Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Break with security procedures exposes financial planner’s client to privacy breach

Incident Summary #12

February 24, 2016

Lessons Learned

  • Ignoring internal privacy and security procedures can have serious consequences, which may threaten or affect assets and reputations.
  • Employee training in privacy is very important and should be reinforced regularly as part of a perennial training regime.
  • Strong breach response is necessary to mitigate harm and prevent recurrence.

Incident

Several months apart, employees of a financial management firm had breached internal security procedures by sending a client’s detailed financial plan and federal income tax notice of assessment to her personal email account without secure messaging tools, such as password protection or encryption.  The financial plan contained details of the client’s net worth and personal mailing address; while the notice of assessment contained her social insurance number. 

The client believes that an unauthorized person then hacked into her email account and accessed those documents.  The alleged hacker then contacted an employee of the firm and, using some of the client’s personal information obtained from the documents, posed as the client to request a transfer of a significant amount from the client’s investment account to her bank account.  The employee processed the transfer, ignoring the firm’s established procedures for authenticating clients when liquidating their assets.  

The client noticed the transfer of money from her investment account to her bank account and realized something was amiss.  She alerted the firm and asked for its security unit to investigate. As such, the client’s money was not stolen. 

Outcome

The firm investigated and quickly realized the severity of the situation.  It strongly advised the client to change her passwords and also advised the RCMP of the events.

The client received an apology and was informed that security had been reinforced on her account as a result of the incident.  She was also offered free credit monitoring, provided by a major credit reporting agency.

Following the breach, the firm took specific and appropriate measures with the employees who were responsible.  Since the firm traced the root cause of the incident to employee training, it also ensured that its staff completed additional privacy training as a result.  Further communications to its entire staff on privacy and processes were also planned.  In addition, the firm reviewed its internal processes to identify and mitigate gaps in its incident-intake process.

Overall, our Office considered the firm’s response to this incident appropriate.

Date modified: