CIBC's privacy practices failed in cases of misdirected faxes

Incident Summary #2

Incident

In late 2004, the Office of the Privacy Commissioner of Canada commenced an investigation into incidents involving misdirected facsimiles. These faxes, containing the personal information of CIBC customers, were sent by various branches of the bank to a company in the United States and another in Dorval, Quebec.

The bank's privacy practices were seriously tested by these incidents, and they failed. These incidents are a wake-up call to not only CIBC but to every organization in Canada that collects, uses, or discloses personal information in the course of its commercial activities.

The Personal Information Protection and Electronic Documents Act requires organizations to implement policies and procedures to give effect to the principles of fair information practices. It is not merely a matter of publishing a privacy policy in a brochure or on a web site. The entire organization must be aware of the policy and must ensure that its employees are adhering to it, bringing problems to the attention of the right people, and acting on it. It is not just a good idea — it is the law.

The following should serve as a cautionary tale for all organizations subject to the Act. Had CIBC's privacy policies and procedures been in working condition, these events might not have occurred.

Summary of Incidents

The incidents in question covered the period from 2001 to 2004. There were many commonalities between these incidents. In both cases, faxes were misdirected, and the recipients notified the bank repeatedly. While there was some evidence that the bank, specifically the Customer Care Centre and the legal branch, attempted to solve the problem, its efforts were ineffective. In 2002, the bank asked the U.S. company to shred the misdirected faxes. Two years later, it learned that the company had not shredded everything. In 2004, when confronted with a Dorval business owner telling the bank that he was receiving facsimiles containing customer personal information, the bank nevertheless asked him to shred the misdirected faxes. In both cases, CIBC took no other measures to recover the personal information of its clients, and with the exception of one individual, the affected customers were not notified that their personal information had been faxed to the wrong location until after the matter became public in 2004. For further details on the incident investigations, please see Addendum to CIBC fax incident summary.

Office of the Privacy Commissioner's Comments

It was clear that the bank's privacy practices failed at the most basic organizational level. As a result, customer personal information — and trust — was breached. The fact that the misdirected faxing occurred over a number of years, that the attempts to stop the problems were ineffective, and that the bank did not appropriately recover customer personal information were deeply disturbing to the Office.

Most particularly egregious was the fact that the CIBC employees involved in responding to the incidents never fully recognized that misdirected faxes were a privacy issue. We were disappointed that an apparently well-organized institution such as the CIBC had a privacy policy with such holes in it that these incidents were not fully recognized as privacy breaches and that the bank's privacy officials were not informed of the matter.

Remedial Measures Taken

CIBC has taken a number of measures to identify the problems and to implement short-, medium-, and long-term solutions to enhance its personal information safeguards.

It banned all branch faxing across Canada in the immediate term. All transmissions previously done via facsimile were moved to other mediums, such as internal courier bags. There were a few exceptions to the ban on faxing, namely, in places where courier services were unavailable, such as in remote locations. In such cases, strict directions relating to facsimile transmissions were implemented.

The bank reviewed all of its fax processes to establish the volume of faxes sent annually, to prioritize these processes, and to assess its ability to move faxes to alternative and more secure mediums. The bank set up a team to establish and monitor controls to ensure that employees are adhering to the new processes and reporting any issues.

CIBC investigated a number of technological options. Most of the bank's facsimile machines could be programmed by the bank's head office. The bank will be using a secure fax dialing system when faxes are sent. The problem facsimile number was also taken out of service. The bank is considering the automation of forms as a longer-term solution for some of its processes.

CIBC recognized that there were problems associated with its handling this matter and decided to strengthen its internal processes by:

• Restructuring the areas responsible for assessing risks, escalating, monitoring and reporting on privacy issues
• Developing and launching Privacy Issue Escalation Procedures, including roles and responsibilities
• Identifying and providing training to single points of contact in all business/infrastructure areas
• Launching a privacy intranet site that includes policies, standards, and forms for escalating privacy issues
• Developing tools and templates for issue prioritization, scripting, and protocols for contacting customers.

Recommendations

The Office of the Privacy Commissioner recommended the following:

• That CIBC fully implement its planned changes and safeguards with a view to ensuring that it immediately addresses privacy concerns when such concerns have been identified.
• That CIBC implement a mechanism to immediately notify any affected persons in the event that their personal information has been inappropriately disclosed.
• That CIBC report back to the Assistant Privacy Commissioner.

The Audit and Review Branch of the Office of the Privacy Commissioner will be verifying actions taken by the bank and will be discussing any other risks to the communication of personal information.

Final Comment

Our Office is strongly urging this organization and all others subject to the Act to assess their policies and privacy management procedures, and to implement plans to address shortcomings.