Media Relations
Contact:
Anne-Marie Hayden
Tel: (613) 995-0103
Non-journalists are invited to contact our Information Centre. Please call
1-800-282-1376 (toll free) or (613) 947-1698 and ask to speak with an Information Officer.
Address:
112 Kent Street
Ottawa, ON
K1A 1H3
Fax: (613) 995-1139
OTTAWA, June 8, 2010 – Several mortgage brokerages improved some privacy and security measures following a string of major data breaches, but failed to implement controls to raise the alarm about any future suspicious activity, a privacy audit has found.
The audit by the Office of the Privacy Commissioner of Canada (OPC) was launched after the brokerages reported 14 data breaches in the space of a few months in mid-2008. In each case, someone impersonating an experienced mortgage agent downloaded credit reports for people who hadn’t even applied for a mortgage. As a result, the personal information of thousands of people across Canada was compromised.
“The breaches prompted the brokerages to take some positive steps to better protect personal information. However, our audit found that those changes did not go far enough,” says Privacy Commissioner Jennifer Stoddart.
“As a result, the personal information of clients – not to mention any number of other people with absolutely no connection to the brokerages – was left at risk.”
The audit also raised concerns about data security; haphazard storage of documents containing personal information; inadequate consent by clients; and a general lack of understanding about, and accountability for, privacy issues.
The audit is described in the Commissioner’s 2009 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled in Parliament today.
The annual report also highlights the issue of cross-border data flows and the challenge of enforcing privacy rules in a world where these global data flows have become multipoint and multidirectional. It summarizes a number of 2009 privacy complaint investigations, noting that a growing number of the OPC’s investigations are exploring how privacy laws apply in the virtual world.
As the report’s summary of the latest OPC private-sector audit describes, mortgage brokers represent a large and growing segment of the mortgage industry in Canada – accounting for one-quarter of all mortgage transactions. They need to obtain credit reports from credit reporting agencies in order to assess an individual’s eligibility for a mortgage. Credit reports contain extensive personal information that can be used by criminals to commit identity fraud.
Following the breaches, the five audited brokerages significantly tightened their practices for hiring agents. However, the audit found there was a lack of adequate controls to restrict agents’ access to credit reports. Specifically, the web-based tool used to obtain credit reports doesn’t allow brokers to limit the number of credit reports an agent can download. In addition, there are no technological controls to monitor for, and raise the alarm about, suspicious activity.
Among the other risks to personal information highlighted in the audit:
One of the five audited brokerages is no longer in the mortgage broker business. The four others still operating stated they would implement all of the recommendations in the OPC’s audit report.
“In the wake of our audit, we have ongoing concerns about the controls and safeguards in the way in which credit reports are obtained. We are following up with the company that provides this tool to mortgage brokers, with industry associations and with Canada’s credit reporting agencies to discuss best practices for the exchange of personal information,” says Assistant Commissioner Elizabeth Denham.
“We are also continuing to work with mortgage broker associations to develop guidance documents that will help them meet their obligations under Canadian privacy law.”
The annual report and the mortgage brokerage privacy audit report are available at www.priv.gc.ca.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
— 30 —
Valerie Lawton
Office of the Privacy Commissioner of Canada
Tel: (613) 943-5982
E-mail: Valerie.Lawton@priv.gc.ca