Saturday, July 15, 2006

Edmontonian writes about his data breach experience

In today's Edmonton Sun, Timothy le Riche writes about his recent experience of having his information compromised when an investment advisor lost his laptop:

Identity indemnity

It's been a tough a day at work, traffic was crazy getting home, and there you find a letter waiting that warns: "An incident has occurred which may have compromised the security of a file containing some of your personal information."

Great. Just what you need.

The letter that arrived at my house recently was from one of my investment dealers. A laptop computer was stolen, and, unfortunately, it contained client details such as my name, age, month of birth, address, home and office phone and fax numbers, e-mail addresses and some asset information.

They note that the information did not include my day of birth, social insurance number (S.I.N.) nor any banking details.

Even if this thief is able to hack through the password protection to get at the data, I don't think he'll be too impressed with my account. What I'm more concerned about is, of course, identity theft. So that's what I set out to deal with.

Now I'm not too pleased with this investment dealer in that a sensitive laptop could go missing, but I'll give them good marks for how they moved on it. They began by establishing exactly what information was on the computer and then took a series of actions.

First, they sent out a letter to affected investors like me, beginning with apology. Apologies don't solve much but at least offer an appropriate demeanour.

NOTIFIED POLICE

Then, they notified the police - and the letter I received includes the police file number. I can refer to this number in any dispute over future fraudulent charges against me, the letter explains.

My account with the dealer has been flagged. I am assured that extra measures will be applied to ensure validity of any requests on my account.

The dealer notified TransUnion of Canada Inc., one of two main credit reporting agencies, where a fraud warning was placed on my file. This one is important. In addition, the letter suggests that I contact Equifax, the other big credit agency, and flag my name there.

With my name flagged, those agencies will contact me first before issuing any credit under any application with my name on it.

My dealer has also notified the Alberta Privacy Commissioner, and pledges a security review with outside consultation. Finally, they offer phone numbers of top staff - including the chief privacy officer - whom I immediately called the next morning. Again, kudos to them. I was called back quickly. The privacy officer offered some more details and urged me to contact Equifax.

GENERIC FILE

I also called the police. Unfortunately, no single officer is assigned to the report number - it's a generic file. I am directed to the police website for information on identity theft: http://www.police.edmonton.ab.ca/Pages/identitytheft/

Equifax, it turns out, is one of those organizations that doesn't like to talk to people; they would rather have you press a series of phone buttons to deliver information.

I keyed in my S.I.N. and other details, as requested, and then I was informed my account is flagged. A computer voice said they will send me a copy of my credit report.

It is recommended that you check your credit report at least once a year.

Even though my investment dealer had no credit card information, I decided to call MasterCard for more information on identity theft and fraud.

It turns out they provide a free legal advice service to card holders. Top marks to MasterCard as well.

It seems I've tagged all the bases.

Now all I can do is wait.

And brace myself for that credit report - and whatever bad news it might reveal.

No comments: