The Canadian Imperial Bank of Commerce is creating a national database to track privacy issues in the wake of the Office of the Privacy Commissioner’s four-month investigation into
misdirected faxes to two organizations in Canada and the U.S.
The database is one of several steps CIBC is taking to manage its privacy issues as outlined in an internal letter issued Monday to employees by the bank’s chief privacy officer, Ron Lalonde. CIBC also established a National Privacy Office in December and recently appointed Dan Ruch as office vice-president. Reporting to the chief control officer and the chief privacy officer, Ruch is responsible for handling CIBC privacy issues.
In addition to these changes, CIBC is developing a process to identify, assess and deal with potential issues and concerns and implementing short and long-term solutions to prevent future mishaps. The National Privacy Office will manage the database, which is based on Microsoft’s SQL Server product and will be enhanced to record, manage and measure privacy-related incident, a spokesperson said.
Monday’s letter follows the release of the PCO’s findings from the investigation, which commenced in late 2004 after a senior CIBC official reported the U.S. incident to the Commissioner. In a summary statement the Commissioner said: “The bank’s privacy practices were seriously tested by these incidents and they failed. These incidents are a wake-up call to not only CIBC but to every organization in Canada that collects, uses or discloses personal information in the course of its commercial activities.”
Lalonde stated in his letter that CIBC accepts the findings of the Commissioner. “The report identified shortcomings in the implementation of our privacy policy relating to these incidents and recommended that CIBC assess its policies and privacy management procedures and implement action plans to address deficiencies.”
The U.S. case involved West Virginia scrapyard owner Wade Peer who told the Globe and Mail in November he had been receiving faxes from CIBC containing confidential data for three years. After several failed attempts to notify CIBC of the problem, Peer contacted a customer listed on one of the faxes in 2002, who informed his bank manager and CIBC customer care of the problem. The bank, however did not follow up with Peer to ensure that faxing had ceased or that the documentation had been destroyed, the report found.
In March 2004, Allstar Sportsline Products Inc., which Peer owns, filed a $3 million civil lawsuit against CIBC for damages to his business. A Maryland U.S. District Court judge recently ruled that Allstar failed to show sufficient evidence of property damage. A pre-trial conference date has been set for May 2, 2005 with the trial scheduled for May 9.
The second case involved the owner of a Dorval, Que.-based company who contacted CIBC customer care in March 2004 regarding faxes that he had received containing personal customer information. He has since destroyed or handed over all copies of the faxes he received, the report found.
The problem facsimile number has since been taken out of service and CIBC is looking into automating some of its forms for select processes. CIBC is set to make a full report to the Commissioner’s office in six weeks’ time, according to the Commissioner.
Jennifer Stoddart, Privacy Commissioner of Canada, said the bank violated parts of the Personal Information and Electronic Documents Act (PIPEDA), security principles and parts of the Canadian Standards Association’s (CSA) code. Stoddart added the breaches were a result of lax operational and management policies and not security and IT policies.
“They were, how do you manage this as an issue when something goes wrong? How do you follow up on that? How do you make sure that it goes up and down the chain of command and how do you ensure that it is prevented? Neither happened in this incident,” said Stoddart in a telephone interview.
But Stoddart noted this case was due to human error and not theft of customers’ personal information, as alleged in recent U.S. cases like ChoicePoint and LexisNexis. “Here we have human error that we’ve all seen happen if we haven’t done it ourselves in that numbers were mispunched in by employees acting in good faith in an organization acting in good faith.”
Stoddart added that there have been no cases of identity theft reported by CIBC customers.
In its report, the PCO acknowledged measures the bank has taken already including a temporary ban on faxing across Canada (with the exception of remote locations); a review of its fax processes; and a secure fax dialing system. The Commissioner also recommended CIBC fully implement its planned changes and safeguards to address privacy concerns and have a policy in place to deal with customers in the event their information has been compromised. (In both incidences the bank didn’t notify its customers of the disclosure, save for one who was also a bank employee, until after the PCO announced its investigation.)
Asked if a similar law to the one in California that requires businesses to notify their customers within 48 hours in the event their data has been stolen or compromised would make companies more accountable, Stoddart replied: “I don’t know that you need specific legislation to notify your customers if there’s been a problem. We ask that when there’s a problem of this kind that organizations take steps to inform their customers.”
Stoddart suggested there could be additions to PIPEDA, which will be under review next year. “This is something that could be added. I wouldn’t be against it to the extent that this could be useful. There may be an issue of informing the public if there are minor slips that have no identifiable impact.”
Comment: [email protected]
