
Interview with David Elder

February 2006

Interviewee: David Elder, Vice President, Regulatory Law, Bell Canada
Interviewer: Terry McQuay, President of Nymity
Subject: Maclean's Ability to Purchase Jennifer Stoddart's Phone Records

February 6, 2006

Nymity: Congratulations on Bell recently being ranked the number 1 Canadian company in the 2006 Canada's Most Trusted Companies for Privacy Study and number one in Nymity's 2005 Top Privacy Policies in Canada.

In November 2005, Bell was implicated in a breach involving the personal information of the Privacy Commissioner, Jennifer Stoddart. What are the facts that led to this unwanted media exposure and a privacy complaint?

Elder: Thank you. Bell is extremely proud to consistently rank so highly with respect to privacy protection. We've worked hard to earn this reputation, maintaining a long-standing commitment to protection of subscriber privacy.

With respect to the Privacy Commissioner's telephone records, we understand that the journalist in question hired a company known as LocateCell.com through its website. The site claimed that for a flat fee, the company could obtain call detail records, including long distance and cellular calling records, within 4 hours on business days. The journalist provided LocateCell.com with certain personal information concerning the Privacy Commissioner.

We further understand that representatives or employees of LocateCell.com then made several telephone calls to Bell Canada's customer service call centre, from several different locations in the United States. During these calls, the LocateCell representatives attempted to obtain the long distance records of the Privacy Commissioner by impersonating her, or through other false pretences.

Apparently, LocateCell was able to obtain wireless and landline telephone records from several Canadian companies in this way.

Nymity: LocateCell.com contacted telecommunication firms claiming they were the Privacy Commissioner to obtain phone records. Isn't that fraud? Isn't that illegal?

Elder: Yes, it is fraud, and it is illegal; however, the facts of this case present jurisdictional and enforcement challenges.

Had LocateCell been operating in Canada, this would clearly have constituted the collection, use and disclosure of personal information without the consent of the individual – a clear violation of PIPEDA. Accordingly, one could seek an injunction and damages from the Federal Court of Canada. However, the Assistant Privacy Commissioner of Canada has previously found, in CIPPIC's complaint respecting data broker Abika.com, that PIPEDA did not apply to organizations located in the United States, and that she lacked jurisdiction to compel the production of evidence to investigate a complaint against such firms.

There are also Criminal Code offences relating to personation or obtaining an advantage through false pretence; however, their application to cases where this sort of activity is used to obtain telephone records (as opposed to, for example, financial information) is unclear. And of course, the extraterritorial issue remains.

Nymity: So, if an individual located in Canada defrauded a Canadian organization, they would be subject to the Criminal Code. But if they are located in the USA, they can operate with immunity? Do Canadian authorities have the ability to pursue this matter in the U.S.?

Elder: Canadian authorities have indicated that they lack the jurisdiction to pursue this matter directly. There is a Mutual Legal Assistance Treaty (MLAT) between Canada and the U.S. that covers criminal matters, which would theoretically allow Canada to request assistance from the United States to gather evidence to support a prosecution; however, the process is extremely cumbersome, and tends to be used only for high-profile cases involving significant threats to public safety.

Nymity: Bell followed compliant customer authentication practices, had trained employees and disclosed information to the person thought to be the Privacy Commissioner. Is it possible the complaint would be declared "Not Well-founded", as Bell is compliant with PIPEDA?

Elder: Certainly, it is possible. In all organizations, from time to time, there may be collection, use or disclosure of personal information without consent – notwithstanding the best efforts and diligence of the organization in question. In the case at hand, we feel that the Privacy Commissioner was not the only victim of fraud: Bell Canada was as well.

Nymity: PIPEDA states in section 4.4 that "Information shall be collected by fair and lawful means". The U.S. data broker, LocateCell.com, collected the Privacy Commissioner's personal information in an unlawful manner. Are they in violation of PIPEDA? Did the Commissioner's Office file a complaint against LocateCell.com?

Elder: Not to my knowledge, no. Nor do I think the OPC would be likely to do so, given their earlier findings in the Abika.com complaint. But were they operating in Canada, I'm sure they would.

That being said, companies like LocateCell.com are certainly attracting attention from courts, legislators and regulators south of the border. In recent weeks, we've seen several injunctions issued against data brokers, as well as two separate congressional bills intended to explicitly target the data broker industry.

Nymity: Do you believe that Maclean's obtained the Commissioner's personal information in an unlawful manner? Are they subject to a Commissioner's investigation?

Elder: That's an interesting one. Under PIPEDA, even if Maclean's were to be found to have collected personal information without consent, the magazine would not have violated the Act, since it contains an explicit exemption for collection, use and disclosure that is solely for journalistic, artistic or literary purposes.

Similarly, under the Criminal Code, Maclean's and its reporter might be found to lack the necessary intent to attract criminal liability.

Nymity: You refer to this data broker collection activity as "Pre-texting". In fact, the U.S. Gramm-Leach-Bliley Act has a section on "Pre-texting". Please define "Pre-texting" for our subscribers, and say whether this could be an ongoing risk to corporate Canada.

Elder: In simplest terms, pre-texting means misrepresenting who you are and why you are seeking the information. It is sometimes known as "social engineering". It is all about manipulating people, through whatever means necessary, to trick them into providing you with the information you desire. At a minimum, it is lying; in practice, it may also include tactics such as intimidation or playing on the sympathies of customer representatives who are trained to provide good customer service. It is a lot like the tricks used every week on all those 70's detective shows – only when it comes to real people and real information, it's much more sinister.

This is an ongoing risk for any business that does business with their customers over the telephone and that retains data of interest to third parties. That being said, while the risk is there, we are not aware of many instances in which personal information has, in fact, been disclosed by Canadian organizations, including telephone carriers, to data broker firms such as LocateCell.com.

Nymity: Why did Bell issue a news release? Is that a standard practice for breach incident management? Didn't that draw more attention to the situation?

Elder: We felt it was important to ensure that our story was adequately told, in order to assure our subscribers that their personal information continued to be well-protected. I don't think that ultimately it did draw more attention to the situation, although that is something we did think hard about when we were considering the release. We certainly didn't want to inadvertently provide free advertising to the likes of LocateCell.com.

Nymity: Bell, and other telecommunication firms, have enhanced their customer authentication processes as a result of this incident. How has this impacted costs and customer service?

Elder: Yes, it has. Any time you add to the length of a customer interaction, you increase both customer irritation and cost. Protecting customer privacy and providing prompt, hassle-free customer service can sometimes be a fine balance.

We have actually had complaints from a number of customers respecting our enhanced verification procedures. Some were offended that we were "giving the third degree" to long-standing and loyal customers. Others incorrectly believed that we were needlessly collecting new personal information, rather than what we were doing: verifying what was already on record. Still others were simply frustrated with the delay in getting to the real purpose of their call, which they perceived to be a simple and routine request.

As to cost: as they say, time is money. Any extension to our average call handle time (AHT) means increased costs. So the enhanced verification procedure added to AHT, as did responding to the consequent customer complaints and questions and explaining how this procedure was intended to better protect subscriber privacy.

Nymity: Under U.S. privacy laws such as the Gramm-Leach-Bliley Act and the Children's Online Privacy Protection Act, if an organization makes disclosures as a result of fraudulent activity, the organization has not violated the law. Do you expect to see changes in PIPEDA in the 2006 PIPEDA review that would protect corporations from being found non-compliant when they are subject to illegal activities?

Elder: PIPEDA is supposed to be about providing guidance to organizations to improve their fair information practices, rather than being a punitive statute. It is supposed to provide incentives for Canadian organizations to respect the privacy of the individuals with whom they do business and to periodically amend their practices as necessary to deal with an ever-changing reality. Of course, it's difficult to speculate on what the Privacy Commissioner will do, but I just can't see what purpose would be served by sanctioning an organization that exercised all due diligence, but was still the victim of fraud. I can't see the OPC taking this approach.

Nymity: Are there other organizations in Canada that run the risk of this form of fraud?

Elder: Emphatically, yes. Any organization – including a government agency – that retains information of potential value to third parties (for purposes of identity theft, blackmail, matrimonial litigation, etc.), and that does business over the telephone or the Internet, is at risk. Banks, investment dealers, medical facilities, telephone providers: this is a pan-industry problem.

Nymity: In closing, what are some measures that corporate Canada can take to protect itself from becoming a victim of "Pre-texting"?

Elder: First, revisit your policies respecting the provision of information via telephone or electronic means. What information really needs to be provided in this way in order to provide acceptable service to your customers? Can the information be provided in a less risky way, such as by mailing the information only to the billing address of record?

Next, have a hard look at your identity verification procedures. Do you have enough information on file about your customers to be able to reliably verify their identity? You may wish to consider implementing a numeric or alphanumeric password for some or all accounts; however, remember that people often forget their passwords, so you will need to have alternate verification methodologies for such cases. Ensure that the information you request to verify identity is information that is likely to be known only to the subscriber or their authorized representatives. If a neighbour or friend is likely to be able to answer your identity verification questions, you know you have a problem. Do a little "mystery shopping" now and again to test your own defences.

Finally, the best defence is often a good offence. Push responsible authorities to take action against the pre-texters and provide them with assistance in their investigations. Maintain internal tracking systems to be able to track and record suspicious transactions and attempts to obtain information, in order to build evidence for prosecutions or other legal action.
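The internal tracking Elder recommends in his final answer, as an added example that is not part of the interview and not Bell's systems: a small Python check over a constructed call-centre verification log that flags the pattern described earlier in the interview (several calls, from several locations, attempting to obtain one subscriber's records). The log format, field names, regions, item names and thresholds are all assumptions.

```python
"""Review a call-centre identity-verification log for pretexting indicators.
Added illustrative example, not Bell's code: format, fields and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time, account, verification outcome, caller region, item requested.
SAMPLE_LOG = """\
2006-01-16T09:02:11 ACCT-1001 PASS CA-QC billing_balance
2006-01-16T09:15:40 ACCT-2002 FAIL US-NY long_distance_records
2006-01-16T09:48:03 ACCT-2002 FAIL US-FL long_distance_records
2006-01-16T10:05:27 ACCT-2002 PASS US-TX long_distance_records
2006-01-16T10:30:00 ACCT-3003 FAIL CA-ON billing_balance
2006-01-16T14:12:55 ACCT-3003 PASS CA-ON billing_balance
"""
SENSITIVE_ITEMS = frozenset({"long_distance_records", "call_detail_records"})

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, account, outcome, region, item = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "outcome": outcome, "region": region, "item": item})
    return sorted(events, key=lambda e: e["ts"])

def flag_suspicious(events, window=timedelta(hours=4), max_failures=1):
    """Return {account: [reasons]} where attempts within `window` show the pattern
    from the interview: repeated failures, several caller locations, or a
    sensitive disclosure right after failed attempts."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flags = {}
    for account, attempts in by_account.items():
        reasons = set()
        for i, last in enumerate(attempts):
            recent = [a for a in attempts[:i + 1] if last["ts"] - a["ts"] <= window]
            failures = [a for a in recent if a["outcome"] == "FAIL"]
            if len(failures) > max_failures:
                reasons.add("repeated verification failures")
            if len({a["region"] for a in recent}) > 1:
                reasons.add("attempts from multiple caller regions")
            if failures and last["outcome"] == "PASS" and last["item"] in SENSITIVE_ITEMS:
                reasons.add("sensitive disclosure after failed attempts")
        if reasons:
            flags[account] = sorted(reasons)
    return flags

if __name__ == "__main__":
    print(flag_suspicious(parse_log(SAMPLE_LOG)))
```

Only ACCT-2002 is flagged: the lone failure on ACCT-3003 followed by a routine billing query from the same region stays below the thresholds, which is the kind of tuning a real deployment would do against its own call volumes.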