Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Report of Findings # 2012-006
Failure to follow authentication procedures allowed imposter to modify client’s cellular phone contract without his knowledge or consent
A telecommunication firm’s mall kiosk was approached by the stepson of one of its account holders. While the stepson was an authorized user of his stepfather’s cell phone account, he lacked authority to modify the account. Impersonating his stepfather, the stepson had the kiosk employee modify the terms of the phone service and renew the contract. The stepfather made a complaint with the telecommunication firm upon becoming aware of the unauthorized changes. He claimed that the unauthorized changes were followed by collection agency calls about outstanding charges on his account.
The Assistant Commissioner found that the telecommunication firm had used the account holder’s personal information without his knowledge or consent to modify and renew his account. Further, she found that the firm had not maintained the safeguards necessary to protect customer personal information when the kiosk employee bypassed the company’s standard client-authentication procedures and allowed the stepson to modify and renew the contract by impersonating his stepfather. The Assistant Commissioner determined that the telecommunication firm addressed the matters at issue during the investigation by providing remedial training to the kiosk employee and reminding all customer service representatives of the requirement to authenticate account holders before using or disclosing personal information.
The complaint was well-founded and resolved.
- Organizations must be vigilant in protecting customer personal information by using safeguards appropriate to the sensitivity of the information. For example, before using or disclosing to a requester any personal account information, organizations must first properly authenticate and validate the requester.
Report of Findings
Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)
1. The complainant alleges that a mobile telecommunications firm (“the Respondent”) improperly used his personal information when it allowed his mobile phone contract to be altered by an unauthorized party.
Summary of Investigation
2. The complainant had a cellular telephone account with the firm. His stepson was authorized to use one of the phones registered under the account.
3. The complainant learned that his stepson had renewed the account for another three years, with revised terms and conditions, despite lacking authority to make administrative changes.
4. In setting up the new service agreement signed by the stepson, the telecommunications firm used the complainant’s personal information, specifically his name, home address, home and business telephone numbers, email address, and account password.
5. The complainant immediately raised this issue with the telecommunications firm, sending letters to the highest levels of the organization’s management. The firm replied to the complainant and proposed to reduce the amounts owing. Not satisfied with the proposal and concerned about a potentially negative impact on his credit rating, the complainant filed the current complaint with this Office, which we accepted on April 12, 2011.
6. The Commissioner for Complaints for Telecommunication Services (the “CCTS”) led an investigation into the same events. The CCTS’s preliminary report stated that the telecommunications firm had violated the terms of the complainant’s cellular contract by permitting his stepson to modify that contract.
7. During this time, the complainant was being contacted by at least one collection agency with regard to outstanding balances on his cellular account (including late payments and other fees).
8. The telecommunications firm then informed our Office that its own investigation into the matter had concluded.
9. Its investigation determined that the stepson had misrepresented himself to the kiosk employee by stating that he was the account holder. However, the firm admits that the kiosk employee did not follow the proper customer validation process and did not request identification to fully authenticate the individual. According to the firm, all authorized dealers follow the same client validation process and must request two pieces of identification from a customer who wants to access or make changes to an account.
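As an added illustration, not part of the original report and not the Respondent’s actual system, the following Python models the validation process paragraph 9 describes: two pieces of identification are required before any account access, the identity used for the decision is the one on the documents rather than the one the requester claims, and only the verified account holder may change contract terms while an authorized user may merely use the account. The account, names, document types and action names are all constructed assumptions; the example goes slightly beyond the paragraph by also flagging a mismatch between the claimed identity and the identification presented.

```python
"""Added example: authentication-before-authorization check for account changes.

Constructed for illustration; the Account structure, ID document format,
action names and sample data are assumptions, not the firm's real process.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed: an identification document is (document type, name printed on it).
IdDocument = Tuple[str, str]


@dataclass(frozen=True)
class Account:
    account_id: str
    holder: str                 # only the holder may change contract terms
    authorized_users: Set[str]  # may use a line, but not modify the account


# Constructed: actions a representative can perform on an account.
READ_ONLY_ACTIONS = {"view_balance"}
ADMIN_ACTIONS = {"renew_contract", "change_plan", "add_line"}


def verify_identity(presented: List[IdDocument]) -> Tuple[bool, str]:
    """Two-piece ID check: return (verified, name on the documents).

    Two documents of different types are required, and both must carry the
    same name.  No documents, one document, two of the same type, or
    documents that disagree all fail validation.
    """
    types = {doc_type for doc_type, _ in presented}
    names = {name for _, name in presented}
    if len(presented) < 2 or len(types) < 2 or len(names) != 1:
        return False, ""
    return True, names.pop()


def authorize(account: Account, action: str, claimed_name: str,
              presented: List[IdDocument]) -> Tuple[bool, str]:
    """Decide whether the person at the counter may perform `action`.

    Authentication (who is this?) happens first and uses only the presented
    documents; authorization (what may this person do?) is then decided from
    the verified name, never from what the requester says about themselves.
    The returned reason string is what an audit log would record.
    """
    verified, name = verify_identity(presented)
    if not verified:
        return False, "identity not verified: two matching pieces of ID required"
    if name != claimed_name:
        # The paragraph-9 scenario: a claim to be the account holder that the
        # documents do not support is denied and worth logging as a red flag.
        return False, f"claimed identity {claimed_name!r} does not match ID for {name!r}"
    if action in ADMIN_ACTIONS:
        if name != account.holder:
            return False, f"{name!r} is not the account holder"
        return True, f"{name!r} verified as account holder"
    if action in READ_ONLY_ACTIONS:
        if name == account.holder or name in account.authorized_users:
            return True, f"{name!r} is an authorized user"
        return False, f"{name!r} has no access to the account"
    return False, f"unknown action {action!r}"


# Constructed sample data mirroring the facts of the finding.
ACCOUNT = Account("ACC-0001", holder="Holder A", authorized_users={"Stepson B"})
STEPSON_IDS = [("driver licence", "Stepson B"), ("passport", "Stepson B")]
HOLDER_IDS = [("driver licence", "Holder A"), ("health card", "Holder A")]

if __name__ == "__main__":
    # No ID requested at all, as happened at the kiosk: the request must fail.
    print(authorize(ACCOUNT, "renew_contract", "Holder A", []))
    # Stepson claims to be the holder but his own documents say otherwise.
    print(authorize(ACCOUNT, "renew_contract", "Holder A", STEPSON_IDS))
    # Stepson, honestly identified, may use the account but not renew it.
    print(authorize(ACCOUNT, "view_balance", "Stepson B", STEPSON_IDS))
    print(authorize(ACCOUNT, "renew_contract", "Stepson B", STEPSON_IDS))
    # The holder, properly identified, may renew.
    print(authorize(ACCOUNT, "renew_contract", "Holder A", HOLDER_IDS))
```

The point of splitting `verify_identity` from `authorize` is that the privilege decision can never be reached with an unverified or self-asserted name, which is exactly the control the kiosk employee skipped.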
10. Consequently, the telecommunications firm waived all outstanding charges from the complainant’s account and re-confirmed to us that the credit-reporting agency had been contacted to ensure that no mention of the incident was made on the complainant’s credit report.
11. This Office was advised by the telecommunications firm that the kiosk employee had been duly re-trained as a result of the incident. As well, a reminder was sent to all customer service representatives, advising them that identification is necessary to properly authenticate account holders.
12. In making our determinations, we applied Principle 4.3 from Part 1 of the Act. This principle requires, in part, the knowledge and consent of the individual for the use of an individual’s personal information, except where inappropriate.
13. We also applied Principle 4.7, which states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
14. Principle 4.7.1 is also relevant. It stipulates that security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
July 25, 2012
15. At issue is whether the telecommunications firm used the complainant’s personal information without his knowledge and consent when it established a new mobile phone contract.
16. The investigation determined that the complainant’s stepson misrepresented himself to the kiosk employee and entered into a new mobile phone contract with the telecommunications firm. Having failed to properly authenticate the individual, the employee then used the complainant’s personal information to renew the contract. This unauthorized use contravenes Principle 4.3.
17. Furthermore, by circumventing its established security safeguards and not requesting proper identification from the stepson, the telecommunications firm did not comply with Principles 4.7 and 4.7.1.
18. In our view, the Respondent addressed the matters at issue during the course of our investigation. Specifically, the Respondent ensured that remedial training was provided to the kiosk employee in question.
19. Further, to avoid any recurrence, the firm sent a reminder to all of its customer service representatives informing them that they must always authenticate account holders before making any transactions using or disclosing personal information from that individual’s account.
20. Accordingly, we conclude that the matter is well-founded and resolved.