Insurance company overhauls its security safeguards following privacy breach

PIPEDA Report of Findings #2014-003

March 3, 2014


An applicant received a letter from his group insurance company informing him that his file was among over one hundred that had gone missing while being transferred between the company’s offices located in two different cities. Although the letter informed him of certain actions taken by the company, the individual wanted to know more about the circumstances of the incident and what could be done to protect him from any fallout. His file contained a significant amount of personal information, including his salary, signature and sensitive medical information.

At about the same time, the company sent security breach notices to our Office and several provincial privacy commissioners.

The individual eventually filed a complaint with our Office about the level of safeguards the insurance company had in place at the time of the incident.

During our investigation, the insurance company established that it had pro-actively initiated security improvements as soon as it was made aware of the incident. Apart from its initial letter, the company offered affected individuals free access to a credit-monitoring service and the opportunity to contact a company representative. It also conducted full searches of both of its offices involved in the breach. Further, it conducted an in-depth internal investigation, including interviews with key employees and couriers, in part to shed light on any potential misconduct or fraudulent behaviour. That investigation was documented in a detailed report, which our Office reviewed.

The company also put into place significant remedial safeguard measures. It first implemented a system of tracking applicants’ files sent to underwriters. This was soon augmented by a new process of electronically transferring applicant files between offices, replacing paper files with scanned versions and relying on a secure Web site accessible only by certain key company employees.

As a result of our investigation, our Office concluded that the insurance company’s security safeguards in place for the control and tracking of sensitive group insurance files at the time of the incident were inadequate and did not meet the requirements of Principles 4.7 and 4.7.1 of Schedule 1 of PIPEDA. However, in light of the breadth of scope and the overall timeliness of all the company’s actions to make improvements — not the least of which was an all-inclusive review and eventual overhaul of its safeguard measures — our Office found that the matter was well-founded and resolved.

Lessons Learned

  • Organizations must protect personal information by implementing security safeguards appropriate to the sensitivity of the information.
  • Organizations must have security safeguards that protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. More sensitive information should be safeguarded by a higher level of protection.
  • In the future, organizations handling personal information can benefit by becoming familiar with our Office’s published document Ten Tips for a Better Online Privacy Policy and Improved Privacy Practice Transparency.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

  1. The complainant raises the issue as to whether an insurance company (the “Respondent”) had in place appropriate security safeguards to protect personal information sent between two of its offices.
  2. Specifically, the complainant claims that the Respondent lost his personal information in his insurance file when it went missing in transit between the Respondent’s offices, located in two Canadian cities.
  3. As a result of the complainant’s experience, the Respondent re-assessed its processes and implemented a more secure process for the registration and transfer of insurance files.
  4. Based on our investigation, and for the reasons that follow, we find the complaint to be well-founded and resolved.

Summary of Investigation

  1. The complainant submitted an application to the Respondent to increase the amount of his existing life insurance coverage under his employer’s group insurance policy.
  2. A few months after submitting the application, he received a letter from the Respondent. The letter informed him that his personal information (including sensitive medical information) had been misplaced while in transit between two of the Respondent’s offices, located in different cities. The letter advised the complainant that misplaced information may have included his name, address and date of birth as well as his medical, employment and insurance information.
  3. In addition to details of the loss, the Respondent’s letter described how it was responding to the incident, including how it was working to increase the security of its customers’ files to prevent the recurrence of such an incident.
  4. The complainant followed up with a complaint to the Respondent’s privacy officer. At the same time, he filed a complaint with our Office, which we accepted on March 28, 2013.
  5. In his complaint to our Office, the complainant expressed interest in obtaining a better understanding of the root cause of the incident, the safeguards in place at the time of the incident and what could be done to minimize any damage resulting from the exposure of his personal information.

The Respondent’s reply to the complainant

  1. After its letter advising the affected participants of the incident, the Respondent replied to the complainant’s email request for additional information. In its reply, the Respondent offered the complainant a credit monitoring service, as it did to all participants affected by the incident within the complainant’s employer group insurance policy.
  2. The Respondent believed that it had advised the complainant that a customer service representative would contact him with more details of the incident. However, this did not actually occur, due to what the Respondent now considers to be a miscommunication. The Respondent stated that it was entirely unaware of this miscommunication and that it was only brought to light during our Office’s investigation.
  3. One month later, the complainant asked the Respondent to provide an update of its internal investigation into the matter. He was informed the next day that he could call the Respondent for further details. The Respondent reports that no further correspondence or communication was received from the complainant.

Our Office’s investigation

  1. The Respondent’s underwriters are located in a different city than some of the Respondent’s other operations.
  2. The complainant’s file was among a group of insurance files which went missing in transit between the two cities. Most of these files were never located.
  3. The complainant’s file was received by the Respondent’s underwriters one week after being sent to them.
  4. However, after the underwriters sent the file back, it went missing.
  5. The Respondent determined that the following personal information of the complainant was included in his file: name; address; date of birth; height/weight; salary; a copy of his signature; life insurance amounts (current coverage and requested coverage); medical information declared on the application form; medical information declared on a paramedical exam; results of a medical test; and an underwriter’s notes and decision on the application. The complainant’s social insurance number was not part of his file.
  6. A complete search of relevant floors in both the Respondent’s premises was conducted in an effort to locate the files. A small number of the missing files were located as a result.
  7. The Respondent also conducted an extensive investigation of the incident. This included interviews with key employees in both its offices (e.g., mailroom staff and underwriters) and drivers with two private courier companies involved. The emails of a key underwriter were also reviewed.
  8. The Respondent reported to our Office that one of the couriers confirmed that it would return any envelopes with no addresses that it found to the organization.
  9. The Respondent provided our Office with a copy of its investigation report. We examined the report which fully documented the investigation and concluded that no employee misconduct or fraudulent misappropriation could be detected. However, the report notes several changes in mailing resources and operations that occurred prior to the incident as well as previous issues related to not having a file tracking system in place, which in our view, contributed to the breach.

Procedures for handling files at the time of the incident

  1. Based on the information we received from the Respondent, we were able to establish the following about its procedures for the underwriting, transferring and tracking of files before the files went astray. These are described below.
  2. All group insurance applications (including medical reports and other supporting documents) were sent by private courier from one office to the underwriters in the office in the other city. The mailroom staff in the sending office would insert the envelopes into the courier’s bin, which would then be sealed. Another private courier company would be used to transport the bin.
  3. The sending mailroom did not keep a log of what was put into the courier’s bin and the group insurance administration team did not keep a log of what was sent to the underwriters.
  4. Once at the underwriters’ offices, the local mailroom staff would open the sealed courier bins and distribute the envelopes to the underwriters.
  5. The underwriters kept an electronic log of what they received, entering the date that a file was received, the file number and the individual’s name.
  6. After an underwriter reviewed and assessed a file, he or she would insert the file into an envelope and the mailroom staff would pick it up so it could be sent back to the first office, again via courier.

Procedures for handling files post-incident — file registration and transfer

  1. As a result of the incident that precipitated the current complaint, the Respondent re-assessed its processes and implemented a more secure process for the registration and transfer of participant files. Notably, this occurred even before the complainant filed his complaint with our Office.
  2. Specifically, the Respondent’s group insurance administration services first began by assigning a tracking number to files processed by the two offices. Senders and recipients are now aware of the quantity of files being sent for underwriting, which are all individually identified by a tracking number.
  3. To better manage the transfer of files, the Respondent implemented a new electronic process about two months later. All files are now imaged before being scanned to a secure Web site. Certain staff members in the two offices have access to the Web site in order to perform their reviews and analyses. This replaces the carriage of paper files that previously took place between the two offices.
  4. Consequently, it is now possible to document when files are electronically received by the underwriters and received back by the group insurance administration team. The Respondent reported to our Office that no files have gone missing since the new processes were adopted.

Application

  1. In making our determinations, we applied Principles 4.7 and 4.7.2 of Schedule 1 of the Act.
  2. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  3. Principle 4.7.1 states that security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. More sensitive information should be safeguarded by a higher level of protection.

Findings

  1. At issue is whether appropriate security safeguards were in place at the time that the complainant’s personal information was sent for processing between the Respondent’s offices in January 2013.
  2. Our investigation revealed a loss of sensitive medical and other personal information under the control of the Respondent. In our view, the Respondent’s measures in place for the control and tracking of sensitive group insurance files at the time of the incident were inadequate and did not meet the requirements of Principles 4.7 and 4.7.1 of Schedule 1 of the Act.
  3. We note that, following the incident, the Respondent pro-actively sent security breach notices to our Office and several provincial privacy commissioners. It also notified the affected participants. Furthermore, the Respondent conducted a detailed and comprehensive internal investigation, which included interviewing employees at both offices, interviewing the third party couriers and searching the premises for the missing files. The investigation was documented in a detailed report that we were able to examine. The investigation established that the disappearance of the files was most likely due to inadequate controls and changes to its mailing system.
  4. Before our Office’s investigation, the Respondent took pro-active steps to adopt stricter safeguard measures to better manage the tracking, scanning and transferring of files and to prevent any recurrences.
  5. Personal data from group insurance files are now imaged and transferred to authorized employees via an encrypted Web site. It appears that no subsequent breaches have occurred since these new measures were implemented.
  6. We also note that the Respondent offered a credit monitoring service to participants affected by the breach, including the complainant. This is an initiative of merit that can minimize potential negative outcomes caused by personal data exposure.
  7. Our Office is thus satisfied with the Respondent’s measures to address the security safeguards issues raised by this incident.

Conclusion

  1. Accordingly, we conclude that the matter is well-founded and resolved.
