Brokerage reprimanded for handling of privacy breach

B.C.’s broker regulator has reprimanded an unnamed brokerage and ordered its nominee to take courses on how to handle a privacy breach, after a stash of client documents was recovered by a third party and returned to the insurance company.

Insurance Council of B.C.’s decision redacted the names of the brokerage and its nominee [a Level 3 broker with more than 27 years of experience]. The council was “concerned” the brokerage and its nominee did not appear to have any policies and procedures in place for the safe handling of its clients’ private information. Nor did it notify clients of a potential breach or work with the Privacy Commissioner’s office once the documents were found.

On Jan. 17, 2019, the Insurance Council of B.C. heard from an insurance company manager that an unidentified third party found insurance documents containing personal information from various insurance transactions belonging to the brokerage. The third party returned the documents to the insurance company.

The documents were traced back to the brokerage because the agency’s broker number was stamped on the papers. The stash included photocopies of various insurance forms, credit card payment printouts, and policy declaration documents containing partial credit card numbers, along with the expiry dates and clients’ names.

The brokerage nominee “was unsure why the insurance documents were taken outside of the agency,” Council’s decision said.

“In terms of aggravating factors, the nominee did not appear to understand the significance of the potential privacy breach or understand the importance of the agency’s role in creating policies to ensure the safekeeping of agency records,” the council ruled in a decision released in October. “Council is concerned by the inability of the nominee to advise of any of the procedures and policies the agency has regarding privacy matters and safeguarding client information.”

In addition, the council was “troubled” the brokerage did not report the potential privacy breach to anyone.

“Council was further troubled that the agency did not take any steps to notify any of the clients that there might have been a potential privacy breach, including failing to advise the OPIC [Office of the Privacy Commissioner]. The nominee should, as a best practice, be aware of the agency’s obligations under the Personal Information Protection Act and should have known to seek guidance or consult with the OIPC about the potential privacy breach.

“Council concluded that the agency did not take any proactive steps to rectify the situation.”

Related: Hub privacy breach affects “limited” amount of Canadian data

The brokerage does not conduct insurance business outside the agency and it is “strictly a walk up business,’” the nominee told the regulator. Moreover, the council’s decision said, “the nominee further clarified that there would be no need for an employee to take photocopies of insurance transactions outside of the office.”

The insurer’s investigation dealt directly with the person who took the documents out of the brokerage but did not deal with the brokerage itself, the council found. It wasn’t clear if the insurer had contacted the brokerage directly about its discovery of the missing documents, or just reported the missing contents to council directly without contacting the brokerage first.

Council’s decision does not say how the documents came into the possession of the third party, other than to say it was through “an unbroken chain of custody for the insurance documents.” Council added “it did not appear that the third party provided the documents to any other parties or used the information in any way that exposed the client information other than returning the documents to the insurer.”

The brokerage nominee said the brokerage’s documents for the insurer’s transactions are stored in an alarmed, offsite secure warehouse and the nominee brings the documents to that location himself. The decision does not identify the third party that found the documents, nor explain how the documents came into its possession. The nominee said the documents were originals, and none were reported missing.

“Council is satisfied that the insurance documents were returned to the insurer by the third party shortly after the discovery so that there was a low risk of client harm,” the council’s decision read.

Feature image courtesy of iStock.com/davewhitney