Language selection

Telecommunications company accused of not protecting account against unauthorized access

PIPEDA Case Summary #2003-137

[Principle 4.7 of Schedule 1]

Complaint

An individual complained when her estranged spouse accessed her cellular phone account on the Internet, without her permission.

Summary of Investigation

The complainant's cell phone account was protected by two passwords and contained a notation that her husband was not to have access to the account. She had never used the Internet to retrieve her account information, preferring to use the telephone instead. Her husband, however, accessed her account via the Internet and printed copies of the account activity. He had access to the complainant's home, and she had reason to believe that he had read her account statement and used it to gain access electronically to her account.

The company confirmed that it was possible to establish Internet access by using information that appears on the account statement. The client would have to create a customer profile, which required the name of the client, the client number, postal code, and either the personal identification number (PIN) used for telephone access or the amount of the last bill. With the exception of the PIN, which the complainant had never shared with her husband, all of this information was available on the account statement.

The investigation confirmed that it is impossible to create a profile without having the required information to verify one's identity as a customer. Since the husband had access to the complainant's home, he had access to all of the personal identifiers required to impersonate her.

When informed of what happened, the company gave the complainant a new account, which is protected and contains a notation that the husband should not have access to any information.

Commissioner's Findings

Issued March 6, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a telecommunications company is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

While the Commissioner agreed that the husband likely used the statement to access the account and that an organization is responsible for protecting personal information against unauthorized access, he did not think the company could have done anything more to prevent a situation in which a husband impersonated his wife to gain access to her account. He was satisfied that, under normal circumstances, the only way that Internet access for the cellular account could be established was by providing account information that typically only the client and the company would know. He therefore found that the company had met its obligations under Principle 4.7.

The Commissioner concluded that the complaint was not well-founded.

Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):

Note

Date modified: