Pension and benefit provider agrees to revamp authentication and address-change procedures after misdirected mailings

PIPEDA PIPEDA Case Summary #2015-014

December 15, 2015

Lessons Learned

  • Organizations must keep the contact information of their clients accurate and up-to-date. Organizations that use this information to send documents containing sensitive and/or confidential information to their clients should be particularly mindful.
  • One of the more serious consequences of not keeping up-to-date contact information is the increased risk of sending (and possibly disclosing) clients’ personal information to unauthorized parties. As well, clients themselves may miss out on important correspondence from the organization, which could ultimately impact the services they receive.
  • Carefully authenticating clients at the get-go ─ i.e., before discussing any of their personal information with them ─ is essential to maintaining the accuracy of their clients’ personal account information. By first verifying the client’s identity, unauthorized changes made to their personal account information, including their contact information, can be prevented. For additional information on identification and authentication, see “Guidelines for Identification and Authentication”.

Complaint

An employee complained that her employment pension and benefit provider: (i) disclosed her unique identifier to a third party without her consent; (ii) failed to keep her address information accurate; and (iii) failed to implement appropriate safeguards to protect her personal information from unauthorized disclosure and modification.

Summary of Investigation

In our investigation we found that another member of the complainant’s pension and benefit plan, who had the same name as the complainant, had telephoned the plan provider, asking that a document be re-sent to her at her new mailing address. However, to change a member’s address on file required a written request, including the individual’s unique ID number. In this case, the woman indicated that she did not know her ID number and so the provider performed a search to retrieve it and gave her the complainant’s ID number in error.

The provider then made the address change. Consequently, the complainant’s mailing address was changed to the address of the woman who shared her name.

This resulted in five subsequent mailings from the provider to the complainant ─ some containing a considerable amount of potentially sensitive personal information ─ being sent to the wrong address. One of these contained time-sensitive insurance-related forms for the complainant to fill out and return.

Several months later, the provider recognized and corrected its error, after receiving back the envelopes from the post office one by one and then verifying the complainant’s address with her.

Sometime thereafter, the complainant received a notice stating that she had, for all intents and purposes, lost her life insurance coverage after failing to return certain forms. This caused the complainant to look into the matter more closely, eventually leading to her filing a complaint with our Office.

The provider gave the complainant a summary of its own internal investigation, which concluded that her address had been incorrectly changed and her ID number given to the other woman.

The provider confirmed that all five misdirected mailings had been returned unopened, showing no evidence of any disclosure of the information they contained. It also confirmed that a member’s ID number alone could not be used to access an account.  

The provider agreed to reinstate the complainant’s cancelled insurance retroactively, subject to her reimbursing the unpaid fees associated with the period during which she had lost her coverage.

Outcome

Our Office questioned why proper authentication of the caller had apparently not taken place before the complainant’s ID number was given out to the plan member with an identical name. This was in contravention of Principles 4.7 and 4.7.1.  In addition, it was of concern to us that the five envelopes addressed to the complainant ─ returned to the provider over a period of several months ─ did not trigger a review of her inaccurate contact information sooner along with a suspension of mailings to her. This was a contravention of Principles 4.6 and 4.6.1.

The provider admitted that the complainant’s ID number was disclosed to a third party without her consent (contravening Principle 4.3) and that its authentication procedures had not been followed in this case. Accordingly, it agreed to make changes to its customer identification and authentication policies and practices by the end of 2016. These changes include: (i) developing a privacy plan; (ii) reviewing its address change process; (iii) improving forms and training; (iv) improving privacy incident response procedures; and (v) providing associated training to employees.  

The provider stated that it had already updated and improved its mailing processes, in light of its failure to detect and correct the complainant’s erroneous address. 

Lastly, the provider agreed to submit to a third-party privacy audit to confirm that all the changes it agreed to make to its customer identification and authentication policies and practices are implemented and PIPEDA-compliant. It also agreed to forward our Office a copy of the auditor’s report for our review and acceptance by the end of the first quarter of 2017.

Consequently, we found the matter to be well-founded and conditionally resolved, based on the provider’s commitment to implement our recommended changes by the end of the first quarter of 2017.

Date modified: