Bank leaves computer logged on in public area; customer obtains sensitive personal account information without password

PIPEDA Case Summary #2003-177

[Principle 4.7, Schedule 1]

Complaint

A customer complained that a bank had failed to institute appropriate safeguards to protect her personal information at an in-store kiosk branch.

Summary of Investigation

While waiting for service at a bank's kiosk branch in a supermarket, the complainant had noticed a computer terminal in an open area. Seeing a live monitor and assuming that the computer was for use by the public to obtain general banking information, she keyed in her name and address as prompted. The computer responded by displaying a screen of information pertaining to her accounts with the bank, including credit card numbers, limits, and balances. Since she had not been asked for any password or user ID, she was concerned that anyone knowing her name and address could just as easily have obtained the same sensitive personal information about her, possibly for improper purposes such as identity theft. She was further disenchanted with security procedures when the branch's on-duty employee later allowed her to see him entering his password, which she said appeared on screen in clear text, as he logged on to another computer.

The location was a typical kiosk branch of the bank, comprising an ABM for public use, an enclosed business office containing a computer terminal for employee use only, and one other computer terminal situated in an open area but also intended for employee use only, although no sign was posted to that effect. Two employees were working at the branch on the day in question, but one was away at the time of the incident, and the other was busy with another customer in the enclosed office.

The bank explained the incident as a simple case of employee error. The last employee to use the open-area computer terminal had neglected to log off before leaving it unattended. Such neglect constituted an infraction of the bank's own security policy and procedures. Specifically, there was an instruction in the security manual to the effect that computers should be logged off when not in use.

In response to the complaint, the bank took two main remedial measures. Firstly, it undertook to raise employee awareness by various means, notably by sending advisories to employees in in-store offices, maintaining a message on its intranet site, and including some formal guidelines in the training manuals for new hires. Secondly, the bank installed a new computer system with a built-in security feature - a password-protected screen-saver that activates automatically if the keyboard remains untouched for 15 minutes.

As for the complainant's allegation that she had been able to recognize clear-text characters in the bank employee's password, the bank advised that, with the computer system in use at the time of the incident, passwords had appeared on screen in the form of symbols, not recognizable clear-text characters. The bank suggested that the complainant either had mistaken the employee's user ID or other log-on information for his password or had recognized clear-text characters from the keyboard rather than from the computer screen. The complainant took the position that, regardless of how she had recognized the characters, bank employees logging on to computers should not allow customers to see either the computer screen or the keyboard.

Commissioner's Findings

Issued June 5, 2003

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because the bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information.

The Commissioner began by noting that, by its very practice of installing in open areas of its kiosk branches business computers that were often left unattended, the bank had created a considerable risk of unauthorized access to customers' sensitive personal information. The question he had to consider was whether the bank had instituted appropriate safeguards to mitigate this risk and protect the information in question. He determined as follows:

• At the time of the incident, the primary safeguard upon which the bank relied to protect the complainant's sensitive account information was an instruction in a security manual to the effect that employees should log off when about to leave a computer unattended.
• A bank employee's simple neglect to follow this instruction in fact resulted in unauthorized access by the complainant to sensitive personal information. Though it was her own information that she inadvertently obtained, she had not been authorized to use the means by which she obtained it.
• Although no improper disclosure to a third party actually occurred, the same neglect by the employee to follow the instruction had also created a significant potential for such disclosure.

It was plain that in the circumstances the safeguard upon which the bank relied was neither effective nor appropriate for protecting the complainant's sensitive personal information. The Commissioner found therefore that the bank had been clearly in contravention of Principle 4.7.

He also considered the question whether the bank, through its subsequent remedial measures, had succeeded in bringing itself into compliance. In practical terms, would the complainant's original experience be likely to prove substantially different with the safeguards now in place at the kiosk branch?

Regarding the automatic shutoff, the Commissioner noted that this measure, though undoubtedly representing an improvement of sorts, would not in itself prevent access during the 15-minute delay and therefore could not be said to be an adequate safeguard to protect sensitive personal information. In his view, any period of time during which a computer was left on and unattended - whether 15 minutes or one minute - remained an ample window of opportunity for unauthorized access to information. What was needed was a safeguard that would protect sensitive personal information at all times, not one that would kick in after 15 minutes.

Regarding the second remedial measure, the Commissioner noted that an employee having knowledge of the rule had neglected for reasons unknown to follow it in the circumstances. He doubted whether any other employee, no matter how frequently or strongly reminded of the rule, would be any less subject to the circumstances of the moment or any less susceptible to whatever factors influenced the original neglect. Taking the human factor into account, the Commissioner was not persuaded that a reinforced instruction that employees should log off their computers was likely to prove any more effective than the original. It seemed far more likely to him that reliance on the new automatic 15-minute cutoff would incline employees toward complacency and diminish their incentive to follow the rule of logging off manually.

In sum, it was the Commissioner's view that, despite the remedial measures taken, there remained at the location in question and at other kiosk branches of the bank an unacceptable potential for unauthorized access to customers' sensitive personal information via computers placed in areas open to the public. He determined that the remedial measures taken by the bank in response to the complaint did not in themselves constitute appropriate safeguards. He found therefore that the bank remained in contravention of Principle 4.7.

He concluded that the complaint was well-founded.

Further Considerations

The Commissioner recommended that the bank

1. review its informational security policy and procedures specific to the operation of its kiosk branches and take appropriate measures to ensure that access to any computers whereby customers' personal information may be obtained is restricted to authorized bank employees; and
2. take appropriate measures to ensure that customers are prevented from seeing passwords and other identifiers used by employees to log on to computers.