A privacy audit by the Office of the Privacy Commissioner of Canada says several mortgage brokerages “failed to go far enough” to protect the personal information of their clients.
The Office of the Privacy Commissioner of Canada (OPC) says the audit was launched after the brokerages reported 14 data breaches in the space of a few months in mid-2008. In each case, someone impersonating an experienced mortgage agent downloaded credit reports for people who hadn’t even applied for a mortgage. As a result, the personal information of thousands of people across Canada was compromised.
“The breaches prompted the brokerages to take some positive steps to better protect personal information. However, our audit found that those changes did not go far enough,” says Privacy Commissioner Jennifer Stoddart. “As a result, the personal information of clients – not to mention any number of other people with absolutely no connection to the brokerages – was left at risk.”
The audit also raised concerns about data security, haphazard storage of documents containing personal information; inadequate consent by clients; and a general lack of understanding about, and accountability for, privacy issues.
The audit is described in the commissioner’s 2009 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA).
Mortgage brokers obtain credit reports from credit reporting agencies in order to assess an individual’s eligibility for a mortgage. Credit reports contain extensive personal information that can be used by criminals to commit identity fraud.
Following the breaches, the five audited brokerages significantly tightened their practices for hiring agents, says OPC in a news release. “However, the audit found there was a lack of adequate controls to restrict agents’ access to credit reports. Specifically, the web-based tool used to obtain credit reports doesn’t allow brokers to limit the number of credit reports an agent can download. In addition, there are no technological controls to monitor for, and raise the alarm about, suspicious activity,” says the release.
The OPC says among the other risks to personal information highlighted in the audit:
- Some brokers stacked files containing personal information on the floor or on desks within accessible offices. One had overflow storage in an unsecured parking arcade.
- Brokers lacked shredders capable of securely destroying documents. One broker was re-using the reverse side of old, filled-out mortgage applications in order to print out new applications.
- Credit reports were sometimes obtained prior to consent from a client being recorded and there was no ability for clients to opt out of secondary uses of their personal information, such as marketing.
- There was a lack of training about privacy responsibilities and many agents did not know to whom they should turn with a privacy-related question. In one case, a broker franchisee stated that his organization’s chief privacy officer was located at the brokerages head office when, in fact, he was the chief privacy officer.
One of the five audited brokerages is no longer in the mortgage broker business. The four others still operating stated they would implement all of the recommendations in the OPC’s audit report.
“In the wake of our audit, we have ongoing concerns about the controls and safeguards in the way in which credit reports are obtained. We are following up with the company that provides this tool to mortgage brokers, with industry associations and with Canada’s credit reporting agencies to discuss best practices for the exchange of personal information,” says Elizabeth Denham, the assistant commissioner. “We are also continuing to work with mortgage broker associations to develop guidance documents that will help them meet their obligations under Canadian privacy law.”
The Canadian Association of Accredited Mortgage Professionals (CAAMP) said it “acknowledges and supports the findings, and is committed to working closely with the OPC to investigate and resolve these problems.”
“CAAMP’s membership takes privacy policies very seriously and intends on following the important recommendations put forward by the OPC,” says Jim Murphy, president and CEO. “CAAMP has an ongoing commitment to improving the information-handling procedures of mortgage brokers and their agents to ensure continued client protection.”
CAAMP says “The vast majority of mortgage professionals have implemented stringent and effective privacy standards.”
————————————————————————————————————–
Contact the Jeffrey Team for more information - 416-388-1960
————————————————————————————————————–