Search

ARCHIVED - Telecom Commission Letter

This page has been archived on the Web

Information identified as archived on the Web is for reference, research or recordkeeping purposes. Archived Decisions, Notices and Orders (DNOs) remain in effect except to the extent they are amended or reversed by the Commission, a court, or the government. The text of archived information has not been altered or updated after the date of archiving. Changes to DNOs are published as “dashes” to the original DNO number. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats by contacting us.

Archived

This page has been archived on the Web.

Letter

Ottawa, 24 April 2006

Sent by facsimile and electronic mail

David Elder
Vice President Regulatory Law
Bell Canada
110 O'Connor Street
7 th Floor
Ottawa, Ontario
K1P 1H1

Dear Mr. Elder:

This is further to Bell Canada 's letter dated 28 November 2005 in response to Commission staff's request that the company report to the Commission outlining the specific details surrounding alleged incidents of disclosure of confidential customer information. Commission staff also requested that Bell Canada describe the safeguards that were in place at the time the alleged incidents took place as well as any additional safeguards that have been or will be implemented.

In regards to this same subject matter, Bell Canada is requested to file with the Commission, within 20 days of this letter, responses to the enclosed questions.

A copy of this letter and of Attachment 2 will be made publicly available. In addition, an abridged version of Attachment 1 will be made publicly available.

Regards,

Gerry Lylyk
Director, Consumer Affairs
Telecommunications Branch

c.c. Renée Gauthier, CRTC (819) 994-5174

Attachment 1: Questions for Bell Canada
Attachment 2:   Questions for Bell Canada

Attachment 1

Questions to Bell Canada

1. Please refer to page 2, fourth full paragraph of your letter dated 28 November 2005 in which you state that "it would appear that partial call detail information was fraudulently obtained over the telephone through 'pre-texting', a form of impersonation to fraudulently obtain billing and calling details."

a)  Please provide a full explanation as to how Bell Canada determined that the alleged incident involved 'pre-texting'.

b)  Please provide a full report of the investigation conducted by Bell Canada with respect to this matter, including but not limited to what information was divulged, by what means, how the customer's identity was validated, etc.

2.   Please refer to page 2, second full paragraph of your letter dated 28 November 2005 in which you state that a multi-department Critical Incident Response Team (CIRT) confirmed that the company's information technology systems had not been breached. Provide full details, including the terms of reference, when and what was done and the results, analysis and recommendations, if any. Provide copies of all related documentary reports.

3.   Please refer to page 3, first paragraph of your letter dated 28 November 2005 in which you indicate that you are "monitoring the effectiveness of and reaction to these new procedures in order to gauge the impact on customer service and their effectiveness in protecting the unauthorized disclosure of customer information". Provide full details of the monitoring activities referred to above, including when and what was done and the results, analysis and recommendations, if any. Provide copies of all related documentary reports.

4.   What changes, if any, have been made to Bell Canada 's practices and procedures, as a result of the monitoring activities referred to above?

5.   Please refer to pages 1 & 2, third and fourth paragraphs of the attachment to your letter dated 28 November 2005, which is the 14 November 2005 Communiqué to call center employees, which indicates that: ##  

...................................... " ##

a)   ##

.............................. . ##

b)   ##

............................................................ ? ##

6.   If your company does not prohibit CSRs from volunteering any confidential customer information, please comment on the appropriateness of establishing such a safeguard. If your company does prohibit CSRs from volunteering confidential customer information, provide a copy of any written guidelines outlining this procedure.

7.   Consider a situation where an individual identifies himself/herself as an employee of the company or an agent of the company, prior to requesting confidential information from a CSR.

a)   Describe the procedures in place for CSRs, at the time the alleged incident took place, to safeguard against an individual falsely identifying himself/herself as an employee of the company or an agent of the company.

b)   Describe the procedures currently in place for CSRs to safeguard against an individual falsely identifying himself/herself as an employee of the company or an agent of the company.

c)   Describe the circumstances, both before and since the alleged incident, in which CSRs are required to re-validate the identity of a customer and what this entails.

d)   If CSRs rely on information provided by call display service, describe whether identification by that methodology may be inaccurate and therefore unreliable.

8.   In the 28 November 2005 issue of Maclean's, it was reported that there exists a computer software that enables a caller to assume another person's identity by making that person's telephone number appear on call display, regardless of where the call is really coming from.   Provide your company's view as to whether this is possible. If it is possible, indicate the appropriateness of relying on call display information to validate a customer's identity.

9.   Describe the safeguards in place to protect against unauthorized electronic access to your company's information technology systems (internal databases, communications networks, web-enabled customer interfaces, etc.) at the time the alleged incident took place. Identify any changes made to the safeguards subsequent to the alleged incident.

10.   Please explain why the safeguards in place to protect against unauthorized electronic access are considered appropriate. Include in your answer a description of what your company a) has done and b) is doing on an ongoing basis to verify the adequacy of the safeguards and to ensure adequate protection against evolving methods of unauthorized electronic access.

11.   For each acceptable piece of identification required to validate the identity of a customer, listed in the chart contained in Attachment 2, indicate to what extent that information is publicly available.   For example, name, address and postal codes are readily available on the Internet.   In addition, the Maclean's article dated 21 November 2005 stated that the Privacy Commissioner of Canada 's date of birth was obtained from publicly available property deed and mortgage papers in Montreal .   To the extent that any of the pieces of identification is publicly available, explain and justify the appropriateness of using such identification to validate the identity of a calling party.

12.   Provide your view as to whether customers should be allowed to request that their confidential customer information not be disclosed by specified methods, such as over the phone, by facsimile, etc.

13.   Apart from what is referred to in other questions, since the alleged incident, has your company or any third party engaged by your company done any investigations, mystery shopper calls, audits, reports, etc. related to the accessibility of confidential customer information?   If so, provide full details, including the terms of reference, when and what was done and the results, analysis and recommendations, if any.   Provide copies of all related documentary reports.

14.   If your company has undertaken any of the activities referred to in question 13, what changes, if any, were made to the company's processes and practices as a result?

15.   Please provide any and all written policies and procedures with respect to the confidentiality of customer information that a) were in force at the time of the alleged incident and b) which are currently in force.

16.   On 10 February 2006 , the Federal Communications Commission (FCC) launched a proceeding, with a Notice of Proposed Rulemaking (NPRM) [1] , to examine whether additional security measures could prevent the unauthorized disclosure of sensitive customer information held by telecommunications companies.   Among other items, the FCC seeks comment on the feasibility and advisability of: 1) requiring carriers to adopt a consumer-set password system to protect access to confidential customer information; 2) requiring carriers to establish audit trails that record all instances when a customer's records have been accessed, whether information was disclosed, and to whom; 3) data stored by the carrier being encrypted; 4) whether confidential customer information should be deleted when it is no longer needed and, if so, how long it should be kept; 5) whether certain types of requests for the release of confidential customer information should trigger an advance notification requirement; 6) whether customers should be notified after the release of their confidential customer information; 7) requiring carriers to permit customers to put an absolute 'no release' order on their confidential customer information.

If it is not your company's policy to a) require all customers to password-protect their account; b) establish an audit trail that records all instances when a customer's records have been accessed, whether information was disclosed, and to whom; c) encrypt stored data; d) delete confidential customer information when it is no longer needed; e) notify the affected customer if a request for the release of that customer's confidential customer information has been received; f) notify customers after release of their confidential customer information; and g) permit customers to put an absolute 'no release' order on their confidential customer information, address the feasibility and appropriateness of establishing such a policy for each of a) - g).

17.   With respect to d) in question 16 above, list by item the company's retention periods for confidential customer information.

18.   If it is not your company's policy to notify customers when their account information has been modified, comment on the feasibility and appropriateness of establishing such a policy.

19.   If it is not your company's policy to encourage customers to password-protect their accounts, comment on the feasibility and appropriateness of establishing such a policy.

20.   If it is not your company's policy to notify customers when their passwords have been changed, comment on the feasibility and appropriateness of establishing such a policy.  

21.   If it is not your company's policy to place a limit on the amount of confidential customer information, such as the number of calls for which call detail is provided, that may be distributed a) during one session, b) in total, comment on the appropriateness of establishing such a policy.

22.   For each type of confidential customer information that is allowed to be divulged, address why each method (e.g. mail, fax, etc.) chosen to distribute confidential customer information ensures that such information is likely to reach the real customer.

23.   If your company faxes copies of customer bills on request, please comment on the appropriateness of establishing a safeguard that would require such information to only be mailed to the listed mailing address.

24. Please fill in the chart contained in Attachment 2.

[1] Federal Communications Commission, Notice of Proposed Rulemaking, CC Docket No. 96-115; RM-11277, FCC 06-10, adopted February 10, 2006 (RM-11277).


Attachment 2

Company Name:

   
Customer Service Representative / Client Care Representative / Call Centre (collectively CSR)
Interactive Voice Response System (IVR)
Website
1. Establishment/Modification of Account
Prior to the Alleged Incident
Current
Prior to the Alleged Incident
Current
Prior to the Alleged Incident
Current
a. What is the process to establish a customer account, including what information/identification is required from the customer?            
b. What is the process to modify account information, for example billing/mailing address, name of account holder, etc., including what information/identification is required from the customer?            
c. Does your company notify customers when their account information has been modified?   If so, provide details, i.e. how this is communicated, during what time frame, whether it is done before the modification is made, etc.              
2. Password/PIN (collectively password)            
a. Is it technologically feasible to offer customers passwords?            
b. Are customers informed that they can password-protect their accounts? If so, how and when are customers informed?            
c. Is it your policy to encourage customers to password-protect their accounts? If so, how and when are customers encouraged to do this?            
d. Provide the percentage of your customers that have password-protected their accounts.            
e. f customers have password-protected their accounts, can they access their accounts without their passwords?            
f. If a customer has password-protected his/her account and forgets his/her password, what is the process to create a new password, including what information/identification is required from the customer, whether the customer must visit a retail outlet in person, etc.?            
g. If a customer has password-protected his/her account, is the password the sole piece of information required to access the account? If not, what pieces of identification are required?            
h. Does your company notify customers when their passwords have been changed?   If so, provide details, i.e. how this is communicated, during what time frame, whether it is done before the password is changed, etc.            
3. Validation Methods            
a. How many pieces of identification are required to validate the identity of a customer a) if a person calls from what appears to be the account billing telephone number, b) if a person calls from any other telephone number.            
b. Provide a complete list of the acceptable pieces of identification required to validate the identity of a customer where a) a person calls from what appears to be the account billing telephone number, b) a person calls from any other telephone number.            
c. List the order of preference, if applicable, of the acceptable pieces of identification required to validate the identity of a customer a) if a person calls from what appears to be the account billing telephone number, b) if a person calls from any other telephone number.            
d. When and how are each of the pieces of identification listed above placed on the customer's file?            
e. When a person calls from a telephone number that appears to be different from the account billing telephone number, and the person is requesting confidential customer information, does your company require explicit consent for the disclosure through a separate customer contact, e.g., a telephone call? If so, please provide the details as to how this is done.            
f. Does your company notify customers when their confidential customer information has been requested? If so, provide details, e.g. how this is communicated, etc.            
4. Distribution of Confidential Customer Information            
a. List all of the confidential customer information that is allowed to be divulged, e.g. account balance, account contracts, call details, credit details, etc.            
b. List all of the confidential customer information that is never allowed to be divulged.            
c. For each type of confidential customer information that is allowed to be divulged, list all methods by which it can be distributed, e.g. over the phone, by facsimile, by mail, over the internet, etc.            
d. Does your company notify customers after their confidential customer information has been provided? If so, provide details, i.e. how this is communicated, how soon notice is given after the information has been provided, etc.            
e. Is there a limit on the amount of confidential customer information that may be distributed a) during one session; b) in total? If so, what are the limits?            
5. CSR Related Questions            
a. List and describe all of the confidential customer information that is accessible to the CSR.            
b. For each piece of confidential customer information listed above, is the information a) partially or b) fully accessible to the CSR?            
c. If any of the pieces of confidential customer information listed above, is a) not accessible or b) partially accessible to the CSR, how is this information used by the CSR to validate the identity of a customer?            
d. Does the CSR have access to a customer's password?            
e. List and describe all of the confidential customer information that a CSR is prohibited from volunteering to a caller in order to validate a customer's identity.            
f. List and describe all of the confidential customer information that a CSR is allowed to volunteer to a caller in order to validate a customer's identity.            
g. List and describe the steps that a CSR is required to follow when she/he becomes suspicious about the identity of a caller.              
h. List and describe the steps that management follows when made aware that a CSR is/was suspicious about the identity of a caller.            
Date Modified: 2006-04-24
Date modified: