Identity Theft: What Advisors Need to know - PowerPoint PPT Presentation

Slides: 22
Provided by: WorkD

Transcript and Presenter's Notes

Title: Identity Theft: What Advisors Need to know


1
  • Identity Theft: What Advisors Need to know
  • presented to
  • Independent Financial Services Advisors
  • Linda Sasaki, Portfolio Officer - PIPA
  • Office of the Information and Privacy
    Commissioner of Alberta
  • Conal Archer, NWR Counterfeit Currency
    Coordinator, RCMP
  • Ted Mieszkalski, Senior Representative
    (Currency), Bank of Canada
  • April 22, 2009

2
Session Overview
  • Awareness and prevention of identity theft and
    security of payment options
  • The roles and responsibilities of OIPC, RCMP and
    the Bank of Canada
  • Real life examples of identity theft
  • Tools and resources

3
Identity Thieves
  • Cloaked in your stolen identity, a fraudster can
    cash your cheque, raid your bank accounts, use
    your credit card, and even load a big mortgage on
    your house
  • Fraudsters have a knack for spotting opportunity
  • Lost or stolen laptops, hacked and lost
    databases, stealing old bills or credit card
    receipts discarded in waste and recycling bins

4
Identity Thieves
  • Many opportunities involve personal information
    collected by private sector organizations in the
    course of carrying out their everyday business
  • Credit card numbers, expiry dates, employee
    databases, social insurance numbers, debt
    collection account files, customer databases

5
PIPA
  • Personal Information Protection Act effective
    January 1, 2004 (5 years now)
  • Provides rules for collection, use and disclosure
    (CUD) of personal information (PI)
  • Applies to organizations - provincially-regulated
    private sector businesses in Alberta
  • Applies to personal information - information
    about an identifiable individual

6
Safeguarding
  • Section 34
  • An organization must protect personal
    information that is in its custody or under its
    control by making reasonable security
    arrangements against such risks as unauthorized
    access, collection, use, disclosure, copying,
    modification, disposal or destruction

7
Office of the Information and Privacy Commissioner
  • Commissioner is an Officer of the Legislative
    Assembly - independent of government
  • Oversight for:
  • FOIP (Freedom of Information and Protection of
    Privacy Act)
  • HIA (Health Information Act)
  • PIPA (Personal Information Protection Act)
  • Essentially the same safeguarding requirements in
    each statute

8
Case Files
  • Approx. 1270 formal case files opened in 5 yrs.
  • Request for Review: 30
  • Complaint: 70

9
Safeguarding and Self-Reported Breaches
  • 1270 formal case files opened: 135 (11)
    theft/loss of personal information or inadequate
    safeguards
  • Starting mid-2005, approx. 60 self-reported
    breaches
  • 2005: 4
  • 2006: 10
  • 2007: 12
  • 2008: 28

10
Safeguarding/Self-Reported Breaches
  • Break-in/theft (includes stolen laptops): 26
  • Mailing error (sent to wrong address, wrong
    person, include SIN or other PI on mailing
    address): 20
  • PI missing during courier/mailing transmission:
    10
  • Former employee misuse of PI: 10
  • Lost DVD/memory stick: 6
  • System hack, email, unauthorized disclosure: 4
    (each)

11
Self-Reported Breaches
  • Financial institutions (22)
  • Insurance (10)
  • Private medical (8)
  • Professional associations/professional regulatory
    bodies (8)
  • Retail (7)
  • Non-profit organizations (7)

12
Key Investigations
  • TJX/Winners (September 2007)
  • January 2007: OIPC and OPC notified that TJX
    suffered network computer intrusion. Joint
    investigation initiated.
  • December 2006: TJX learned of suspicious
    software on portion of computer system.
    Investigated; found intruder.
  • Believed intruder gained access through wireless
    local area networks at two US stores.

13
Key Investigations
  • Personal information
  • credit card numbers and expiry dates from payment
    processing
  • customer names and contact information
  • Canadian driver's licenses and other provincial
    identification numbers, collected to prevent
    fraud
  • Estimated 45 million payment cards
  • Issues for investigation: collection, retention
    and safeguarding practices of organization.

14
Key Investigations
  • 10 individuals were arrested in Florida using
    information from the organization's database
  • A Ukrainian man is suspected of selling some of
    the credit and debit card numbers stolen in a
    data hack of TJX customers
  • There was also an arrest in Turkey
  • None of these individuals are believed to be the
    hackers

15
Recommendations
  • Summary of Investigative Findings
  • Too much PI collected, retained too long
  • No evidence that data segregated so that
    cardholder data stored on secure server
  • WEP encryption protocol in place; known to have
    weaknesses. TJX in process of converting to WPA
    (started in 2005, completed January 2007). TJX
    should have converted by late 2006.
  • Cost of preventative measures arguably less than
    cost of responding to breach of this size.
  • Policies and procedures in place

16
Key Investigations
  • Monarch Beauty Supply (P2006 IR 003)
  • A beauty trade company with operations across the
    USA and Canada
  • Improperly disposed of 2600 customer credit and
    debit card sales receipts by placing them in an
    unlocked dumpster
  • These receipts were stolen and (in at least one
    case) used to commit credit card fraud

17
Key Investigations
  • Notify all Edmonton based customers about the
    security breach and provide assistance
  • Develop new security disposal policies and
    procedures
  • Conduct privacy and security training/awareness
    for employees
  • Implement more rigorous safeguards, and regularly
    monitor the effectiveness of these safeguards

18
What does PIPA mean for IFS Advisors?
  • Important role for IFS advisors in preventing
    identity theft
  • Conduct an inventory and assess risk
  • Develop and implement security policies and
    procedures
  • Raise awareness amongst staff

19
What does PIPA mean for IFS Advisors?
  • Implement technical and physical safeguards
  • Ensure secure information transmission
  • Address the security of information outside the
    office
  • Ensure contract provisions include security
    practices of the third party providers

20
Resources
  • PIPA Advisory 8: Implementing Reasonable
    Safeguards
  • Reporting a Privacy Breach to the OIPC
  • Key Steps in Responding to Privacy Breaches

21
PIPA Resources
  • OIPC
  • Tel. (403) 297-2728
  • Fax (403) 297-2711
  • Toll Free 1-888-878-4044
  • www.oipc.ab.ca
  • Access and Privacy Branch, Service Alberta
  • www.pipa.alberta.ca
  • Information Line (780) 644-PIPA (7472)