Credit card fraud victim questions bank's use of first-class mail as privacy safeguard

PIPEDA Case Summary #2002-43

[Principle 4.7, Schedule 1; section 2]

Complaint

An individual complained that his bank was inappropriately continuing to use first-class mail to deliver credit cards and personal identification numbers (PINs) to customers even after learning of a rash of fraud involving mail theft of such items. The complainant, who himself had been a victim of the fraud, suggested that delivery by registered mail would be a more appropriate safeguard for personal information of such sensitivity.

Summary of Investigation

An RCMP investigation concluded that the complainant had been among the victims of a rash of fraud ensuing from thefts of credit cards and PINs during mail delivery in certain postal-code areas of a province. By their first account, the RCMP suggested that a ring of fraudsters had been targeting Canada Post mail boxes and mail trucks. Later the RCMP became less certain of the point at which and method by which the mail had been intercepted. In the complainant's case, their latest account suggested that a thief or thieves might have obtained duplicate keys to residents' mail boxes at his condominium complex. In the end, the RCMP closed the investigation without reaching any specific conclusion about how the thefts and fraud had occurred.

The bank in question had a strict policy of demanding "due diligence" from its credit cardholders and of assuming, unless proven otherwise, that the individual was at fault for any compromised card or PIN. Pending the results of the RCMP investigation, the bank continued to hold the complainant liable for the charges in question and to press him for payment. The bank also notified two credit reporting agencies that he had not discharged the debt.

On receiving the RCMP's conclusion of fraud, the bank agreed that the complainant was not at fault, accepted its own liability for the fraud, restored the complainant's account to good standing, and corrected the derogatory history with the credit reporting agencies.

Even though he was satisfied with this outcome, the complainant pursued his complaint with the Office of the Privacy Commissioner out of concern that others not have to suffer similar violation of personal privacy and similar treatment from the bank. From the RCMP's original account, he had formed the impression that the use of first-class mail had been a significant contributing factor in the rash of theft and fraud and had thus been shown to be inadequate as a security safeguard for personal information. His aim was to have his bank and other credit card issuers change their standard industry practice of sending out cards and PINs by first-class mail. He suggested that delivery by registered mail (now known as Priority Post) would be a more appropriate safeguard for information of such sensitivity.

The bank disagreed, submitting five main arguments in support of its position:

1. The information at issue should not be considered personal information for purposes of the Personal Information Protection and Electronic Documents Act because (a) the PIN was generated by the bank using a proprietary algorithm and is thus not tied to information provided by the complainant and (b) PINs and credit cards are by convention the exclusive property of the bank.
2. Sending out credit cards and PINs by first-class mail is "common industry practice".
3. Owing to extra measures it takes to secure customers' personal information, the rate of fraudulent use of the credit cards the bank issues is at the lower end of the range of fraud among all issuers of the card in question.
4. The bank's policy is to assume liability for losses due to fraud.
5. Use of registered mail would increase the bank's mailing costs five-fold, and the increases would have to be passed on to the consumer through increased user fees or interest rates.

Commissioner's Findings

Issued April 4, 2002

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Section 2 defines personal information to be ". information about an identifiable individual." Principle 4.7, Schedule 1, states that an organization must protect personal information by security safeguards appropriate to the sensitivity of the information.

The Commissioner determined firstly that the information at issue was personal information for purposes of the Act, since it clearly identified individuals. He noted that the section 2 definition in effect obviates questions of ownership. No matter who might be said to own the complainant's credit card and PIN or how they were generated, they became his personal information simply on being assigned to him and put into envelopes addressed to him.

Regarding Principle 4.7, the Commissioner sympathized with the complainant and commended him for the manner in which he had pursued his complaint, but found no evidence conducive to a conclusion that the Act was being violated. He noted that not only did the RCMP's investigation into the matter remain inconclusive, but his own investigation had also been unable to establish that the complainant's predicament had been the result of the bank's use of first-class mail. He also noted that his Office had examined the industry practice and likewise found no evidence that the use of first-class mail was a factor in inappropriate disclosure of personal information. He determined that the facts afforded no grounds for concluding that first-class mail is not an adequate safeguard or that banks should not keep using it as their standard method of delivering credit cards and PINs.

Having no reason to find the bank to be in contravention of Principle 4.7, the Commissioner concluded that the complaint was not well-founded.

Further Considerations

1. As a result of press coverage, six other victims of the same rash of fraud had contacted the complainant, including two other customers of the bank in question. In presenting his findings, the Commissioner was pleased to confirm that the bank had likewise compensated other victims for their losses and reversed their negative credit reports. He commended the complainant for his kind concern for his fellow victims, which had proved instrumental in resolving their problems.
2. On concluding, the Commissioner commented as follows:

Nevertheless, I would caution [the bank] and the banking industry at large. My conclusion derives solely from the lack of solid evidence, and not from the bank's general representations, which I must say I did not find to be sufficiently persuasive. Should there arise in future another set of circumstances in which I was presented with evidence of the inadequacy of first-class mail as a privacy safeguard, that would be an entirely different matter.