves authorization, it simply identifies you.
5. All tax forms from that institution, and all banking details must be submitted with the SIN and token.

This would not prevent a SIN + token pair from leaking, but they could only be abused within one institution, which is generally the same surface area as however your token leaked in the first place. Plus the source of the leak becomes immediately clear.

If there is a leak, you can report it and reauthorize a new token for whatever you need.

You could go further with this concept to improve it by adding a handshake with org level certificates and keys required to verify a token.

For situations where one company must verify your identity to another (e.g. an employee wants to submit your info for insurance purposes, or a bank wants to work with a partner bank), this is where a business entity level key could come into play. It wouldn't be sufficient for the original auth token to propagate to the partner because that increases exposure during a leak.