In a 2009 case, an accounting firm provided a divorcing husband’s investment and tax information directly to his wife’s legal counsel after it received a summons requesting that the organization appear in court with the financial information in order to give evidence. Upon the man’s complaint, it was found that the accounting firm had misinterpreted the Act, not respected the intent of the summons, and inappropriately disclosed his personal information.
It is all too easy to see how a compliance department of a securities firm, feeling it is required by law to divulge personal account information under similar circumstances, could fall into the same trap.
The lessons learned in that case:
- A Summons to Witness can be considered a subpoena in certain circumstances for the purposes of paragraph 7(3)(c) of the Act.
- No disclosure of personal information without an individual’s consent is allowable under paragraph 7(3)(c) unless the legal writ (e.g. subpoena, warrant) specifically requires the disclosure to a named party or parties.
- The information disclosed in compliance with the legal writ under paragraph 7(3)(c) must be limited to that which is specifically requested by the writ and released only to the party or parties named therein.
CIBC also came under scrutiny by the Commissioner when a package supposedly containing a portable computer disk drive holding personal information of more than 400,000 current and former clients of Talvest Mutual Funds (Talvest) had been land-shipped by the bank from Montreal to Markham and had arrived undamaged but empty. The data in question had not been encrypted. Talvest Mutual Funds were at that time a family of CIBC Mutual Funds.
The Assistant Commissioner found that CIBC had contravened PIPEDA’s safeguards principles by failing to execute appropriate policies and procedures governing the data transfer. Although the Assistant Commissioner “was satisfied on the whole with CIBC’s response to the incident, particularly its notification of affected clients, and generally with the remedial measures that the bank had taken to address the problems it had identified in its own investigation of the incident”, she remained troubled that “CIBC had been unable in the end to establish whether or not a data transfer to a portable disk drive had even been made.”
From the case summary we learn:
- “The Assistant Commissioner expressed her concern about CIBC’s lack of technical accountability. She made a recommendation that the bank research the available application software offerings on the market with a view to incorporating into its network one that would enable it to determine whether, when, and by whom copies of data onto portable storage devices are made.”
- “In response, CIBC notified the Office that it had initiated a search for a suitable product and would assess the feasibility of implementing such a solution in the Windows environment in which the data transfers in question had been attempted. The bank also said it was investigating the deployment implications of disabling the attachment of portable storage devices to Windows servers.”
- “Once again, in the financial services world where firms are often responsible for housing client data and sending it on when advisors change firms and are legally entitled to take such data with them, the potential for a privacy violation is real and the business costs and ramifications (i.e. notifying clients of the loss and the possibility of identity theft resulting from info falling into the wrong hands) are significant.”
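The two controls CIBC told the Commissioner it was evaluating (a way to determine whether, when, and by whom data is copied to portable storage, and blocking portable storage on Windows servers) both exist as built-in Windows features. The script below is an added illustration, not code from the case summary or from CIBC; it assumes it is run with administrator rights on the server being hardened, and uses the Windows “Removable Storage Access” policy registry key and the “Removable Storage” audit subcategory, which are standard Windows names rather than anything from this page.

```powershell
# Added example (not from the case summary or CIBC): restrict removable disks
# on a Windows server and record who accessed removable-storage objects, when.
# Assumptions: run elevated; the registry path and audit subcategory below are the
# built-in Windows "Removable Storage Access" policy and "Audit Removable Storage".

# Device class GUID that the Removable Storage Access policy uses for "Removable Disks".
$RemovableDisksGuid = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksGuid"

function Set-RemovableDiskAccess {
    # Deny write access (and optionally read access) to removable disks machine-wide.
    param([switch]$DenyRead)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name 'Deny_Write' -Value 1 -Type DWord
    if ($DenyRead) { Set-ItemProperty -Path $PolicyPath -Name 'Deny_Read' -Value 1 -Type DWord }
    # Return the effective settings so the change can be checked from a script.
    Get-ItemProperty -Path $PolicyPath | Select-Object Deny_Write, Deny_Read
}

function Enable-RemovableStorageAudit {
    # Turn on Object Access > Removable Storage auditing so that each file handle
    # opened on a removable device produces Security event ID 4663.
    auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable
}

function Get-RemovableStorageActivity {
    # Summarise the 4663 events tagged "Removable Storage": who, what object, when.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Access  = $data.AccessMask
                Process = $data.ProcessName
            }
        }
}

# Typical use on a server that should never write client data to removable media:
# Set-RemovableDiskAccess -DenyRead
# Enable-RemovableStorageAudit
# Get-RemovableStorageActivity -Hours 168 | Sort-Object Time | Format-Table -AutoSize
```

The registry values written by Set-RemovableDiskAccess are the same ones Group Policy sets under Computer Configuration > Administrative Templates > System > Removable Storage Access, so in a domain the cleaner route is a GPO; the audit report is what answers the Assistant Commissioner’s question of whether a copy to a portable drive was ever actually made.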
In that case, the following lessons were learned:
- Security policies and procedures are essential but are not in themselves sufficient to protect personal information from loss or theft. The effectiveness of security safeguards depends on the organization’s diligent and consistent execution of policies and procedures.
- Diligent and consistent execution of security policies and procedures depends to a large extent on ongoing privacy training of staff and management, so as to foster and maintain a high organizational awareness of informational security concerns.
- Attention to security safeguards becomes all the more important in situations where an organization decides for whatever reason to deviate from its normal information-handling policy and practices. Before any such deviation, the organization must conduct careful risk assessment and implement appropriate preventive measures.
- In cases of suspected theft or fraud, an organization should inform the police as soon as possible, so as to prevent evidence from becoming stale or contaminated.
Finally, in case summary #2009-012 a fraudster used forged identification of an individual to open a bank account in the individual’s name. When the victim realized what had happened and that the fraudster had used an incorrect telephone number and address to open the account, the bank was brought to task for allegedly failing to verify this personal information before opening the account.
It was found that under normal circumstances, address and telephone number verification is not required and here the bank had no reason to believe the provided information was fraudulent. As a result, the bank was not held responsible for a personal information protection failure. The case summary points out the three lessons learned:
- Organizations must collect only the information that is necessary for a specific purpose or transaction.
- In circumstances where it is believed there is a higher risk of either actual or potential fraudulent activities, financial institutions may request more personal information from individuals to confirm their identity. (Query whether this applies to securities dealers as well).
- For identity thieves, personal information is a highly valued commodity. Both organizations and individuals must be vigilant in protecting personal information and report it when it is lost, stolen, or used fraudulently.
Yes, Personal Information Protection laws remain alive and well in the financial services in Canada. We need to follow them to the best of our ability.