Daughter racks up long-distance charges; mom blames phone company

PIPEDA Case Summary #2003-254

[Principles 4.7 and 4.7.2 of Schedule 1]

Complaint

An individual made two allegations against a telecommunications company:

1. that it disclosed her long-distance calling card personal identification number (PIN) to her daughter, via her telephone's call display screen; and
2. that a company representative disclosed her subsequent PIN to her daughter over the telephone.

Summary of Investigation

After the complainant became aware that her daughter, who resides with her, was making numerous long-distance telephone calls from her home, she contacted the company for assistance in preventing her daughter from running up huge bills. (The complainant stated that although she had told the girl to stop, her daughter was ill and was unable to keep herself from making these calls.) While she was initially told that there was nothing the company could do, short of removing her long-distance service, she was later informed that a calling card, protected by a PIN, could help her.

When the complainant received another substantial long-distance bill, she found out that her daughter had obtained her PIN from the telephone's call display screen by pressing the "last number dialed" feature on the set. The complainant contacted the company but was not satisfied with its response.

The company stated that with respect to this particular feature, the data in question is collected, retained, and subsequently displayed by the telephone set, without the company's involvement. The type of telephone used by a subscriber, including its features and capabilities, is selected and operated by the user, and is beyond the company's control. The company does not sell telephone sets.

Following this incident, the complainant ensured that her PIN could not be obtained from the call display screen. She also changed the PIN several times. Nevertheless, her daughter, who found the calling card in the family kitchen, used it and obtained the PIN again — this time from one of the company's customer service representatives. The daughter stated that she dialed the calling card number and an automated attendant asked her to enter the PIN. Since she did not know it, a live operator came on the line and asked if she was trying to change her PIN or if she had forgotten it. The girl stated that she had forgotten it. The operator then asked for the cardholder's name, telephone number, and date of birth to verify that she was the cardholder. As the daughter was able to provide this information, and she was calling from the cardholder's residence, the representative gave her the complainant's PIN. The daughter was then able to make long-distance calls with the complainant's calling card.

The company has a process in place whereby customers can be reminded of their forgotten PINs. When the call originates from the billing telephone number, before concluding that the caller is the cardholder, the customer service representative is required to pose questions to the caller relating to information retained on the customer's profile. The questions will vary according to the circumstances, but generally relate to personal information that would likely be unknown to persons other than the customer. The PIN is only provided when the representative is reasonably satisfied as to the identity of the caller.

If the call does not originate from the billing number, the same types of questions are posed but the PIN is not provided to the caller at that time. Rather, it is left on the billing number's voicemail or the customer is requested to call back from the billing telephone at a later date.

The company's terms of service state that customers are responsible for paying for all calls originating from, or accepted at, their telephones, regardless of who made or accepted them. The company took the position that the customer is responsible for guarding against unauthorized access to telephone service on the customer's premises and for protecting personal and account information. The company was also of the view that it was unrealistic to expect that it accept responsibility for preventing impersonation when it has so little control over such activity.

The company added that a calling card is no different from any other type of debit card, and customers must be vigilant when using one. In cases where the customer knows the perpetrator, the company stated that the fraud was committed against the customer. The customer is not held responsible for payment if charges are laid against the perpetrator. In this instance, although the mother was willing to press charges, the police officer who took the report was not willing to do so.

The company stated that in cases where there exists heightened security or privacy concerns, account password protection is available. While it maintained that access to a calling card PIN is unlikely unless the caller has considerable knowledge about the customer and has unrestricted access to the customer's telephone service calling card and personal information, the use of a password may offer added protection. Accordingly, after the complaint was filed, the company added a password to the complainant's records. She since decided to use pre-paid phone cards for long-distance calls, which solved this problem to her satisfaction.

Findings

Issued December 23, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because a telecommunications company is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.2 notes that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.

The Assistant Commissioner deliberated as follows:

• Regarding the first allegation, she was satisfied that the company was not responsible for this matter. Firstly, the company did not sell telephone sets. The subscriber selects whatever set he or she wants, and it is that individual's responsibility to operate the set. Such a matter was therefore outside of the company's control. Secondly, the Assistant Commissioner was satisfied that the data that is collected, retained and later displayed by the set does not involve the company. Thus, she concluded that the first allegation did not fall under the Act's purview.
• As for the second allegation, there was no dispute that the customer service representative disclosed the PIN to the daughter, who was impersonating the complainant. The question to consider was whether this unauthorized disclosure could have been prevented.
• The Assistant Commissioner noted that the mother shared some of the responsibility for this incident. Although she had taken steps to change her PIN and erase it from her call display screen, her daughter nevertheless had free access to the calling card, which she found in the family's kitchen.
• The Assistant Commissioner was satisfied that the company had procedures in place that appeared to constitute reasonable security safeguards, appropriate to the sensitivity of the information in question. The safeguards appeared to provide reasonable protection, balanced against the desire of users to retrieve forgotten PINs, without requiring additional privacy-intrusive verification procedures or undue inconvenience or delay.
• However, the Assistant Commissioner considered the questions posed by the representative in this instance to be inadequate. Although the company stated that it asks callers questions that only the authorized user would be likely to know, the representative instead posed questions that would likely be known by other household members, not to mention friends and more distant relatives. In the Assistant Commissioner's opinion, asking for an individual's name, telephone number and date of birth did not meet the company's own standard for protection, or indeed any reasonable standard.
• She was also of the view that, given the difficulties that the complainant had been experiencing — problems that the company ought to have known about since the complainant had previously brought the matter to its attention, the company should have made sure that her PIN was protected by posing more difficult questions or by applying a password (a step it eventually took).
• Thus, while the Assistant Commissioner was satisfied that the company had appropriate procedures in place to safeguard an individual's PIN, they were clearly not properly applied in this case. She thus found the company in contravention of Principles 4.7 and 4.7.2.

The Assistant Commissioner concluded that the complaint was well-founded.

Further Considerations

The Assistant Commissioner suggested that, as a way of improving its procedures, the company consider involving the customer in determining the questions that should be asked to confirm customer identity before a PIN is disclosed. Such an approach, she suggested, might be useful in strengthening the protection of customers' personal information.