Canadian Bank Chastised by Privacy Commissioner Over Privacy Breach

The Privacy Commissioner of Canada, Jennifer Stoddart, has released her findings regarding the breach of privacy represented by misdirected faxes from Canadian Imperial Bank of Commerce (CIBC). The investigation by the Office of the Privacy Commissioner (OPC) was launched in late 2004, prompted by the revelation that for three years faxes from various CIBC branches and containing customers' personal information were mistakenly sent to a company in the US and to another in Dorval, Quebec. Although CIBC had adopted a privacy policy concerning customers' personal information –required by the Personal Information Protection and Electronic Documents Act (PIPEDA) – as stated by MS Stoddart, "simply publishing a privacy policy does not make a business compliant [with PIPEDA]. When there are breaches, they must be brought to the immediate attention of the organization's privacy officials". In this instance, this did not happen. As quoted in the News Release by OPC (dated Aril 18, 2005), the Privacy Commissioner was concerned that, "the misdirected faxing continued to occur over a number of years, that the attempts to stop the problem were ineffective, and that the bank did not appropriately recover customer personal information, nor did it notify affected customers until the issue became public". Further, in the news release, the OPC strongly urged all organizations subject to PIPEDA to assess their policies and privacy management practices, and to address any shortcomings. For the text of the News Release (containing further links to an "Incident Investigation Summary"), see: http://www.privcom.gc.ca/media/nr-c/2005/nr-c_050418_e.asp Summary by: The Editor