Security of a bank's automated telephone service

PIPEDA Case Summary #2001-5

[Principle 4.7, Schedule 1]

Complaint

Citing several provisions of the Personal Information Protection and Electronic Documents Act, an individual complained that a bank was not taking adequate security measures to safeguard customers' information disclosed via its automated telephone service.

Summary of Investigation

The bank in question offers an automated telephone service for Visa customers who do not have other dealings with the bank. Users of this service cannot conduct transactions, but can gain limited access to their Visa account information by providing the 16-digit Visa account number and, at the random selection of the system, either the last four digits of the cardholder's home telephone number or the cardholder's year of birth.

Commissioner's Findings

Issued July 23, 2001

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

Application: Principle 4.7, Schedule 1, states that an organization must protect personal information by security safeguards appropriate to the sensitivity of the information.

On consideration, the Commissioner deemed the complainant's concern to be valid. He determined that a coding procedure relying so much upon a cardholder's telephone number or year of birth was not adequate to prevent unauthorized persons from gaining access to users' sensitive personal information. He found that the bank in question was not in compliance with Principle 4.7.

Nevertheless, the Commissioner noted that the bank had proposed and initiated a detailed three-phase action plan to address the security concerns raised in the complaint. He also noted both he and the complainant found all aspects of this plan satisfactory.

The Commissioner concluded therefore that the complaint was well-founded and resolved.

Further Considerations

The action plan proposed by the bank comprises three-phases as follows:

Immediate: All automated access to the complainant's Visa account is disabled, so that any unauthorized attempt to obtain the complainant's personal information will fail. The complainant himself will be able to access his account through an agent by reference to a preselected password.

Short-term: By October 31, 2001, the bank's Visa-only customers will be allowed to disable their automated telephone access upon request and likewise deal directly with an agent, if they so choose. This phase includes a communications strategy for informing the customers.

Long-term: The bank has agreed to implement a new telephone bank solution addressing the privacy and security concerns of customers within three years and to report on progress to the Privacy Commissioner no later than July 31, 2002.

The Commissioner has commented: "I am satisfied that the measures [the bank] has put in place to resolve the security safeguard issues identified . are acceptable."