Bank employee uses customer's information to commit fraud

PIPEDA Case Summary #2003-121

[Principles 4.3, 4.5, Schedule 1]

Complaint

An individual complained that a bank employee had used his personal information without his knowledge and consent to commit identity theft and fraud.

Summary of Investigation

While doing some personal banking at his local branch, the complainant noticed a suspiciously large balance owing on his personal line of credit. The bank investigated and discovered that, following a telephone conversation with the complainant, an employee had accessed the complainant's account without his knowledge and consent, had used his name and telephone banking password to enrol in internet banking, had changed his mailing address in the bank's database, had issued cheques to the fraudulent address, and had written several cheques on the line of credit.

The bank subsequently closed the complainant's line-of-credit account, cancelled the debt incurred, and opened a new account for the complainant. The bank offered the complainant a monetary settlement, which he rejected as disproportional to the seriousness of the incident.

The bank's investigation revealed the identity of the employee in question, who was dismissed. This employee had been hired less than a year before the incident, but had passed a criminal record check and had participated in the privacy training that all new employees receive.

The bank acknowledged that, despite its best and most diligent efforts and its aggressive commitment to continuing development of counter-measures, the possibility might remain for a determined individual with criminal intent to circumvent security temporarily and defraud the bank.

Commissioner's Findings

Issued January 23, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner has jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

The Commissioner observed that the bank did not dispute that one of its employees had used the complainant's personal information, without his knowledge and consent, for purposes other than those for which it was collected - specifically, to commit fraud. Given that the bank had to accept responsibility for the behaviour of its employees in respect of its customers, the Commissioner found that the bank had thus been in contravention of Principles 4.3 and 4.5.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner noted that the bank offered the complainant compensation, which appears to be appropriate in the circumstances.

On review of the bank's fraud detection and prevention initiatives, the Commissioner did not find it necessary to recommend remedial measures in this case. He regarded the identity theft and fraud in question not as evidence of remediable systemic failure, but rather as a willful and unpredictable act of deceit on the part of an employee who had had no prior criminal record and who, through her knowledge of the system, had succeeded temporarily in circumventing security. He agreed with the bank that no security system, no matter how sophisticated and effective, may ever completely eliminate the possibility of such an act. He was reassured to see that, despite the temporary breach, the bank's security system had enabled the bank to quickly confirm and stop the fraudulent activity and to identify and deal expeditiously with the guilty party.