Following national publicity about misdirected faxes (see PIPEDA and Canadian Privacy Law: Incident: Candian bank's internal faxes went to West Virginia for three years), the bank in question has ordered all of its employees to stop sending personal information via the supposedly "internal" fax sytem that has been implicated in the incident:

CIBC orders companywide halt to faxes with customer info until glitch fixed

TORONTO (CP) - Scrambling to deal with a potentially serious breach of client privacy, CIBC said late Friday it is ordering all employees to stop using the bank's internal fax system to send customer information between branches or offices.

The bank, which has known that a U.S. junkyard has received CIBC internal faxes as far back as 2001 and as recently as this year, said it has assembled a team of senior managers to deal with the problem.

CIBC spokesman Rob McLeod said the bank determined that faxes about 29 of its customers were obtained by the owner of a West Virginia junkyard, who is suing the bank for $3 million US and claiming the bank failed to heed his warning...."

Update: See, also, The Globe and Mail: CIBC bans faxes after scrapyard gets more.

"Legal experts say the commissioner is likely to focus on the consent provisions of the federal privacy law, known as the Personal Information and Protection of Privacy Act.

"It does not appear that the customers of the bank could have been reasonably interpreted to have consented to the transmission of these documents in the circumstances described," said Margaret Ann Wilkinson, a professor of law at the University of Western Ontario. "It is clear that these documents should not have been disclosed to this third party because the bank is prohibited from making such a disclosure."

Ms. Stoddart [Privacy Commissioner] said her investigation is also concerned with the length of time — more than three years — the information was faxed to Mr. Peer.

"We'll be looking into the procedures within that bank that resulted in what appears to be such a serious breach of privacy," said Ms. Stoddart, a lawyer and historian who was appointed on Dec. 1.

"It would appear to have gone on for a certain time. So how diligent was the bank in addressing this problem? What steps did they take? What went wrong?"

Ms. Stoddart said she expects her investigation to take about two months and that the goal of any investigation of a privacy breach is to reach a practical solution to prevent further breaches.

"However, when that is not enough or our advice is not heeded, we can go to Federal Court and ..... we can ask for damages," she said. "At any point, I would think, the CIBC could choose to settle any claims their unhappy customers might have, either within our process or without our process."

Some CIBC customers said they were consulting lawyers.

Legal experts said the Privacy Commissioner's findings will affect what legal actions customers pursue.

...

Ms. Stoddart said her investigation may also focus on the role of CIBC's chief privacy officer, Ron Lalonde, to whom Mr. Maclachlan, the ombudsman, reports.

Privacy experts said they expect the Privacy Commissioner to look at the relationship of Mr. Lalonde's office to other senior executives, including chief executive officer John Hunkin.

Yesterday, privacy experts criticized the bank for failing to notify customers affected as soon as the privacy breach occurred.

"What they should have done immediately is notify all of the branches," said Philippa Lawson, a lawyer and executive director of the Canadian Internet Public Policy Interest Centre at the University of Ottawa's law school."

Update: April 18, 2005 - PIPEDA and Canadian Privacy Law: Privacy Commisioner of Canada releases her report on the CIBC faxing incidents

Labels: information breaches, privacy