The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Monday, April 11, 2005

Aeroplan rapped over data security 

Aeroplan is once again in the privacy hot-seat, according to this article from the Globe and Mail. This time, it is for inadequate security that allowed an Aeroplan member's boss to review and modify his account information. The article has some pretty strong words from Heather Black, the Assistant Privacy Commissioner of Canada:

The Globe and Mail: Aeroplan rapped over data security:

"By PAUL WALDIE

Monday, April 11, 2005 Page B1

The Office of the Privacy Commissioner has sharply criticized security at Air Canada's popular Aeroplan frequent-flyer program and told the airline to better protect members' account information.

"On the whole, there was a clear lack of diligence on the part of Air Canada with respect to its handling and protection of customer personal information," Heather Black, assistant privacy commissioner, said in a recent ruling involving a Vancouver businessman whose Aeroplan account was accessed, and changed, by his former boss.

While noting the airline has taken some steps to tighten security, she said key data is still too easily available. "If someone with access to an account number calls the system, he or she [is able to access] the account holder's name, the number of miles recently credited to the account, and the account balance."

"This information is not password protected. I remain concerned about the accessibility to the information that is still on the system."

Aeroplan has six million members and has reward program partnerships with retailers such as Future Shop Ltd., Imperial Oil Ltd.'s Esso gasoline chain and Bell Canada's phone services.

Michele Meier, an Aeroplan spokeswoman, said the company has already acted on recommendations made during the investigation, "We're in the process of evaluating whether any further measures will be taken or will be necessary," she said.

The case dates back to March 14, 2002, when the businessman, Danny Yehia, received a duplicate copy of his previous Aeroplan statement.

When he contacted Aeroplan for an explanation of why he was sent the additional statement, he was told that someone had requested the information and changed the e-mail address on his account.

At the time, Mr. Yehia was involved in a lawsuit with his former boss, Joel Berman, a Vancouver glass designer. Mr. Berman alleged Mr. Yehia and his partner had taken company secrets when they left his glass business months earlier. Part of the lawsuit centred around a trip Mr. Yehia took to Australia allegedly to meet a rival glass company.

Mr. Berman admitted to the privacy officer that he obtained detailed information about Mr. Yehia's account from Aeroplan's computerized telephone information system and through an Air Canada agent. "Air Canada states that he could do this because there was no personal identification number required," Ms. Black said in her decision.

She said Mr. Berman did not misrepresent himself or pretend to be Mr. Yehia. In fact, he provided the agent with his name in order to pay a processing fee to change the account.

The lawsuit was eventually dropped, but Mr. Yehia complained about Aeroplan's actions to the privacy commissioner.

In her decision, released last week, Ms. Black said she was "disturbed by Air Canada's lack of co-operation with respect to [Mr. Yehia's] complaint."

She also said the agent who changed the account had not been properly trained in privacy issues and "it did not appear to concern her that she was not speaking to the account holder." The agent "did not even seem to be aware of the importance of maintaining the confidentiality of personal information."

She added that, given the number of people who have access to Aeroplan members' numbers, such as employers, travel agents, and Aeroplan workers, "I do not believe that having account information readily available, without any protection on it, constituted an adequate safeguard."

Ms. Meier said Aeroplan regrets "this unfortunate incident," and noted that it has restricted the information on the automated phone service. It has also updated privacy procedures and introduced more training for staff.

But Ms. Black questioned whether the changes go far enough. She said the automated system still provides access to account holders' names, the number of miles recently credited to the account and the account balance.

"Many individuals have credit cards that are partnered with Aeroplan. Anyone with access to the Aeroplan account number could potentially know from the number of miles credited to the account how much money was charged against the account holders' credit card in a month."

She recommended password controls should be placed on all account information that is accessible though the automated system.

Mr. Yehia said Aeroplan should be doing much more to protect information.

"You'd think that after [the Sept. 11, 2001 terrorist attacks] security would be an important issue," he said.

When asked if he is still an Aeroplan member, he laughed and replied: "I am. Because where I travel, I don't really have much choice."

Presently, passwords are required to view and modify account information. Also, phone agents are requiring more proof of identity before assisting Aeroplan members.

Labels:

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs