Roseman: RBC client sees others’ private data online

Ava Wong had her identity stolen in 2008. She spent the next year trying to get her financial life in order again.

So, she was upset to log into her RBC banking account last month and find someone else’s confidential information there.

“On Nov. 27, I discovered that all the line of credit statements belonging to a couple in Saskatoon had been linked to my client profile,” she said.

“I was able to see every statement belonging to their RBC Homeline Plan, starting from July 2007, when they first opened the account.”

She reported the incident to a senior account manager that day. On Nov. 30, she followed up to say she could still see the information.

On Thursday, she found RBC had stopped her from getting online access to her accounts. When she complained about not getting notice, she heard from an apologetic supervisor in technical support.

“We had to take action to protect that client’s information,” he said. “I’m sure you would want to have your information protected as well, if the roles were reversed.”

Then, he minimized the importance of the incident: “Seeing someone else’s e-statements ‘can’ happen. It would be the equivalent of the mailman putting someone else’s postal mail in your box by mistake.”

Wong was keen to know if any of her own banking information was visible to the couple in Saskatoon. She wanted someone to take her seriously.

As an information technology consultant with 25 years’ experience, she had another concern.

Why was an old Visa account showing up in her online access? She closed it in 2002 and never saw it displayed until the privacy breach.

When she contacted me this week, she could still see the old Visa account — despite her requests to remove it.

Matt Gierasimczuk, an RBC spokesman, quickly responded to my inquiries. He set up a conference call with Jeff Green, RBC’s chief privacy officer and vice-president of global compliance.

Green said a processing error, involving an automated systems fix, had led to a privacy breach that affected four clients in total. He was made aware of the problem when it was reported to the customer care centre.

RBC notified the clients whose information was disclosed in error, he said, adding that Wong’s data was not seen by another client.

Companies aren’t required to report privacy incidents to the affected people or to the Office of the Privacy Commissioner of Canada (OPC).

“This is currently voluntary, but is expected to change when Bill C-12 comes into effect. There is a provision for mandatory breach notification,” says Scott Hutchinson of the OPC.

Clients should try to resolve things directly with an organization they feel is not safeguarding their privacy. They can make a formal complaint to OPC if they’re not satisfied.

RBC’s confidential data exposed online did not include anyone’s birth date or social insurance number, Green said. But it did have the addresses of the people involved.

Wong’s old Visa account will be purged, he promised. This was less serious since only her own information, not someone else’s, could be seen.

“These situations happen very rarely. We take them very seriously,” he said.

“The first contact with client care was not handled the way it should have been handled. We have circled back to the person for remedial training.”

RBC could have kept this incident quiet if it had taken Wong’s concerns more seriously. She has accepted the bank’s offer of $250 for inconvenience and is now preparing to move her accounts elsewhere.

The lesson: Organizations are judged less harshly for their mistakes than for how they recover from their mistakes. Grace under pressure is a key value to teach your staff.

Ellen Roseman writes about personal finance and consumer issues. You can reach her at eroseman@thestar.ca.