Bank implements significant measures to address unauthorized access of client information for non-business purposes by bank employee

PIPEDA Report of Findings #2015-011

July 20, 2015

---

After placing a block on her account to limit access of her financial information to employees at her branch location, a banking customer became concerned that her financial data had been inappropriately accessed by an employee from another branch. The employee was also a family member with whom the customer had a contentious history and she feared that the employee may have disclosed her financial information to a third party.

After the bank's internal investigation, access logs revealed that an employee had in fact inappropriately accessed the account information four times. The bank confirmed that the employee was able to temporarily remove the block and to access account numbers, balances, transaction history, access cards and contact information. While the bank was unable to conclude that the information accessed was subsequently shared with a third party, it confirmed that the employee had been reprimanded.

During our Office's investigation, the bank outlined the safeguards it had in place to prevent unauthorized access, including physical security controls, an employee logging and monitoring system, and an established privacy management program. The bank also confirmed that it had a code of ethics stressing the importance of protecting client information, including strict rules on access, use and disclosure of client information. Furthermore, the bank advised our Office of its employee training program, which includes role-based training and knowledge testing with respect to the protection of customer information.

Our investigation found that the complainant's personal information was inappropriately accessed and used for a purpose other than that for which it was collected. However, it found no evidence that the information was disclosed to a third party.

In addition, our Office's investigation found that the bank lacked the appropriate safeguards to protect the complainant's personal information from unauthorized access by employees. Specifically, its measures were insufficient to make employees aware of the seriousness of accessing customer information without authorization and breaching customer confidentiality. Our Office also found that the bank lacked appropriate technological safeguards, given the ease with which the customer's block was circumvented and this breach left undetected.

During the course of our investigation, the bank voluntarily revised its enterprise privacy training program and enhanced its review of employees who had previously inappropriately accessed customer information. It also reformed how it communicates with customers whose banking information has been accessed or disclosed without authorization and made privacy-related information more readily available to employees via its Intranet. The bank also implemented the requirement for a manager to approve changes to a customer's block. Finally, the bank also agreed to implement measures to deter and proactively detect unauthorized access by employees.

As a result, our Office found the complaint to be well-founded and conditionally resolved.

Following the conclusion of this investigation, our Office confirmed that the bank had implemented proactive measures to deter and proactively detect unauthorized access by employees and it will continue to explore opportunities for additional measures in the future.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”)

1. The complainant alleges that the bank used and disclosed her personal information for a purpose other than that for which it was collected. Specifically, she alleges that a bank employee accessed her bank account information for non-business reasons. She further alleges that the bank employee disclosed this information to a third party and that the bank has not taken steps to ensure that the bank employee does not disclose her personal information to a third party in the future.
2. The complainant further alleges that the bank does not have appropriate safeguards in place to protect her personal information against unauthorized access. Specifically, the complainant alleges that the bank did not protect her bank account information from unauthorized access by one of its employees, despite the block placed on her bank account, and that the bank has not implemented safeguards to prevent a recurrence.
3. The bank confirmed that the complainant's bank account was accessed by a bank employee without a valid business reason.
4. It is our Office's finding that the bank used the complainant's personal information for a purpose other than that for which it was collected and did not have adequate safeguards in place to protect the complainant's personal information from unauthorized access by its employee. However, the evidence does not establish that the bank employee disclosed the complainant's personal information to a third party.
5. In response to our investigation, the bank has made significant changes to its privacy program and has undertaken to implement further changes to prevent the unauthorized access by employees.
6. We thus found the matter to be well-founded and conditionally resolved.

Summary of Investigation

Timeline

Below is a chronology of the events that occurred over a period of seven months within a one year period.

7. The complainant had a block placed on her bank account because she feared that a bank employee, who is a family member with whom she has a history of conflict, would access her account inappropriately.
8. This block, which is a privacy preference safeguard available to customers upon request, restricts access to a customer's profile so that only certain limited groups within the bank have access to the customer's account information and balance. In the complainant's case, only the branch where her account was held had access to her account information and balance while other bank branches could only see her name and other non-financial customer information.
9. The complainant was advised by her local branch that a bank employee from a different location had accessed her bank account for "maintenance".
10. The complainant filed a complaint with the bank two months later.
11. Subsequently, a Manager, Customer Services for the bank advised the complainant that, following an investigation, it could confirm that her personal information had been accessed by a bank employee without a valid business reason. The bank indicated that it regretted this situation and had taken appropriate action.
12. The complainant sent an email to the bank outlining her concerns.
13. The complainant received a letter from a District Vice President for the bank.
14. The complainant was unsatisfied with the responses provided by the bank because it refused to provide the following information: (i) which bank employee had accessed her bank account; (ii) the duration and scope of the inappropriate access; (iii) what the bank employee did with the information accessed; and (iv) reassurance that this would not happen again.
15. The complainant sent an email outlining her concerns to the Office of the Ombudsman for the bank.
16. The Office of the Ombudsman for the bank issued a letter to the complainant with its findings, which the complainant was not satisfied with.
17. Three months later, our Office accepted the complainant's complaint.
18. Given her history of conflict with a certain family member who is also a bank employee, the complainant believes that this individual is the bank employee who accessed her bank account inappropriately. Moreover, the complainant believes that the bank employee disclosed her personal information to a third party in light of this past conflict.

Use and disclosure for a purpose other than for which it was collected

19. In response to the complaint, the bank provided our Office with a copy of its investigation report, access logs and interview notes. The bank confirmed that a bank employee made changes to the complainant's profile to temporarily remove the block and accessed screens displaying the complainant's account numbers, balances, transaction information, address, telephone number, email address and access card (debit card) numbers on four separate dates.
20. As part of its investigation, the bank's Human Resources department conducted an interview with the bank employee, who confirmed that they were aware of their obligations under the bank's code of conduct ("Code of Conduct") and had completed their annual attestation. Specifically, the bank employee indicated an understanding of the obligation to protect customer information under the Code of Conduct.
21. Our Office was provided with a copy of the notes from this interview. These notes indicate that the bank employee denied accessing the complainant's account despite being advised that access logs showed that they had viewed the complainant's bank account. According to the bank, there was no evidence to conclude that the bank employee had disclosed the complainant's personal information to a third party.
22. The bank advised its employee that any further violation of their obligations under the bank's Code of Conduct and/or privacy policy would result in the immediate termination of their employment for cause. According to the bank, the bank employee acknowledged these obligations both verbally and in writing, and confirmed having read and understood these policies.
23. According to the bank, the bank employee was reprimanded in accordance with Canadian employment law, taking into account a number of factors, including the bank employee's length of tenure and any prior discipline. The bank was able to confirm that the bank employee did not access the complainant's account following this reprimand.

Safeguards

a) Physical measures

24. The bank confirmed that it has physical safeguards in place, including physical security control, and policies and procedures governing premises controls, to ensure the security of its physical assets and the personal information contained therein.

b) Organizational measures

i. Governance Structure

25. According to the bank, it has a mature global privacy management program, which aims to proactively protect personal information and mitigate privacy risk. It holds quarterly privacy committee meetings and has a network of privacy designates in its business areas to support and influence a culture of privacy compliance within its organization.

ii. Bank's Code of Conduct

26. The bank advised that its Code of Conduct forms an integral part of the terms and conditions of employment and all employees are required to review and attest to compliance with its Code of Conduct on an annual basis. It states that compliance with its Code of Conduct is a condition of employment with the bank, and failure to comply can result in disciplinary action up to and including termination of employment for just cause. Its Code of Conduct is reviewed and updated annually to address regulatory changes, evolving best practices, and to assist employees in better understanding their job requirements.
27. Specifically, the section about protecting customer information in the bank's Code of Conduct states:
    
    [Omitted]
28. The Code of Conduct also addresses computer systems security and describes the bank's approach to role-based access and monitoring. Specifically, the Code of Conduct states:
    
    [Omitted]

iii. Training

29. According to the bank, mandatory privacy training must be completed by all employees upon hiring, with annual refresher privacy training, including a mastery test requiring a particular score to pass. Completion rates are tracked centrally with follow-up at the manager level. This training includes "real-life" scenarios based on day-to-day activities and interactive exercises to highlight the bank's commitment to and methods of protecting customer information.
30. The bank explained that its online privacy training is updated yearly to reflect changes in legislation, internal policies and privacy trends. The bank was able to confirm that "inappropriate access" has been a topic in the bank's mandatory privacy training for several years.
31. Role-based training is also provided to the bank's compliance, risk and customer resolution officers annually.

iv. Communications

32. The bank communicates with its employees using a variety of methods, in order to promote a privacy-respectful culture. For example, the bank's privacy intranet site provides its employees with access to privacy resources, including the bank's privacy newsletters and a fact sheet to support employees' understanding of their obligations when accessing a customer's account.

c) Technological measures

33. The bank has a program on access controls to establish and reinforce policies and standards to guard against inappropriate employee access based on the "need to know" principle.
34. The bank's standard on logging and monitoring also mandates appropriate controls to review and protect its systems and to ensure appropriate audit logs are maintained. In this policy, the bank's employees are told:
    
    [Omitted]

Application

35. In analyzing the facts, our Office applied Principles 4.5, 4.7, 4.7.1, 4.7.3 and 4.7.4 of Schedule 1 of the Act.
36. Principle 4.5 stipulates that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
37. Principle 4.7 requires that personal information be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 stipulates in part that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Specifically, Principle 4.7.3(b) suggests that the methods of protection should include organizational measures such as security clearances and limiting access on a "need-to-know" basis, while Principle 4.7.3(c) suggests that methods of protection should also include technological measures.
38. Principle 4.7.4 states that organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.

Analysis

Use for a purpose other than that for which it was collected

39. The first consideration is whether the bank employee used the complainant's personal information for a purpose other than that for which it was collected.
40. The bank employee accessed the complainant's bank account inappropriately and as a result of a weakness with the bank's privacy preference safeguard, the bank employee was able to bypass the block and access the complainant's personal information. Consistent with the bank's investigation, the evidence demonstrates that the bank employee did not have a business purpose to access the complainant's bank account and therefore, the personal information accessed was used for a purpose other than the reason for which it was collected.
41. It is our Office's finding that the bank contravened Principle 4.5.

Disclosure for a purpose other than that for which it was collected

42. The second consideration is whether the bank employee disclosed the complainant's personal information for a purpose other than that for which it was collected.
43. During its investigation, the bank did not find any evidence that the bank employee disclosed the personal information of the complainant to a third party. Although the complainant expressed strong concern that the bank employee with whom she had a history of conflict might have disclosed her personal information to a third party, no additional evidence was provided to support this allegation. Moreover, our Office's investigation did not reveal any evidence of disclosure of the complainant's personal information.
44. Without actual evidence of disclosure, our Office is unable to find that the bank contravened Principle 4.5.

Safeguards

45. The final consideration is whether the bank had adequate safeguards in place to protect the personal information of the complainant from the unauthorized access of its employees and whether the bank made its employee aware of the importance of maintaining the confidentiality of personal information.

a) Organizational measures and the importance of maintaining confidentiality

46. Despite the bank employee's assertion that they were aware of, and even understood, obligations for protecting customer information under the Code of Conduct, as well as the fact that she had completed her annual attestation, the evidence clearly demonstrates that the bank employee deliberately changed the privacy preference, removed the block and viewed the complainant's bank account several times.
47. Even with the organizational measures in place at the bank to protect personal information against unauthorized access, the bank employee clearly disregarded these measures and still accessed the complainant's personal information without authorization. The development of a culture of privacy within any organization is dependent on the level of awareness beyond policies and training, where employees have a solid appreciation of the consequences of unauthorized access and the importance of maintaining the confidentiality of personal information.
48. It is our Office's finding that while the bank does have organizational measures in place, these measures did not sufficiently make employees aware of the seriousness and consequences of accessing customer information without authorization and not maintaining the confidentiality of personal information pursuant to Principles 4.7.3(b) and 4.7.4.

b) Technological measures

49. Our investigation revealed that while the bank had a mechanism by which customers were able to block access to their bank account information outside of their bank branch, the bank employee was still able to circumvent this block by changing the complainant's privacy preferences. The ability to change a customer's privacy preferences was not protected by security safeguards appropriate to the sensitivity of the information given the ease with which a customer's privacy preferences could be changed by a bank employee, acting alone and without appropriate oversight.
50. Audits are essential technological safeguards to protect sensitive financial information, to deter and detect unauthorized access to personal information and to maintain the integrity and confidentiality of personal financial information stored in electronic information systems. While the bank does maintain access logs, which detail what information an employee has accessed, the bank currently does not employ a technological measure to proactively detect unauthorized access by employees. It is our Office's position that reactive auditing in response to an allegation of unauthorized access is, on its own, inadequate to meet the bank's obligations under the Act.
51. It is our Office's finding that the bank lacked the appropriate technological measures to safeguard the complainant's personal information, pursuant to Principle 4.7.3(c).
52. Accordingly, it is our Office's finding that the bank contravened Principles 4.7 and 4.7.1 as it did not have the appropriate safeguards in place to protect the complainant's personal information from unauthorized access by its employees. The bank's employees, as authorized users of its systems, pose a risk to customers' privacy given the potential for abuse of access privileges. Financial institutions must identify such risks and implement measures or safeguards that are reasonable in the circumstances and appropriate to the sensitivity of the information to eliminate or reduce these risks. Moreover, measures or safeguards made available by a financial institution, like the bank's privacy preference safeguard (block), should respect the choices made by its customers in terms of how their personal information is controlled and should impress upon employees the importance of maintaining the confidentiality of its customers' personal information.

Improvements to the bank’s privacy program

53. During the course of our Office's investigation, the bank voluntarily undertook to improve its privacy program and has implemented improvements, as detailed below. In order to implement these improvements, the bank established a working group, which meets on a regular basis and is comprised of bank employees from various departments related to managing fraud, investigations, and human resources.

a) Revised enterprise privacy training

54. The bank revised its mandatory enterprise privacy training course and launched it in 2014 and confirmed that virtually all of the bank's employees have completed their annual privacy training. The revised privacy training course includes an example of inappropriate access to customer information and outlines that an employee must only access and use customer information for legitimate business purposes. It also outlines that compliance with the Code of Conduct is a condition of employment and failure to comply can result in disciplinary action up to and including termination of employment for just cause (without payment).
55. During the course of this investigation, the bank provided our Office with the new content added to its privacy training, including a list of useful reminders when employees handle customer and employee information and sample questions and answers used as part of its test.

b)Implemented enhanced monitoring of employees who have accessed customer information inappropriately in the past

56. The bank advised that it had enhanced its reviews of employees who have accessed customer information inappropriately (in cases where their employment is not terminated). The bank provided our Office with details on how it conducts these reviews and what these reviews entail.

c) Reviewed customer responses following an investigation into an allegation of unauthorized access

57. The bank also undertook a review of how it communicates with a customer whose banking information has been accessed and/or disclosed by an employee without authorization, in order to balance the customer's desire for information with an employee's right to privacy. As a result of this review, the bank has made changes to the letter it sends in order to provide the customer with additional details and greater transparency about the unauthorized access, including duration and scope, and to better reflect the circumstances of the inappropriate access and/or disclosure by a bank employee.
58. In the year following the complaint to our Office, the bank sent a letter to the complainant, providing the complainant with additional information regarding the inappropriate access, including the dates and times when the bank employee accessed her personal information and the type of information accessed by the bank employee.

d) Implemented additional measures to encourage the bank employees’ privacy awareness on the intranet

59. The bank implemented additional measures to encourage privacy awareness on its intranet. For example, the bank has placed banners on its retail branch intranet home page to promote privacy awareness among its employees.

e) Held a session emphasizing the importance of privacy

60. In the same year, a session with the bank's Chief Compliance Officer stressed the importance of privacy processes and controls and is now available to all employees on the bank's intranet. Further sessions featuring employees of the senior executive and compliance leadership teams are targeted for completion in 2015, which will emphasize the importance of privacy.

f) Improved the bank's privacy preference safeguard (block)

61. The bank investigated ways in which it could enhance the privacy preference safeguard given that the bank employee in this instance was able to remove the block from the complainant's bank account and access her personal financial information. The bank confirmed that a bank manager's approval is now required for a bank employee to change a customer's privacy preference.

Recommendations made in Preliminary Report of Investigation ("PRI")

62. Our Office recognizes that the bank has taken significant positive steps to address the concerns raised as a result of this investigation, as outlined above. Our Office is pleased that these changes have been made so that employees are made aware of the seriousness and consequences of accessing customer information without authorization and of not maintaining the confidentiality of customers' personal information. Our Office also notes that the bank continues to make additional efforts in this regard.
63. Our Office issued aPRI, which recommended that the bank:
    1. Implement measures to conduct proactive audits of employees' access of the bank's electronic information systems with further investigation where audit results dictate, in addition to the current reactive audits; and
    2. Extend the measure of enhanced monitoring of employees so that monitoring will commence upon receipt of a complaint from a customer alleging unauthorized access to their information.

Response to PRI

64. In response to our first recommendation, the bank advised that it had implemented measures to proactively identify certain outlier employee behaviour, where instances of unusual access are flagged by the bank's systems for investigation.
65. For example, with respect to the movement of records outside its organization, the bank advised that it had upgraded its data loss prevention technology to flag if a bank employee sends an email outside of the bank that included a large number of credit card numbers. The bank indicated that it continues to enhance its data loss prevention process and technology and will provide our Office with an update in January 2016.
66. By way of another example, with respect to employee surveillance, the bank advised that it had implemented a new "out-of-province view" flag for specific bank employees, which would flag when an employee accesses a record of an out-of-province customer and lead to an investigation of excessive or prima facie unauthorized viewings. The bank indicated that it will provide our Office with an update on the deployment and efficacy of this flag in January 2016.
67. It also advised that the bank's working group continues to investigate additional measures to proactively audit its employees' access to the bank's electronic information systems. The bank provided our Office with details about this group's mandate and process.
68. In response to our second recommendation, the bank explained that it must take into account many considerations before monitoring employees, as it must balance employment and privacy law considerations. Given such balancing and its commitment to promptly investigating complaints from customers alleging unauthorized access to their information, our Office is satisfied with the implementation of enhanced monitoring of the employee's access following an investigation, as opposed to upon receipt of a complaint from a customer.
69. The bank also advised that it had reached a mutually agreeable settlement with the complainant.

Conclusion

70. The bank has agreed to provide our Office with an update in January 2016 on the measures implemented to proactively audit its employees' access to the bank's electronic information systems. Our Office is also requesting that the bank provide an update in January 2016 with respect to any additional measures implemented or being considered. We are confident that the implementation of such measures will meet our Office's recommendations.
71. Accordingly, we find this matter is well-founded and conditionally resolved.