Life insurance company employs best practices in responding to mass mailing error that risked exposing personal information

Incident Summary #5

Incident

A life insurance company became aware that the personal information of 53 of its pension plan members may have been exposed to others through the mail. The insurance company was using a new type of window envelope to mail plan members their options statement document. The window of the new envelope was larger than that used previously for the same document.

As a result, ten days after the mailing, the insurance company realized that certain personal information printed on the statements below a member's address could be visible if the statement shifted during mailing.

That personal information was the following: the certificate number; social insurance number (SIN); date of birth; spouse's name; and named beneficiary.

Outcome

Once aware of the incident, the company began notifying affected individuals with a letter in which it apologized for the incident and explained:

  1. how and when the incident occurred;
  2. what personal information may have been compromised and who it may have been exposed to;
  3. that there was an internal investigation;
  4. the name and phone number of a contact person where questions could be directed;
  5. that a one-year credit monitoring service was being offered by the insurance company for free; and
  6. what the company was doing to prevent a recurrence, including ceasing to use the problematic envelopes, adding a security alert to all affected accounts and inviting the member to add a security question to strengthen authentication.

Because the members’ SIN could have been exposed, the company also suggested in its letter that those affected take harm-reducing steps recommended by Service Canada on its website.

In addition to ceasing the use of the problematic envelopes that resulted in this incident, the company also stated that it was exploring the possibility of reformatting the statements to better conceal the personal information included or removing included personal information altogether unless legally required.

The company also notified our Office with details about the incident and its magnitude while illustrating how it had responded.

Final Comment

The insurance company showed clear evidence of having implemented best practices to respond to this incident.
