CIBC is facing an investigation by federal Privacy Commissioner Jennifer Stoddart’s office following the loss of a backup drive containing personal and financial data on 470,000 customers of its subsidiary Talvest Mutual Funds.
The bank said it had no reason to believe information on the drive, which went missing while in transit between two offices, had been inappropriately accessed so far. The drive contained client names, signatures, addresses, dates of birth, bank account numbers, beneficiary information and social insurance numbers, CIBC said. Talvest has retained original copies of the files on its secure Web site, the bank added.
CIBC spokesperson Rob McLeod said the drive also contained “information relating to the process used to open and administer the accounts,” but refused to provide more information while the police investigate. He said it did not contain passwords as such.
CIBC first learned of the missing drive close to the Christmas holidays last month, McLeod added.
“The intervening period has been spent cataloguing the information we knew was on file,” he said. “We have notified the Privacy Commissioner, developed a list of clients, and we were also developing communication materials and processes to communicate with clients.”
CIBC Asset Management, which handles the Talvest fund, has sent a letter to clients letting them know about the incident and has promised to compensate them for any monetary loss that directly comes from it. The bank has also set up a call centre and Web site to deal specifically with enquiries and will allow clients to enroll in a credit monitoring service to track any account abuses at no charge.
In a public statement, Stoddart said she was “deeply troubled” given “the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians.” Office of the Privacy Commissioner spokeswoman Anne-Marie Hayden noted that, as part of the five-year review of the Personal Information Protection and Electronic Documents Act, advocates have proposed legislation that would require companies to notify the public about a breach in a timely manner.
“When they contacted us before the holidays, the bank thought there may be a problem, but they thought they could possibly recover the information,” Hayden said. “The people affected have to be informed in an appropriate way. Going out too early could confuse the situation.”
This is not the first time CIBC has been embroiled in a privacy-related controversy. In 2004, the bank was subject to a four-month investigation into a complaint by West Virginia scrapyard owner Wade Peer, who said he had been receiving faxes from CIBC containing confidential data for three years. After several failed attempts to notify CIBC of the problem, Peer contacted a customer listed on one of the faxes in 2002, who informed his bank manager and CIBC customer care of the problem. The bank, however, did not follow up with Peer to ensure that faxing had ceased or that the documentation had been destroyed, the report from Stoddart’s office found.
Since then, CIBC has set up a Microsoft SQL Server-based database to track privacy issues and established a National Privacy Office in December of 2005. At the time, CIBC said it was developing a process to identify, assess and deal with potential issues and concerns and implementing short- and long-term solutions to prevent future mishaps.