Office of the Privacy Commissioner of Canada | Personal Information Protection and Electronic Documents Act | PIPEDA Report of Findings #2015-007 | Well-founded & resolved

PIPEDA Report of Findings #2015-007: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

Organization: Peoples Trust
Decision: Apr 13, 2015
Published: Apr 13, 2015

The Office of the Privacy Commissioner of Canada investigated Peoples Trust after a breach compromised the sensitive personal information of 12,000 customers. The investigation found that the financial institution failed to implement adequate safeguards in its online application portal and retained customer data unnecessarily on a vulnerable, unencrypted web server. These failures contravened PIPEDA's principles regarding safeguards and data retention. Following the breach, Peoples Trust took comprehensive remedial actions, including redesigning its portal, enhancing monitoring, and improving retention practices, which resolved the issues.

  • Adequacy of information security safeguards for sensitive personal data.
  • Unnecessary retention of personal information beyond required purposes.
  • Vulnerabilities in web application portal development and maintenance.
  • Effectiveness of breach response and risk mitigation measures.

Complaint well-founded and resolved.

The OPC found that Peoples Trust contravened PIPEDA by failing to implement adequate safeguards and retaining personal information longer than necessary. However, the matter was resolved due to the timely and comprehensive remedial measures implemented by the institution following the breach and the OPC's intervention.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

Peoples Trust implemented credit alerts, sent notification letters to affected individuals, redesigned its online application web portal, and improved system monitoring to address the security vulnerabilities and data retention issues.

Statutory provisions cited
  • Principle 4.7 PIPEDA
  • Principle 4.5 PIPEDA
  • Principle 4.1.4 PIPEDA

This summary is informational only and not legal advice.