Laptop theft at bank and long delay before informing victims were both avoidable

PIPEDA Case Summary #2008-393

[Principle 4.7.1]

A complainant’s personal information was likely contained on a laptop computer that was stolen from a bank employee’s office. The employee had not followed company security procedures. Over 870 other individuals were potentially affected by the theft. The office had not been locked and could easily be entered during business hours through another unlocked door connecting to a public area. There were no security cameras trained on the area. The complainant claimed that the bank had not taken proper security measures to prevent the theft and protect her information. She also believed that the bank took an extraordinarily long time to inform her of the theft (i.e. three months), which dramatically increased the risk of her stolen information being used for criminal purposes. The laptop and the information were never recovered. The bank tightened its office and electronic-information security systems and re-informed employees of relevant practices to be followed. The Assistant Commissioner made several recommendations to the financial institution regarding how to more expediently inform affected parties after an information security breach.

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

The complainant’s personal information (e.g. name, address, telephone number, date of birth, social insurance number) may have been contained on a laptop computer belonging to a bank employee that was stolen from the employee’s office. The bank duly reported the theft as an incident to the Office of the Privacy Commissioner. The computer contained the personal information of approximately 872 individuals.

Over three months later, the complainant received a letter from the bank in which she was merely advised to contact the institution about a “current matter”. Only when she called the bank was she informed of the theft and the potential security risk to her information. She was then advised to contact two credit bureaus and have an alert put on her file. The complainant believed that the bank should have informed her sooner of the possibility of her personal information being stolen, given the potentially negative consequences.

Regarding the circumstances of the theft, the bank reported that the laptop had been left unattended in the employee’s office and that the office door did not have a lock on it. Further, the employee’s office was located on a corridor accessible to a public area by a door that was always unlocked during business hours. After the incident, the bank ensured that this connecting door was locked at all times and that locks were installed on all employee offices located along the corridor.

The bank admitted that its employee (a financial planner) had not followed the company’s data back-up requirements nor its security procedures regarding laptop computers. After the theft, the bank re-stated its data back-up requirements and security procedures to its financial planners, particularly to the employee involved in the incident. As well, all data on financial planners’ laptops were formatted consistently by means of encryption. The bank also modified all financial planners’ laptops so that their data-gathering software could no longer collect either dates of birth or social insurance numbers.

Regarding the complainant’s dissatisfaction with the length of time it took to inform her, the bank responded that the delay was due to the lack of back-up data available for the laptop, which made ascertaining its contents and properly identifying and notifying the 872 individuals impacted by the theft that much more difficult. Some of them were not yet clients of the bank.

Beginning six weeks after the theft, the bank began calling those affected (a maximum of three attempts each) to inform them of the breach . However, because the bank opted not to leave any telephone messages whatsoever on customers’ voice messaging systems (for “privacy reasons” and to avoid any implication of “a relationship between the customer and the bank”) the complainant could not successfully be contacted this way. Instead, individuals that the bank failed to reach by telephone were notified by letter to contact the bank (no other details provided). The bank sent these letters three months after the date of the theft.

Findings

Issued June 11, 2008

Application: Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

In making her determinations, the Assistant Commissioner deliberated as follows:

• This Office has developed and communicated recommendations intended to prevent laptop computer thefts and protect personal information. Particularly, we advise laptop owners to keep them in a locked space and out of view when unattended. We also recommend the use of pass codes and encryption software to thwart unauthorized attempts to access data.
• Our investigation of the present case revealed that the bank did have security procedures in place, but that they were not adhered to by the employee in question. Compounding the employee negligence was the surprising ease of access by anyone to the unlocked office.
• The Assistant Commissioner noted that, since the incident, the bank secured access to the financial planners’ offices as well as access from a public area to the office corridor. The bank also followed up on the consistent use of encryption software for financial planners’ laptops and reiterated to those employees its data back-up and security procedures.
• Thus, while office security practices may not have been as stringent as they could have been, adequate security procedures were in place and there was an expectation that employees follow them. Although Principle 4.7.1 was not upheld to the fullest extent possible, the Assistant Commissioner was satisfied that the bank conscientiously and adequately addressed the situation to avoid a reoccurrence.
• Regarding how and when potential victims of the theft were ultimately notified of the security breach, the Assistant Commissioner appreciated the challenges faced by the bank in, firstly, drawing up a comprehensive list of all those whose personal information may have been contained on the stolen laptop (since it appeared that no back-up data existed) and, secondly, accurately matching up their names to correct telephone numbers and addresses. This would be especially difficult in cases where those affected by the theft were not already bank customers and did not have a client profile in the bank system.
• The Assistant Commissioner made two important recommendations that would expedite the process of notifying the individuals whose personal information may be compromised by a security breach, thereby allowing them to put an earlier alert on their credit file:
  • A generic voice message left by the organization for the individual on an electronic voice message system would be acceptable and would not potentially disclose any personal information (e.g. “Ms. Smith, please call the X Bank at 1-800…”). This type of message could significantly reduce call-backs and the time spent notifying individuals—to the benefit of both the bank and the individual.
  • The organization should ensure that its current practices include contacting potential breach victims by using both the primary and back-up telephone numbers made available to it by the individual (i.e. home, cellular and office numbers). The onus should be on the individual to ensure that his or her contact information is always current. 

The Assistant Commissioner concluded that the complaint was well-founded and resolved.