Wednesday, February 09, 2005

Alberta Commissioner finds three businesses failed to protect personal information from identity thieves

The Alberta Information and Privacy Commissioner has released three investigation reports, castigating three Alberta businesses for failing to protect personal information from identity thieves.

Investigations find Alberta businesses failed to protect personal information from identity thieves

Recent investigations by the Office of the Information and Privacy Commissioner (OIPC) found that three Alberta businesses failed to protect personal information in their custody.

On November 24, 2004, Edmonton Police Service (EPS) notified the OIPC that documents containing personal information from a number of Alberta businesses were found during a police investigation. Some of the records were found in a motel room; others were subsequently turned over to police by two individuals charged with credit card fraud. The records included return of goods slips, debtor account files from a collection agency, and cell phone contracts. Personal information in the records included Social Insurance Numbers, bank account information, credit card numbers, and customer signatures.

In response to the information from EPS, Information and Privacy Commissioner Frank Work initiated investigations of Linens ‘N Things, Nor-Don Collection Network Inc., and Digital Communications Group Inc., under the Personal Information Protection Act (PIPA).

PIPA applies to private sector organizations in Alberta, and requires them to protect personal information against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.

The investigators found that these businesses failed to protect personal information in their custody.

Recommendations from the investigations required all three organizations to contact the individuals whose information was, or may have been, exposed to identity theft. In at least one case this meant contacting hundreds of customers. Additional recommendations required the organizations to:

  • ensure all records containing personal information are stored securely,
  • limit access to personal information to staff on a “need-to-know” basis,
  • develop procedures for storage, retention and destruction of personal information, and
  • provide privacy and security training/awareness for employees.

One organization was also required to obtain computer equipment to obscure credit card numbers printed on receipts and return slips. Along with the affected individuals, these three businesses were victimized in these incidents, but each is responsible under PIPA for securing personal information.

The OIPC is advising other businesses not to put themselves in the same situation.

To obtain a copy of an Investigation Report, click the following links:

Investigation #P2005-IR-001 (Linens ‘N Things)

Investigation #P2005-IR-002 (Nor-Don Collection Network Inc.)

Investigation #P2005-IR-003 (Digital Communications Group Inc.)
