Hi David,
On 25.08.2023 13:54, David Conrad wrote:
> Even if the RBC customer were in the EU, I think the challenge would be that he
> (safe guess given the email address chosen) wouldn’t know and/or be bothered to
> file a complaint. Whoever he is, he provided an email address years ago and
> hasn’t noticed he’s never received anything at that address (including
> statement notifications, low balance alerts, appointment reminders, etc.). If
> RBC can be trusted (doubtful, but…), he also chose not to change it when he was
> informed it was wrong at the RBC branch he made an appointment to go to a year
> and a half ago. Now if I, as the impacted third party, could file a complaint…
> maybe some sort of UCE-related complaint? Anyone know if Canada has laws like
> that?
what you have described is clearly an Information Security Incident. Period.
And it equally clearly affects PII. Period again.
The least RBC could - and SHOULD! - have done within a reasonable time
frame after your initial report (to double-check on legitimacy,
authenticity etc. of your claim) is to delete your email address from
their customer's record.
> Part of the annoyance is that at least some RBC staff are apparently aware they
> are sending email to the wrong email address yet there doesn’t appear to be a
> way to have that email address deleted from the customer's profile. I’m
> guessing it’s a systemic thing, perhaps the result of social engineering
> attacks. Still insane though…
That their customer doesn't seem to care and therefore does not attempt
to rectify the wrong email address on his record at RBC's: that's an
irritating shame, but somebody else's problem.
But that RBC has failed to delete *YOUR* email address (PII for sure
according to GDPR) from a totally unrelated customer record for at least
18 months now and after multiple attempts of yours to get this ironed
out, makes *YOU* an affected individual, too. Certainly at least
according to European GDPR.
I have filed an inquiry recently with a company I stopped having
business with years ago, when they all of a sudden started to send me
emails again. It was truly remarkable how quickly I received their
apologies combined with a comprehensive explanation of how this had
happened and what they have done to prevent this from happening again.
Why? Because they knew and probably still know very well what otherwise
might be at stake for them.
Best,
-C.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop