Errant faxing may be 'systemic'

By GORDON PITTS

Monday, April 18, 2005 Updated at 1:05 PM EST

Globe and Mail update
 
The federal privacy commissioner says three years of misdirected faxes by Canadian Imperial Bank of Commerce represent a serious breakdown of privacy practices that may reflect a widespread problem in Canadian business.

"We're concerned that other businesses look to this experience as a model of what to do and what not to do," commissioner Jennifer Stoddart said today, as she released her report into CIBC's errant faxing of customer information to companies in Canada and the United States.

Ms. Stoddart said the CIBC case should act as a wake-up call to companies that have developed privacy policies, but failed to set up processes and training to alert the entire organization to systemic failures.

"This is a pitfall that could be more widespread in Canadian business," she said in an interview. "We adopt a policy, we think we've done it and then we realize we haven't done the fire drills."

The commissioner was responding to complaints arising from news reports last November that West Virginia scrap dealer Wade Peer had received CIBC faxes containing personal customer information for three years.

A Dorval, Que., firm also reported it had received CIBC faxes containing personal customer information.

Mr. Peer said he continued to receive the faxes even after notifying the bank, and is suing CIBC for allegedly clogging his fax lines, affecting his business. The case is scheduled to be heard in district court in Baltimore, starting May 9.

Ms. Stoddart said she met with CIBC chief executive officer John Hunkin 10 days ago, and was told the bank has made "a major investment" in privacy practices. The bank is required to submit a written report within six weeks, followed by a verification audit by Ms. Stoddart's staff.

A staff memo released today from chief privacy officer Ron Lalonde said the bank accepted the commissioner's findings, and has begun to implement all recommended changes.

Mr. Lalonde said the bank was focusing on three elements: to create a national database and reporting mechanism to capture privacy matters; to develop a process to identify and deal with potential issues; and to put resources into solutions rather than one-off fixes.

For example, the bank has designated individuals as single points of contact in each business, and has set up a privacy intranet for employees.

The commissioner said the CIBC affair showed that simply publishing a privacy policy does not mean a company is complying with privacy legislation, such as the Personal Information Protection and Electronic Documents Act, which applies to the banks.

The commissioner said she is also concerned that the misdirected faxing continued over three years, that attempts to stop the problem were ineffective and that the bank did not appropriately recover personal information, or notify customers until the breach had become public.

"The chief privacy officer didn't hear of those problems and they weren't recognized as systemic privacy problems," she said.

She said that the banking sector is a major source of complaints to her office, reflecting the banks' mass collection of customer data and the fact that the banking privacy legislation has a track record of four years.

Her office said it is dealing with two other complaints regarding misdirection of faxes within the banking sector.

"I have a concern that if this has happened in one bank, has it happened in others?" Ms. Stoddart said.

Regarding Mr. Peer's case, earlier this month, U.S. district judge Andre Davis declined judgment on a CIBC request for mitigated damages, deciding to leave the matter to a jury.

However, in a memo to counsel, the judge said he believed that "six to eight adults armed with common sense and mature judgment will readily agree with defendant that this entire exercise has been some kind of 'stick-up job,' aimed at a large foreign bank by a struggling start-up company that has tried to leverage a minor inconvenience into a lottery jackpot."