Investigation into Brinks Home

PIPEDA Findings # 2024-002

March 28, 2024


Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Description

The OPC found that Brinks Home (“Brinks”) had not implemented adequate safeguards, resulting in the compromise of customers’ personal information via its online portal.

The OPC also considered whether the breach presented a real risk of significant harm (“RROSH”) and whether Brinks complied with its breach notification requirements under the Act. While we concluded that the personal information involved could be considered sensitive, the probability of its misuse in the specific circumstances of this incident was low, including because only a small number of known customers, not malicious actors, were accidentally given access to the personal information of other customers. Accordingly, we determined Brinks was not required to report the incident to our Office or to notify affected individuals of the breach.

Takeaways

  • When companies are alerted to a breach of security safeguards, they should act quickly to mitigate the breach.
  • Companies have a responsibility to make sure they adequately safeguard customers’ personal information, including via organizational safeguards, such as (i) protocols for protecting personal information and for responding to a suspected breach, (ii) employee training, and (iii) monitoring to ensure safeguard protocols are followed.
  • Organizations must report a breach to our Office and notify affected individuals where there is a real risk of significant harm (RROSH).
  • Whether there is a RROSH is determined by considering both the sensitivity of the personal information involved and the probability of its misuse in the specific circumstances of the incident.

Report of findings

Overview

The complainant alleged that in 2022, Monitronics International, Inc. d/b/a Brinks Home (“Brinks” or the “respondent”) had not implemented adequate safeguards, resulting in the compromise of some customers’ personal information.

The complainant, a customer of Brinks, logged into his Brinks Home portal and noticed that he could see the personal information of several other customers. He initially notified the company of his observations, and, after noting that the issue remained unresolved approximately 10 weeks later, he notified Brinks a second time and filed the subject complaint with our Office.

Shortly after the complainant’s second notification, Brinks took measures to resolve the unauthorized access.

Brinks investigated the matter and determined that the incident was caused by employee error during the account set-up process. This resulted in the personal information (including customer contact information, emergency contact information, and security system details, but not financial information) of 3,340 Brinks customers being accessible without authorization to 102 other Brinks customers for a period spanning at least several months. Brinks was able to determine, however, that while the information was available it could only have been accessed by approximately 20 of those customers (those who had logged into their portal).

We found that Brinks had failed to adequately protect customers’ personal information from unauthorized access. The company subsequently implemented various technical and procedural measures to prevent such an incident from occurring again in the future, and ultimately, the company sold all of its individual customer accounts. We therefore found this aspect of the complaint to be well-founded and resolved.

We also considered whether Brinks complied with its breach notification requirements under the Act. While we concluded that the personal information involved could be considered sensitive, the probability of its misuse in the specific circumstances of this incident was low. Considering these factors, we determined that the incident did not pose a real risk of significant harm (“RROSH”), such that Brinks was not required to report the incident to our Office or to notify affected individuals of the breach. We therefore found this aspect of the matter to be not well-founded.

Background and Complaint

  1. The complainant was a customer of Monitronics International, Inc. d/b/a Brinks Home (“Brinks” or the “respondent”). Brinks is an alarm monitoring company that operates across Canada and the United States. Brinks works with authorized dealers, who in turn sell and install alarm systems. At the time of the incident, Brinks had approximately 800,000 customers in North America, including more than 10,000 customers in Canada.
  2. In July 2022, the complainant phoned the respondent to inform them that when logging onto his Brinks Home Portal (the “portal”), he could see the addresses of about 100 other Brinks customers. During his conversation with a customer service agent, the complainant requested to speak to a manager, and the agent informed him that a manager would call him back.
  3. More than two months later, having not received a return call from Brinks, the complainant emailed the company’s Privacy Officer and phoned the company a second time to report that he could still see customer information via the portal, including what he believed to be bill payment information, name, address, certain security system details, and emergency contact information.
  4. On the same day that the complainant emailed and placed the second phone call to Brinks, he filed the subject complaint with our Office.
  5. Shortly after he filed that complaint, Brinks changed the settings in its online portal to prevent the information from remaining visible to unintended customers.
  6. Based on the complaint, our Office investigated whether Brinks had adequate security safeguards in place to protect personal information under its control, pursuant to Principle 4.7 of Schedule 1 of the Act.
  7. We also considered whether Brinks complied with breach notification requirements under section 10.1 of the Act.

Analysis

The Breach

  1. Brinks did not dispute that the incident occurred. It also acknowledged that when the complainant first reported the privacy incident to a customer service representative (“CSR”), the CSR did not follow internal policies regarding escalation for reporting incidents to a supervisor, the Help Desk, Security Team, or Incident Response Team. Ultimately, however, after receiving the email and second phone call from the complainant, Brinks did change the settings in the portal to prevent the information from remaining visible to unintended customers.
  2. Brinks conducted an internal investigation into the incident. It determined that the cause of the unauthorized access was employee error, and that the individuals who had been granted unauthorized access were known Brinks customers, not malicious actors. More specifically, Brinks explained that the incident occurred as a result of an employee having incorrectly entered a dealer account number during the set-up of 102 customer accounts. The employee’s error resulted in those customers being granted access to account information that would be accessible to a dealer who sells and installs home alarm systems.
  3. In the absence of detailed system access logs, Brinks did not have the technical capability to determine which of those 102 customers may have accessed other customers’ data via the portal. However, it was able to determine that 82 of those customers had not logged into the portal at all, such that no more than 20 customers could have accessed the data.
  4. Similarly, Brinks could not establish exactly how long the information was accessible to the unauthorized customers, but acknowledged that the information would have been accessible to some individuals for at least several months before that access was removed.
  5. Brinks’ investigation determined that the information of 3,340 customers (“affected customers”), including the complainant’s, had potentially been accessed by the 20 individuals who had logged into the portal. The affected customers were located in Alberta, British Columbia, Manitoba, Nova Scotia, Newfoundland and Labrador, Nunavut, Ontario and Saskatchewan.
  6. Brinks explained that the information was not accessible in one file. To access the information, an unauthorized customer would need to, for each affected customer, select their address from a drop-down menu and navigate through a number of pages in the portal.
  7. We determined that the following information was rendered accessible for affected customers:
    1. customer name, phone number and address;
    2. emergency contact name, phone number and whether they had a key to the house; and
    3. alarm system model type and a list of monitored devices (e.g., “door sensor”) and location (e.g., “front door”).
  8. Our investigation confirmed Brinks’ explanation that the payment information that had been rendered accessible via the incident related to a dealer account and did not include any individual customer’s payment history or financial information.
  9. Finally, Brinks explained that the only account information that an unauthorized customer would have had the ability to change on another customer’s account was in relation to the emergency contact (individual who Brinks contacts in the event that an alarm is activated and they are unable to reach the customer). According to Brinks, no other information is provided to, or collected from, emergency contacts, except with the customer’s authorization.

Issue 1: Did Brinks fail to adequately safeguard customers’ personal information?

  1. Principle 4.7.1 further states, in part, that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
  2. Brinks does not dispute that the breach resulted from employee error in setting up the 102 accounts in question.
  3. The company further acknowledged that its CSR failed to escalate the matter upon being initially informed of the breach by the complainant. This resulted in the affected customers’ data being accessible for an additional 10 weeks, when the issue could have been, as it ultimately was, resolved quickly via an adjustment to settings in the portal. 
  4. That said, in response to the breach, during the course of our investigation, Brinks:
    1. contained the unauthorized access by resetting account permissions;
    2. updated its customer portal registration process to prevent registration of a new customer portal account as a dealer account;
    3. established regular reporting to monitor newly created customer portal accounts and identify any discrepancies for further investigation;
    4. reinforced its protocols and training for the CSR whom the complainant first spoke to about the breach; and
    5. revised its instruction materials for employees, and provided associated training to prevent similar errors from occurring in the future.
  5. Ultimately, Brinks sold all of its individual customer accounts in Canada, such that customers in Canada no longer have access to the Brinks Home online portal.
  6. In light of the above, we consider this aspect of the complaint to be well-founded and resolved.
  7. We would, nevertheless, note that Brinks had not implemented technical measures to log customer account activity on the portal. This is an information security best practice that could have assisted the company in determining specifically which accounts, if any, had been accessed by whom. Such logging also serves as a foundation for detecting and mitigating unauthorized access in combination with properly configured alerts.
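A minimal model of the failure and of the controls described in points 4 and 7 above (a customer sign-up that refuses dealer account numbers, a review of newly created portal accounts, and per-view access logging), as an added example that is not Brinks’ code. The account numbers and the dealer-to-customer mapping are constructed placeholders, not real identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Constructed sample data: account numbers are placeholders, not real Brinks identifiers.
DEALER_ACCOUNTS = {"D-1001": {"C-5001", "C-5002", "C-5003"}}  # dealer -> customers it installed for
CUSTOMER_ACCOUNTS = set().union(*DEALER_ACCOUNTS.values())

class RegistrationError(ValueError):
    """Raised when a customer sign-up is bound to the wrong kind of account."""

@dataclass
class PortalAccount:
    login: str
    linked_account: str    # account number typed in by the employee at set-up
    registered_via: str    # "customer_signup" or "dealer_signup"

    def visible_customers(self) -> set:
        # Scope follows the linked account, so a mistyped dealer number exposes every customer under it.
        if self.linked_account in DEALER_ACCOUNTS:
            return set(DEALER_ACCOUNTS[self.linked_account])
        return {self.linked_account}

def register_customer_unchecked(login: str, account_no: str) -> PortalAccount:
    """Weak flow (the pre-incident behaviour): no check on the typed account number."""
    return PortalAccount(login, account_no, "customer_signup")

def register_customer(login: str, account_no: str) -> PortalAccount:
    """Hardened flow: a customer sign-up may only bind to a known customer account."""
    if account_no in DEALER_ACCOUNTS:
        raise RegistrationError(f"{account_no} is a dealer account; customer sign-up refused")
    if account_no not in CUSTOMER_ACCOUNTS:
        raise RegistrationError(f"{account_no} is not a known customer account")
    return PortalAccount(login, account_no, "customer_signup")

def discrepancy_report(new_accounts) -> list:
    """Periodic review of newly created portal accounts: a customer sign-up that can
    see more than its own account is a discrepancy to investigate."""
    return [a.login for a in new_accounts
            if a.registered_via == "customer_signup" and len(a.visible_customers()) > 1]

def view_customer(viewer: PortalAccount, target: str, access_log: list) -> bool:
    """Enforce scope and record every view so 'who accessed whose data' can be answered."""
    allowed = target in viewer.visible_customers()
    access_log.append({"ts": datetime.now(timezone.utc).isoformat(), "login": viewer.login,
                       "target": target, "allowed": allowed})
    return allowed

def accessed_by(access_log: list, target: str) -> set:
    """From the log, which logins actually viewed a given customer's record."""
    return {e["login"] for e in access_log if e["target"] == target and e["allowed"]}
```

With the log in place, the question Brinks could not answer (which of the 20 logged-in customers viewed which records) reduces to a query over `accessed_by`.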

Issue 2: Did Brinks comply with breach reporting and notification requirements?

  1. To ensure that the Privacy Commissioner of Canada and all affected individuals are aware of, and receive consistent information about, data breaches that pose a real risk of significant harm, PIPEDA provides for mandatory breach reporting, under section 10.1, for organizations that experience a data breach (referred to in PIPEDA as a “breach of security safeguards”). (Footnote 1)
  2. Where an organization has experienced a breach of its security safeguards, it needs to assess whether that breach creates a real risk of significant harm (“RROSH”) to any affected individual. If it is reasonable to believe in the circumstances that the breach poses a RROSH to an individual, subsection 10.1(1) of PIPEDA requires the organization to report that breach to our Office. Additionally, as per subsection 10.1(3) of PIPEDA, the organization must notify any affected individual of the breach, unless otherwise prohibited by law, in order to allow these individuals to take steps, if any are possible, to reduce or mitigate the risk of harm that could result from the breach. In both cases, the organization must report and notify of the breach as soon as feasible after the organization determines that the breach has occurred. (Footnote 2)

Did the breach meet the RROSH threshold?

  1. Pursuant to subsection 10.1(8), to assess whether an incident posed a RROSH, the context surrounding an incident must be taken into consideration. The assessment considers:
    1. the sensitivity of the personal information involved in the breach; and
    2. the probability that the personal information has been, is being, or will be misused.
  2. In our view, as detailed below, the personal information at issue could be considered sensitive but given the circumstances surrounding the incident, the probability of its misuse is low, such that we find that there was no RROSH.

Sensitivity of the personal information

  1. While PIPEDA does not define sensitive personal information, as highlighted in our Office’s Interpretation Bulletin: Sensitive Information (Footnote 3), context is relevant to the assessment of sensitivity. For example, Principle 4.3.4 of PIPEDA states that “[a]lthough some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.” (Footnote 4)
  2. In this case, we found the personal information involved in the incident (name, address, emergency contact and contact information, alarm system model, and device locations, but not customer financial information) could be considered sensitive, in that it could potentially be leveraged by a malicious actor to assist in gaining unauthorized access to a customer’s home.

Probability of Misuse

  1. That said, in this case, we are of the view that the probability of such misuse was low.
  2. According to the OPC’s guidance (Footnote 5), it is important to consider factors including the following when assessing this probability of misuse: who actually accessed or could have accessed the personal information; whether there is evidence of malicious intent (e.g., hacking or theft); how much time has passed between the occurrence of the breach and its detection; and whether the information was exposed to individuals who have a low likelihood of sharing the information in a way that would cause harm.
  3. In this case, there are at most 20 customers who could have gained unauthorized access to the information of affected customers. While those individuals could have had access to the data for several months or more, they were known Brinks customers who were granted such access accidentally, by no action of their own. They were not unknown third parties or malicious actors who sought out such access for nefarious purposes. The absence of any evidence of malicious intent significantly reduces the probability of misuse. In our view, the likelihood of one of those customers using the personal information in question for purposes that would cause harm is low.
  4. In light of the above, we find that there was not a RROSH in this case. As such, Brinks was not required to notify affected individuals or report the breach to our Office.
  5. We therefore find this aspect of the complaint to be not well-founded.

Conclusion

  1. Given all of the above, and considering the respondent’s actions to address the issues that led to the breach, our Office finds:
    1. the safeguards aspect of the matter to be well-founded and resolved; and
    2. the breach notification aspect of the matter to be not well-founded.