Stolen laptop engages bank's responsibility

PIPEDA Case Summary #2005-289

(Principles 4.5 and 4.7 of Schedule 1)

Complaint

An individual complained that his bank failed to safeguard his personal information after a laptop computer containing his personal information was stolen. He also expressed concern about the amount of personal information that might have been compromised, as well as the reason the bank had his personal information on a laptop in the first place.

Summary of Investigation

In early 2004, a laptop computer containing the personal information of 960 bank clients was stolen from an employee's locked vehicle while it was parked in her home's underground garage. The theft was reported to the police, as well as to the Office, prior to the complainant filing a complaint with us. The bank contacted the complainant to advise him that the personal information on the laptop consisted of his name, address, telephone number, and his mutual funds account number (but no balance). The bank also informed the complainant that the laptop had been in the custody of a financial planner/advisor, who was using the information to set up appointments with clients to provide them with information about other bank products and services.

The complainant, however, indicated that he did not have a financial advisor at the bank and that he did not understand why his information would be on a client contact list since he had never sought the bank's advice. He did not believe that the planner needed to have the client account numbers on the computer for the purpose of contacting clients. In his opinion, a financial planner would need a lot more information about the accounts in order to provide sound financial planning advice than merely the account number. He believed that on principle account numbers should not be outside of the bank, contained on laptops that might be stolen. He also suspected that the laptop likely contained more information than the bank was admitting to.

Our Office reviewed the job description for the bank's financial planner. The planner's role is to increase the bank's market share in retail investments. One of the means of doing so is by calling on existing clients, and meeting with them at their convenience. This could mean meeting at the client's residence or place of business. Using mobile technology is part of such a scenario.

According to the bank, the complainant's name was included on the list of clients for two reasons: the value of one of his accounts met or exceeded a pre-set target, and the account was not managed by a "relationship" manager, such as a bank advisor.

The financial planner's list did not include the names of any clients who had requested that they not be solicited for other bank products and services. In January 2001, the bank had mailed a privacy disclosure notice to all of its existing customers advising that on occasion, it would communicate with the client to offer products or services that might be of interest to them. The notice also stated that if the client was not interested in receiving the direct marketing service, he or she could have his or her name removed from the bank's marketing lists.

The complainant also received a copy of the bank's privacy code after he had requested assistance with respect to another banking service. At the time that the financial planner's list was compiled, the complainant had not requested that his name be suppressed from marketing lists. After the incident, he made this request, which was honoured by the bank.

The bank's established security standards for its laptop computers set out general precautions that a user should take, such as passwords, and physical security measures. The standards quite specifically advised against leaving a computer in the car.

The bank also posted information on its intranet site to build employee awareness of the importance of protecting laptop computers. This information warns against leaving laptops unattended or in a car where they can be seen. The financial planner was aware of the bank's expectations, and the laptop was password protected. Nevertheless, the laptop was left on the seat of the planner's car.

Findings

Issued February 3, 2005

Application: Principle 4.5, which states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law; and Principle 4.7, which stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

On the matter of inappropriate use of his personal information, the Assistant Privacy Commissioner noted that the reason the complainant's personal information was on the laptop was that the bank intended to market other bank products and services to him. The bank had sent the complainant two privacy notices that described this practice and offered clients the opportunity to have their names suppressed from the bank's marketing lists. As the complainant had not requested suppression, it would appear that the bank had his implied consent to include his name on such a list, and was acting in accordance with Principle 4.5. When the complainant informed the bank after the theft of the laptop that he wanted his name removed from the list, the bank suppressed it.

She therefore concluded that the use complaint was not well-founded.

As for the safeguards, the Assistant Commissioner noted that, with respect to laptop computers, the bank had policies and procedures in place that required passwords and safe physical storage of the computers. Although these policies and procedures appeared to meet the requirements of Principle 4.7, the financial planner in this instance did not follow the bank's recommendations regarding physical security, and left the laptop unattended on the seat of her vehicle. The Assistant Commissioner therefore found the bank in contravention of Principle 4.7.

The Assistant Commissioner concluded that the safeguard complaint was well-founded.

Further Considerations

In reviewing the bank's privacy policy, the Assistant Commissioner noted that it requires the customer to obtain and complete the appropriate form to have his or her name suppressed from the bank's marketing lists. In previous complaints dealing with the issue of opt-out consent to use personal information for secondary purposes (such as marketing), the Office determined that the organization must provide for an immediate and convenient method whereby customers can opt-out, such as a 1-800 number or a check-off box. The Assistant Commissioner commented that requiring a customer to fill out an application form did not meet the reasonable expectations of most individuals, namely, that an immediate, easy and inexpensive means of withdrawing consent to the optional collection, use and disclosure of their personal information be provided. She therefore recommended that the bank review its opt-out procedures with a view to ensuring that they fully meet the guidelines established by this Office and report back to her on its progress in this regard.