"Identity Thief", a movie about – what else, identity theft – opens in theatres this February; but will it make the Privacy Commissioner's list of "top 10" privacy films?

Most Canadians have some awareness of identity theft, and there are resources – including online tip sheets prepared by the offices of the federal and provincial privacy commissioners – available to help individuals take steps to protect themselves.

In 2010, Bill S-4 amended the Criminal Code of Canada to create 3 new offences related to identity theft: obtaining and possessing identity information of another person with the intention to commit an offence; trafficking in identity information; and unlawfully possessing or trafficking in government-issued identity documents.

Notwithstanding the high level of awareness surrounding identity theft – so well-established as a cultural phenomenon that it forms the premise of a Hollywood movie – situations arise that remind us how easy it can be to assume another person's identity, and how important it is for us to be careful and for the companies we share our personal information with to be diligent about proper disclosure.

In an August 2012 finding (#2012-004) under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Privacy Commissioner of Canada considered a situation where a victim's cell phone company had disclosed his billing and call history information to a female caller who – while impersonating the victim – was able to change the victim's basic account information including his name, his gender and his personal identification number. The company's standard protocols, including proper authentication procedures, were ignored by its representative during the call.

The victim learned of the disclosure and made an access request to the company for his personal information and a transcript of the phone call. The company's initial response was slow, citing "confusion" as the reason for delay.

The company eventually sent the victim a transcript of the call and the Commissioner was satisfied the access issue was resolved. To address the non-compliant disclosure, the Commissioner directed the company to review "Getting Accountability Right with a Privacy Management Program" (April 2012), a joint document of the Privacy Commissioners of Canada, Alberta and BC.

The Report of Finding #2012-004 sends a message that companies must take active steps to prevent identity theft and to respond in a timely manner to an access request.

The report also includes a "Lessons Learned" section (excerpted below) which is a good reminder for companies and their employees:

Some Lessons Learned (emphasis added)

Disclosing the personal information of an account holder requires the consent of that individual.

Before discussing or divulging any personal account information, organizations must first properly authenticate and validate the identity of the requester.

Access to personal information requests must be responded to by the organization no later than 30 days after receipt of the individual's request. If the organization requires an extension to fulfill the request, it must send a notice of extension to the individual no later than thirty days after the date of the request.

While security policies and procedures are essential, their effectiveness depends on how diligently and consistently an organization follows them.
