Adequate security safeguards not yet in place at brokerages: report

Mortgage brokers in Canada must try harder to improve their security, according to an audit released this month by the Office of the Privacy Commissioner of Canada. Several mortgage brokerages made some privacy and security improvements, but have no measures in place to alert managers about suspicious activity, the audit said.

The audit, reported as part of the 2009 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act, examined brokerages after 14 data breaches were reported during the summer of 2008. Imposters acting as mortgage agents downloaded credit reports for members of the public who had not even applied for mortgages, compromising the personal information of thousands, the Commissioner said.

"We found that brokers have significantly strengthened their hiring processes in the wake of these breaches," said the audit. "However, we found that mortgage brokers are unable to demonstrate that there are adequate security safeguards in place to protect the personal information under their control."

Mortgage brokerages suffered from vague privacy policies that did not detail how they were handling information on meeting their Personal Information Protection and Electronic Documents Act (PIPED Act) obligations, the audit warned, and they were not making those policies accessible to their clients. "We found that a client's consent is not always obtained prior to a credit report being obtained, and that some brokers used clients' information for purposes other than that for which it was collected."

Mortgage brokers did not always dispose of unapproved application files securely, and neither were they training their staff adequately in privacy responsibilities.

The audit covered five Ontario-based mortgage brokers, as all of the breaches in 2008 occurred within the province, the Commissioner said.