|
Letter
Ottawa, 24 April 2006
Sent by facsimile and electronic mail
Drew McArthur
Vice President Corporate Affairs and Compliance Officer
TELUS Communications Inc.
5-3777 Kingsway Avenue
Burnaby , B.C.
V5H 3Z7
Dear Mr. McArthur:
This is further to TELUS Communications Inc.'s (TELUS) letter dated 28 November 2005 in response to Commission staff's request that the company report to the Commission outlining the specific details surrounding alleged incidents of disclosure of confidential customer information. Commission staff also requested that TELUS describe the safeguards that were in place at the time the alleged incidents took place as well as any additional safeguards that have been or will be implemented.
In regards to this same subject matter, TELUS is requested to file with the Commission, within 20 days of this letter, responses to the enclosed questions.
A copy of this letter and of Attachment 2 will be made publicly available. In addition, an abridged version of Attachment 1 will be made publicly available.
Regards,
Gerry Lylyk
Director, Consumer Affairs
Telecommunications Branch
c.c. Willie Grieve, TELUS
Renée Gauthier, CRTC (819) 994-5174
Attachment 1: Questions for TELUS
Attachment 2: Questions for TELUS
Attachment 1
Questions for TELUS Communications Inc. (TELUS) [1]
A. Details of Incident
1. Please refer to page 2, third full paragraph of your letter dated 28 November 2005 in which you indicate that the "impostor" ##
............ . ##
2. Refer to page 2, last paragraph and page 3, first and second paragraphs of your letter dated 28 November 2005 in which you state that ##
.............................................."##
a) ##
..........................................? ##
b) ##
................................................................................ ##
B. Safeguards in place at the time of the incident
3. Refer to page 3, sixth paragraph of your letter dated 28 November 2005 .
Explain how TELUS Mobility reached the conclusion that there was no external electronic access to the cell phone records in question.
4. Provide copies of the three e.learning programs referred to in page 3, last paragraph of your letter dated 28 November 2005 .
C. How TELUS Mobility validates the identity of a party requesting customer information
5. Confirm whether the measures listed under this heading refer to what is currently in place. If so, please indicate whether these same measures were in place at the time of the alleged incident. If the measures differ indicate how they differ.
D. The means by which confidential customer information is provided
6. Confirm whether the measures listed under this heading refer to what is currently in place. If so, please indicate whether these same measures were in place at the time of the alleged incident. If the measures differ indicate how they differ.
E. Description of additional safeguards TELUS Mobility has taken and will be taking
7. ##
...................... . ##
8. Please refer to page 5, second to last paragraph of your letter dated 28 November 2005 in which you indicate that TELUS ##
.............................................. ##
9. ##
............................................................................... . ##
Other -
10. If your company does not prohibit CSRs from volunteering any confidential customer information, comment on the appropriateness of establishing such a safeguard. If your company does prohibit CSRs from volunteering confidential customer information, provide a copy of any written guidelines outlining this procedure.
11. Consider a situation where an individual identifies himself/herself as an employee of the company or an agent of the company, prior to requesting confidential information from a CSR.
a) Describe the procedures in place for CSRs, at the time the alleged incident took place, to safeguard against an individual falsely identifying himself/herself as an employee of the company or an agent of the company.
b) Describe the procedures currently in place for CSRs to safeguard against an individual falsely identifying himself/herself as an employee of the company or an agent of the company.
c) Describe the circumstances, before and since the alleged incident, in which CSRs are required to re-validate the identity of a customer and what this entails.
d) If CSRs rely on information provided by call display service, describe whether identification by that methodology may be inaccurate and therefore unreliable.
12. In the 28 November 2005 issue of Maclean's, it was reported that there exists a computer software that enables a caller to assume another person's identity by making that person's telephone number appear on call display, regardless of where the call is really coming from. Provide your company's view as to whether this is possible. If it is possible, indicate the appropriateness of relying on call display information to validate a customer's identity.
13. Describe the safeguards in place to protect against unauthorized electronic access to your company's information technology systems (internal databases, communications networks, web-enabled customer interfaces, etc.) at the time the alleged incident took place. Identify any changes made to the safeguards subsequent to the alleged incident.
14. Please explain why the safeguards in place to protect against unauthorized electronic access are considered appropriate. Include in your answer a description of what your company a) has done and b) is doing on an ongoing basis to verify the adequacy of the safeguards and to ensure adequate protection against evolving methods of unauthorized electronic access.
15. For each acceptable piece of identification required to validate the identity of a customer, listed in the chart contained in Attachment 2, indicate to what extent that information is publicly available. For example, name, address and postal codes are readily available on the Internet. In addition, the Maclean's article dated 21 November 2005 stated that the Privacy Commissioner of Canada 's date of birth was obtained from publicly available property deed and mortgage papers in Montreal . To the extent that any of the pieces of identification is publicly available, explain and justify the appropriateness of using such identification to validate the identity of a calling party.
16. Provide your view as to whether customers should be allowed to request that their confidential customer information not be disclosed by specified methods, such as over the phone, by facsimile, etc.
17. Apart from what is referred to in other questions, since the alleged incident, has your company or any third party engaged by your company done any investigations, mystery shopper calls, audits, reports, etc. related to the accessibility of confidential customer information? If so, provide full details, including the terms of reference, when and what was done and the results, analysis and recommendations, if any. Provide copies of all related documentary reports.
18. If your company has undertaken any of the activities referred to in question 17, what changes, if any, were made to the company's processes and practices as a result?
19. Please provide any and all written policies and procedures with respect to the confidentiality of customer information that a) were in force at the time of the alleged incident and b) which are currently in force.
20. On 10 February 2006 , the Federal Communications Commission (FCC) launched a proceeding, with a Notice of Proposed Rulemaking (NPRM) [2] , to examine whether additional security measures could prevent the unauthorized disclosure of sensitive customer information held by telecommunications companies. Among other items, the FCC seeks comment on the feasibility and advisability of: 1) requiring carriers to adopt a consumer-set password system to protect access to confidential customer information; 2) requiring carriers to establish audit trails that record all instances when a customer's records have been accessed, whether information was disclosed, and to whom; 3) data stored by the carrier being encrypted; 4) whether confidential customer information should be deleted when it is no longer needed and, if so, how long it should be kept; 5) whether certain types of requests for the release of confidential customer information should trigger an advance notification requirement; 6) whether customers should be notified after the release of their confidential customer information; 7) requiring carriers to permit customers to put an absolute 'no release' order on their confidential customer information.
If it is not your company's policy to a) require all customers to password-protect their account; b) establish an audit trail that records all instances when a customer's records have been accessed, whether information was disclosed, and to whom; c) encrypt stored data; d) delete confidential customer information when it is no longer needed; e) notify the affected customer if a request for the release of that customer's confidential customer information has been received; f) notify customers after release of their confidential customer information; and g) permit customers to put an absolute 'no release' order on their confidential customer information, address the feasibility and appropriateness of establishing such a policy for each of a) - g).
21. With respect to d) in question 20 above, list by item the company's retention periods for confidential customer information.
22. If it is not your company's policy to notify customers when their account information has been modified, comment on the feasibility and appropriateness of establishing such a policy.
23. If it is not your company's policy to encourage customers to password-protect their accounts, comment on the feasibility and appropriateness of establishing such a policy.
24. If it is not your company's policy to notify customers when their password has been changed, comment on the feasibility and appropriateness of establishing such a policy.
25. If it is not your company's policy to place a limit on the amount of confidential customer information, such as the number of calls for which call detail is provided, that may be distributed a) during one session, b) in total, comment on the appropriateness of establishing such a policy.
26. For each type of confidential customer information that is allowed to be divulged, address why each method (e.g. mail, fax, etc.) chosen to distribute confidential customer information ensures that such information is likely to reach the real customer.
27. If your company faxes copies of customer bills on request, please comment on the appropriateness of establishing a safeguard that would require such information to only be mailed to the listed mailing address.
28. Please fill in the chart contained in Attachment 2.
[1] For ease of reference the headings are those used by TELUS in its 28 November 2005 letter to the CRTC except for the heading entitled Other.
[2] Federal Communications Commission, Notice of Proposed Rulemaking, CC Docket No. 96-115; RM-11277, FCC 06-10, adopted February 10, 2006 (RM-11277).
Attachment 2
Company Name
|
|
|
Customer Service Representative / Client Care Representative / Call Centre (collectively CSR)
|
Interactive Voice Response System (IVR)
|
Website
|
|
1.
|
Establishment/Modification of Account
|
Prior to the Alleged Incident
|
Current
|
Prior to the Alleged Incident
|
Current
|
Prior to the Alleged Incident
|
Current
|
|
a.
|
What is the process to establish a customer account, including what information/identification is required from the customer?
|
|
|
|
|
|
|
|
b.
|
What is the process to modify account information, for example billing/mailing address, name of account holder, etc., including what information/identification is required from the customer?
|
|
|
|
|
|
|
|
c.
|
Does your company notify customers when their account information has been modified? If so, provide details, i.e. how this is communicated, during what time frame, whether it is done before the modification is made, etc.
|
|
|
|
|
|
|
|
2.
|
Password/PIN (collectively password)
|
|
|
|
|
|
|
|
a.
|
Is it technologically feasible to offer customers passwords?
|
|
|
|
|
|
|
|
b.
|
Are customers informed that they can password-protect their accounts? If so, how and when are customers informed?
|
|
|
|
|
|
|
|
c.
|
Is it your policy to encourage customers to password-protect their accounts? If so, how and when are customers encouraged to do this?
|
|
|
|
|
|
|
|
d.
|
Provide the percentage of your customers that have password-protected their accounts.
|
|
|
|
|
|
|
|
e.
|
f customers have password-protected their accounts, can they access their accounts without their passwords?
|
|
|
|
|
|
|
|
f.
|
If a customer has password-protected his/her account and forgets his/her password, what is the process to create a new password, including what information/identification is required from the customer, whether the customer must visit a retail outlet in person, etc.?
|
|
|
|
|
|
|
|
g.
|
If a customer has password-protected his/her account, is the password the sole piece of information required to access the account? If not, what pieces of identification are required?
|
|
|
|
|
|
|
|
h.
|
Does your company notify customers when their passwords have been changed? If so, provide details, i.e. how this is communicated, during what time frame, whether it is done before the password is changed, etc. .
|
|
|
|
|
|
|
|
3.
|
Validation Methods
|
|
|
|
|
|
|
|
a.
|
How many pieces of identification are required to validate the identity of a customer a) if a person calls from what appears to be the account billing telephone number, b) if a person calls from any other telephone number.
|
|
|
|
|
|
|
|
b.
|
Provide a complete list of the acceptable pieces of identification required to validate the identity of a customer where a) a person calls from what appears to be the account billing telephone number, b) a person calls from any other telephone number.
|
|
|
|
|
|
|
|
c.
|
List the order of preference, if applicable, of the acceptable pieces of identification required to validate the identity of a customer a) if a person calls from what appears to be the account billing telephone number, b) if a person calls from any other telephone number.
|
|
|
|
|
|
|
|
d.
|
When and how are each of the pieces of identification listed above placed on the customer's file?
|
|
|
|
|
|
|
|
e.
|
When a person calls from a telephone number that appears to be different from the account billing telephone number, and the person is requesting confidential customer information, does your company require explicit consent for the disclosure through a separate customer contact, e.g., a telephone call? If so, please provide the details as to how this is done.
|
|
|
|
|
|
|
|
f.
|
Does your company notify customers when their confidential customer information has been requested? If so, provide details, e.g. how this is communicated, etc.
|
|
|
|
|
|
|
|
4.
|
Distribution of Confidential Customer Information
|
|
|
|
|
|
|
|
a.
|
List all of the confidential customer information that is allowed to be divulged, e.g. account balance, account contracts, call details, credit details, etc.
|
|
|
|
|
|
|
|
b.
|
List all of the confidential customer information that is never allowed to be divulged.
|
|
|
|
|
|
|
|
c.
|
For each type of confidential customer information that is allowed to be divulged, list all methods by which it can be distributed, e.g. over the phone, by facsimile, by mail, over the internet, etc.
|
|
|
|
|
|
|
|
d.
|
Does your company notify customers after their confidential customer information has been provided? If so, provide details, i.e. how this is communicated, how soon notice is given after the information has been provided, etc.
|
|
|
|
|
|
|
|
e.
|
Is there a limit on the amount of confidential customer information that may be distributed a) during one session; b) in total? If so, what are the limits?
|
|
|
|
|
|
|
|
5.
|
CSR Related Questions
|
|
|
|
|
|
|
|
a.
|
List and describe all of the confidential customer information that is accessible to the CSR.
|
|
|
|
|
|
|
|
b.
|
For each piece of confidential customer information listed above, is the information a) partially or b) fully accessible to the CSR?
|
|
|
|
|
|
|
|
c.
|
If any of the pieces of confidential customer information listed above, is a) not accessible or b) partially accessible to the CSR, how is this information used by the CSR to validate the identity of a customer?
|
|
|
|
|
|
|
|
d.
|
Does the CSR have access to a customer's password?
|
|
|
|
|
|
|
|
e.
|
List and describe all of the confidential customer information that a CSR is prohibited from volunteering to a caller in order to validate a customer's identity.
|
|
|
|
|
|
|
|
f.
|
List and describe all of the confidential customer information that a CSR is allowed to volunteer to a caller in order to validate a customer's identity.
|
|
|
|
|
|
|
|
g.
|
List and describe the steps that a CSR is required to follow when she/he becomes suspicious about the identity of a caller.
|
|
|
|
|
|
|
|
h.
|
List and describe the steps that management follows when made aware that a CSR is/was suspicious about the identity of a caller.
|
|
|
|
|
|
|
Date Modified: 2006-04-24
|