Commissioner initiates safeguards complaint against CIBC

PIPEDA Case Summary #2008-395

[Principles 4.7, 4.7.1]

The Complaint

On January 17, 2007, the Privacy Commissioner of Canada initiated a complaint against Canadian Imperial Bank of Commerce (CIBC) on a matter of security safeguards.

CIBC had previously reported to the Commissioner’s Office that a package supposedly containing a portable computer disk drive holding personal information of more than 400,000 current and former clients of Talvest Mutual Funds (Talvest) had been land-shipped by the bank from Montreal, Quebec, to Markham, Ontario, and had arrived undamaged but empty. The bank also indicated that the data in question had not been encrypted. Talvest Mutual Funds were at that time a family of CIBC Mutual Funds.

Outcome of Investigation

On the basis of the Office’s investigation, the Assistant Commissioner determined that CIBC had contravened PIPEDA’s safeguards principles by failing to execute appropriate policies and procedures governing the data transfer in question.   Although she was satisfied on the whole with CIBC’s response to the incident, particularly its notification of affected clients, and generally with the remedial measures that the bank had taken to address the problems it had identified in its own investigation of the incident, she remained troubled that CIBC had been unable in the end to establish whether or not a data transfer to a portable disk drive had even been made.

In a preliminary report, the Assistant Commissioner expressed her concern about CIBC’s lack of technical accountability. She made a recommendation that the bank research the available application software offerings on the market with a view to incorporating into its network one that would enable it to determine whether, when, and by whom copies of data onto portable storage devices are made.

In response, CIBC notified the Office that it had initiated a search for a suitable product and would assess the feasibility of implementing such a solution in the Windows environment in which the data transfers in question had been attempted. The bank also said it was investigating the deployment implications of disabling the attachment of portable storage devices to Windows servers.

On the basis of this favourable response by CIBC, the Assistant Commissioner concluded that the complaint was well-founded and resolved.

Summary of Investigation

The Incident

As part of a server consolidation project, CIBC transferred Talvest files from its premises in Montreal, Quebec, to its computing centre in Markham, Ontario, on December 13, 2006. Ordinarily CIBC would have used an internal network process for such a transfer, but in this case the customary process was rejected as being likely to have a negative effect on Montreal’s operations and consume all available network capacity. Instead, CIBC decided to deviate from its usual practice by copying the Talvest files onto two portable disk drives and shipping the two identical drives separately, one package by land and the other by air, to ensure timely receipt and operational readiness.

Both packages arrived undamaged at the Markham Computing Centre (MCC). The air-shipped package was opened on December 14, 2006, and found to contain a disk drive. On    December 15, 2006, the land-shipped package was opened and found to be empty.

The missing information would have related to the process for opening and administering 470,752 accounts of current and former Talvest clients. The files would have variously contained client names, addresses, signatures, dates of birth, bank account numbers, beneficiary details, and social insurance numbers.

CIBC’s Response

Later in the day on December 15, 2006, MCC employees notified CIBC’s Privacy Officer and Corporate Security of the missing disk drive.  On December 16, MCC employees initiated an onsite search that included a thorough inspection of shipping and receiving areas. Likewise, employees of CIBC’s Montreal office conducted a thorough search of their premises.

On December 18, 2006, CIBC Corporate Security initiated an in-depth investigation, including some 45 interviews, notably with personnel involved in the data transfer, the packaging of the disk drives, and the shipping and receiving of the packages.

On December 22, 2006, CIBC’s chief privacy officer reported the incident to the Office of the Privacy Commissioner.

On January 8, 2007, given the possibility of criminal activity, CIBC reported the incident to the Montreal police.

On January 17, 2007, CIBC began mailing letters to the affected clients, informing them of the incident and of precautionary measures taken by the bank in case their files might be accessed and used inappropriately. This letter included the following information:

• CIBC/Talvest would compensate clients for documented monetary loss arising directly from unauthorized access of personal information on the missing files.
• CIBC/Talvest was offering affected clients, at their option, the opportunity to enrol in a credit monitoring service.
• CIBC/Talvest was working with police to investigate the incident and retrieve the missing backup file.
• CIBC/Talvest would respond to questions through its dedicated customer service team or the Talvest website.

On January 18, 2007, CIBC issued a media release, including a website address where a detailed list of questions-and-answers about the incident could be found.

The Missing Disk Drive

To date, the missing disk drive has never turned up. Nor is there any confirmed evidence to date that personal information on the drive has been improperly accessed and misused.

The Montreal police were unable to find the missing drive in the course of their fraud investigation, which is now closed. They have informed our Office that their investigation proved inconclusive, having failed to raise sufficient evidence to meet the burden of proof required in criminal investigations.

CIBC, too, has been unable to find the missing disk drive, despite its own investigation into the matter. In the absence of any sign of tampering, and given evidence that the courier picking up the package had noticed its relative lightness and had asked aloud whether there was anything in it (the portable disk drive should have weighed between four and five pounds), CIBC considers it highly possible that the package may have been empty all along. Moreover, even after an intensive internal investigation, the bank has been unable to establish with any certainty whether or not any data transfer to a second disk drive ever actually occurred.

Continuous monitoring by the bank has to date revealed no unauthorized access to affected clients’ accounts and no conclusive evidence of any identity theft or fraud resulting from the incident. CIBC considers this lack of negative consequences thus far to be supporting evidence that no second portable hard drive containing Talvest clients’ personal information ever existed.

Concerns Raised and Addressed by CIBC

During its internal investigation of the incident, CIBC identified a number of deficiencies in the content and the application of its security policies and procedures, notably those relating to the handling and movement of confidential information.

Our Office has confirmed that CIBC has implemented a good many measures to address such deficiencies and prevent similar incidents in future. Prominent among these remedial measures are the following:

• Amendment of policies, procedures, and guidelines relating to the movement of confidential information so as to clarify and strengthen requirements where necessary;
• Implementation of an enhanced program of training and awareness for technology employees with respect to key policies and procedures governing information management;
• New Global Sourcing and Payment Processing Procedures for sending and receiving packages via courier;
• Review of the incident and relevant policies and procedures by senior technology executives and their management teams; and
• Management review, in accordance with CIBC employment policies, of the actions of employees involved in the incident, with subsequent disciplinary measures taken against several.

Concerns Raised by the OPC

In our Office’s investigation of the Commissioner’s complaint, we raised four specific concerns: (1) lack of encryption; (2) lack of supervision in data transfer; (3) apparent lack of technical accountability in data transfer; and (4) apparent delays in notification.

Lack of encryption: Given the potential for unencrypted data to be accessed and viewed by unauthorized parties, our Office asked CIBC to explain why the Talvest files had not been encrypted, and what steps the bank had taken to ensure that, in similar circumstances in future, encryption would be duly applied.

Lack of supervision in data transfer:  The evidence suggested that the important task of both transferring the Talvest files to the portable disk drives from the server and packaging the disk drives had been assigned to a single employee, who apparently worked in isolation and without supervision in performing the task. Our Office asked CIBC to explain how such a problematic situation had arisen in the first place, and what specific steps the bank had taken to ensure that such data transfers would be appropriately supervised in future.

On the questions of encryption and supervision, CIBC responded as follows:

• Had the information in question been transferred within a CIBC network according to the usual practice, there would have been no need of human intervention to ensure a successful transfer and no need for encryption since the data would not have been leaving the confines of the bank’s protected computing facilities and systems.
• In this case, for reasons stated earlier, CIBC decided to deviate from the usual practice. In the bank’s terminology, the data transfer thus became a “project”, subject to exceptional policies and procedures. Such policies were indeed in place, but in the circumstances were not followed. Despite its exceptional nature, the proposed method of data transfer did not receive appropriate risk and threat assessment and the explicit prior approval of appropriate CIBC executive management. This accounts for both the failure to encrypt the data and the failure to ensure that the process was adequately handled and supervised.
• Among the remedial measures that CIBC has implemented, policies and procedures regarding encryption and data transfer have been clarified. They now clearly state that, in transferring confidential electronic information within the CIBC network or premises, the first option must always be to use the CIBC internal network for the transmittal; however, in cases where the network cannot be used and the information must travel outside CIBC, the information must be encrypted according to a CIBC-approved encryption solution and placed on removable media. Furthermore, future deviations from corporate standard practices will require the use of a published form to document justification, the risks involved, and any compensating controls for mitigating risks. The form will require explicit prior approval of appropriate CIBC executive management.
• With regard to the supervision of employees, there are access controls in place to ensure that only authorized employees have access to systems. Moreover, not only are employees bound by a Code of Conduct, but there has been enhanced employee training and education regarding relevant policies and procedures. Notably, it has been emphasized to employees that network transfers are the preferred method of data transmittal.

Apparent lack of technical accountability in data transfer:  Our Office asked CIBC to explain why it had been unable to determine by technological means whether or not data had actually been transferred from the server to a second portable disk drive.

CIBC replied that the Windows platform used for the data transfers in question did not have an audit-trail capability to confirm the transmission of data to a portable disk drive. In its investigation of the incident, CIBC was able to determine that a device such as a disk drive had been connected to the system at the time in question, but not whether any actual data transfer to the device had subsequently been made. The bank also clarified that, besides the Windows platform, its computer environment comprises of a number of other leading commercial technologies, all of which do have audit-trail capabilities.

Apparent delays in notification: Specifically, our Office was concerned about CIBC’s apparent 33-day delay in notifying its affected clients. Also, since contamination of evidence over time may be a factor in the outcome of a criminal investigation, we were concerned about CIBC’s apparent 24-day delay in notifying the Montreal police. We asked CIBC to explain these apparent delays.

What follows is a summary of CIBC’s explanation of the level of effort required for client notification:

• Investigation by CIBC Corporate Security: Twelve Corporate Security employees were involved in this investigation, which began on December 18, 2006. It included several onsite visits, an extensive search of both sites, 45 interviews with employees, and a forensic examination of the computer system. This investigation was completed on Friday, January 5, 2007. CIBC notified Montreal police on Monday, January 8, 2007.

• Development of a client list and address validation: This activity proved time consuming as it involved the viewing of 3.3 million images, which then needed to be appropriately matched to the existing client base. Since not all Talvest clients had information on the hard drive, the matching procedure was complicated. Similarly, substantial address validation effort was required for the inactive client list.

• Development of letters and press release: Several different versions of letters were required for clients, investment advisors, and dealers. The letters and the press release also needed to be translated into French.
• Arrangements with credit bureaus: In order to offer credit monitoring to clients, CIBC needed to negotiate terms and conditions and enter into contracts with credit bureaus. This involved coordinating and implementing a registration process, which included the creation of forms tailored to the clients and establishment of links with the bureaus to process registrations.
• Website: To address clients’ need for information and registration for credit services, CIBC had to prepare website pages and appropriate links, with content developed in both French and English, and with built-in software connections to the credit bureaus.

• Printing and mailing letters: The volume of correspondence necessitated both a quality assurance process and the development of a merging process, which needed to be tested before use. The letters were sorted by geographic area for ease of Canada Post delivery. They were printed, stuffed into envelopes, and mailed over several days to ensure that call centres could accommodate incoming volumes.
• Call centres: Given the volume of affected clients, CIBC deemed it essential to contract with an external third party in order to supplement its own internal call centre resources. Possible vendors had to be reviewed. Procurement of French support staff had to be outsourced. Script development and training were needed for both internal and external staff. Also, a process was established to provide clients with copies of their documents on request. Dedicated phone lines had to be set up, as well as a process for clients wishing to escalate a concern or a claim. Times of operation had to be worked out over several time zones. Corporate Security was involved in setting up security around the process.
• In conclusion, CIBC noted that only 19 business days had elapsed between the beginning of the investigation by Corporate Security and the beginning of the actual mail drop. The bank further noted that, to address any and all client concerns or queries without giving rise to unnecessary panic or inconvenience, all factors listed above needed to be addressed before clients could be notified. Finally, the bank pointed out that the notification effort proceeded despite personnel accessibility issues of the holiday season, with many CIBC and vendor staff giving up vacations and working days, evenings, and weekends.

Regarding the apparent delay in notifying police specifically, CIBC offered no explanation, except to point out that the Montreal police had not themselves raised any concerns about timeliness of notification or contamination of evidence.

Findings

Issued September 25, 2008

Application: Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, and that organizations must protect personal information regardless of the format in which it is held.

In her preliminary report for the complaint, the Assistant Commissioner deliberated as follows:

• While I am relieved to know that no evidence has yet emerged of ensuing identity theft or financial loss, it is with some disappointment that I note that neither CIBC nor the Montreal police appear to have been able to determine with any certainty what exactly happened in this case – that is, why a package supposedly containing a portable disk drive full of Talvest client files arrived empty at destination. Without knowing for certain whether a second portable disk drive contained personal information or even existed, it is of course impossible for me to state for certain whether, in the language of Principle 4.7.1, personal information was lost or stolen, or improperly accessed, disclosed, copied, used, or modified in this case.
• Nevertheless, I can definitely affirm what the bank itself has in effect admitted – that CIBC did not take appropriate steps in the circumstances to adequately protect a vast quantity of sensitive personal information from such eventualities. Although I acknowledge that safeguards were in place at the time, notably in the form of security policies and procedures relating to usual practice, it is abundantly evident that policies and procedures relating to the unusual practice in question were either lacking to a significant degree or, if in place, were neither plainly set out by the bank nor properly applied in the circumstances by employees and managers. In general, due execution of appropriate policy and procedures was lacking, and since execution is as essential to the safeguarding of personal information as the policies and procedures themselves, CIBC was clearly in contravention of Principles 4.7 and 4.7.1.
• The question I must consider now is, Does the bank remain in contravention of these principles? Or has CIBC, through the remedial measures it has implemented, now brought itself into compliance? Are the bank’s security safeguards now sufficient to prevent similar incidents in future?
• On paper at least CIBC’s remedial measures appear to address more or less adequately the problems the bank itself identified in the course of its investigation of the incident. As always, however, much will depend on execution of the enhanced policies and procedures, and ultimately on the effectiveness of the bank’s efforts to educate and raise the awareness of its employees and to ensure that they diligently apply the relevant policies and procedures in handling personal information.
• On the whole, I am satisfied with the bank’s response to the incident, particularly its notification of affected clients, which included provisions for compensation in the event of ensuing financial loss and for enhanced credit bureau services. I should add that, all things considered, I find the length of time taken to notify clients to have been reasonable in the circumstances, given the sheer number of clients to be notified, the level of effort required, the complexity of the process, and the difficulty of managing such a project during the holiday season.
• Regarding the specific concerns raised by our Office in this case, I am generally satisfied that CIBC’s remedial measures have adequately addressed the problems of lack of encryption and supervision in respect of data transfers, but again only with the proviso that the enhanced policies and procedures be strictly and consistently applied.
• However, I am not satisfied that CIBC has addressed our concern about lack of technical accountability. To my mind, the most troublesome aspect of this case is the fact that the bank did not, and still does not, have a technical capability for confirming whether or not a data transfer to a second portable disk drive had occurred. It is my understanding that third-party application software does exist that can provide detail on when files have been copied to a USB device. I would point out that, in the circumstances of this case, had CIBC had such software in place, and had the bank been thereby able to ascertain in the beginning that no transfer to a second disk had taken place, no further action would have been necessary.

Recommended Action

In her preliminary report, the Assistant Commissioner recommended that CIBC research the available application software offerings on the market with a view to incorporating into its network one that would enable it to determine whether, when, and by whom copies of data onto portable storage devices are made.

CIBC’s Response to Recommendation

CIBC notified the Office that it had initiated a search for a suitable product and would assess the feasibility of implementing such a solution. The bank also said that it was investigating the deployment implications of disabling the attachment of portable storage devices to Windows servers.

Conclusion

On the basis of CIBC’s favourable response to the recommendation, The Assistant Commissioner issued a final report of findings in which she concluded that the complaint against CIBC by the Privacy Commissioner of Canada was well-founded and resolved.

Best Practices

In her preliminary report, the Assistant Commissioner also suggested two best practices to CIBC by way of improving its response to any similar incident in future:

• Notify police as soon as possible after establishing the possibility of criminal involvement.
• Having notified a privacy commissioner’s office of an incident, include that information in the notification to clients.