
Incident Summary #12: Break with security procedures exposes financial planner’s client to privacy breach
Employees of a financial management firm sent a client's sensitive financial information to her personal email account without proper security measures. An individual, potentially a hacker, then used this information to impersonate the client and attempt to transfer funds from her investment account. The client's money was not stolen, thanks to the firm's established procedures, but the firm's investigation revealed a breach of security protocols and inadequate employee training. The firm took corrective actions, including disciplinary measures for employees, additional privacy training, and reinforced account security.
- Adequacy of security safeguards for personal information
- Effectiveness of employee training on privacy and security procedures
- Appropriateness of the organization's response to a data breach
The Office considered the firm's response to the incident appropriate after the firm implemented corrective measures.
The firm appropriately investigated the incident, took corrective actions including additional employee training, reinforced account security, and offered credit monitoring to the client. The investigation traced the root cause to employee training and confirmed the firm's overall response was appropriate.
AI-generated summary for reference only. Always verify against the official decision.
The firm reinforced security on the client's account, offered free credit monitoring, provided apologies, and took disciplinary actions against responsible employees, along with additional privacy training for all staff.
- Principle 4.1 PIPEDA
- Principle 4.4 PIPEDA
- Principle 4.7 PIPEDA
This summary is informational only and not legal advice.

