Customer protests when company says it gave away his e-mail account

PIPEDA Case Summary #2002-41

[Principles 4.3, 4.7 and 4.7.1, Schedule 1; section 5(1)]

Complaint

A customer complained that his internet service provider had failed to institute appropriate safeguards to protect his personal information. Specifically, he alleged that the company, by reassigning his e-mail address to another customer, had enabled a third party to gain access to his personal information without his knowledge and consent.

Summary of Investigation

The complainant subscribed to two main services with the company in question. Under his internet service, he had a primary and two secondary e-mail accounts. After an absence of several days, he found that he was unable to connect to one of his secondary accounts. A customer service representative for the company told him that the e-mail address for the account in question had been reassigned to another customer. A supervisor confirmed the reassignment and maintained that such practice was allowable under the customer service agreement the complainant had signed. When the complainant protested, the supervisor agreed to return the e-mail account to him.

The complainant remained concerned about the possibility that while reassigned his account had been accessed and his e-mails intercepted. He initiated correspondence with various company representatives with a view to determining to what extent if any his personal privacy had been breached. When he could not obtain a satisfactory response from the company, he filed his complaint under the Personal Information Protection and Electronic Documents Act.

After conducting an internal inquiry, the company reported that the reassignment of the complainant's account had been the result of a clerical error. During a change of residences, the complainant had requested a transfer of service, but it had been recorded instead as a disconnection of service. The Office of the Privacy Commissioner suggested that this explanation did not seem reasonable on two counts: (1) the complainant's change of residences and transfer of internet service had occurred a full three months before the disruption in service to the account in question; and (2) there had been no similar disruption in service to the complainant's other two e-mail accounts.

After conducting further inquiries, the company came back with a more plausible explanation, relating to a request the complainant had recently made for combined billing of both main services to which he subscribed. Combining service accounts for billing purposes involves a complex technical procedure whereby e-mail accounts are detached and kept in a "holding tank" pending linkage of the main service accounts. Ordinarily, once linkage occurs, the e-mail accounts are then taken out of the holding tank and reassigned to the account holder. In the complainant's case, two of his e-mail accounts were duly taken out of holding and reassigned to him, but the third was overlooked and remained in the tank until the complainant drew attention to it.

The investigation confirmed that this anomaly had indeed occurred, that the third account had remained inaccessible while in holding, and that it had at no time been reassigned or released to any customer, despite the customer service staff's original report.

Commissioner's Findings

Issued March 15, 2002

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because internet service providers are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7, Schedule 1, states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 stipulates that the safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Section 5(1) states that every organization shall comply with the obligations set out in Schedule 1.

The Commissioner was satisfied that no improper disclosure of the complainant's personal information had occurred. He determined that the company had not by any failure on its part enabled a third party to gain access to the complainant's personal information. Since no breach of security had been demonstrated, he could not conclude that the company had failed to institute appropriate safeguards. Nor did the circumstances warrant his consideration of any exception to the requirement for the individual's knowledge and consent. He found therefore that the company had not been in contravention of Principles 4.3, 4.7 and 4.7.1 and section 5(1).

The Commissioner concluded therefore that the complaint was not well-founded.

Further Considerations

At a meeting with company officials, the complainant accepted the company's explanation and was satisfied that his personal information had not been disclosed to any third party. He also accepted the company's apology for poor initial customer service, which the company insisted was not typical but rather well below its usual standard. The complainant was very pleased with the outcome of this meeting and considered his complaint thereby resolved, as the Commissioner was pleased to note in presenting his findings.