How much do you trust your bank or other institutions that have access to your financial and personal information? It may be time for all Canadians to ask themselves this important question. This is a major issue in today’s world. We are living in the Information Age, and with all the technological advances we experience daily, access to any kind of information is literally at your and everybody else’s fingertips.
This paper will focus on one of the most significant issues in the news recently, one that has sparked national interest: privacy laws in Canada, specifically within the banking industry. Privacy issues have taken centre stage in Canada in recent weeks, with the public’s attention focused on the major privacy breach at the Canadian Imperial Bank of Commerce. As of February 4, 2005, CIBC is now facing a $9 million class action lawsuit from customers whose confidential RRSP and other personal and financial information was made public. A Toronto law firm has filed the suit in the Ontario Superior Court of Justice, after revelations that CIBC had been faxing thousands of their clients’ confidential personal information to unauthorized third parties and individuals, including a now-famous junkyard in West Virginia. The suit alleges CIBC sent client and other applications over unsecured fax lines to the junkyard between 2002 and 2004.
The documents contained highly personal information including names, addresses, phone numbers, social insurance numbers, bank accounts, GIC numbers and amounts, as well as client credit information. One of the people who received this information was a businessman from West Virginia. Over the past two years, he identified more than 350 Canadian phone numbers that have sent faxes to his fax machine, all of which he believes are CIBC branches.
He claims he advised CIBC of the problem several times, but the faxes continued to come. These CIBC clients entrusted the bank with their sensitive personal information in order to feel secure and to obtain the peace of mind that their financial affairs were protected by a well-respected Canadian bank. The financial information dealt particularly with RRSP plans and other investments which the clients rely on and save for their retirement years. Rather than having peace of mind that their financial affairs were protected, thousands of people now find that their sensitive information has carelessly been disclosed to unauthorized third parties and possibly many other random unauthorized civilians. The clients involved have no means of determining how wide the distribution of their information is. Adding to the already existing worries of banking clients, digital form signatures have now become a concern.
Any of the information disseminated is potentially very dangerous if it happens to fall into the wrong hands. The clients of the bank will now be required to incur ongoing costs to monitor their credit ratings, bank accounts, and RRSP accounts, and will have to be on alert at all times because of the potential for identity theft. Banks are in the business of providing financial and investment services to their clients.
All banks have a duty of care to their customers to treat their sensitive personal information with confidentiality, and to prevent its disclosure to any unauthorized people. This breach of duty occurred through the negligence of the bank or its employees, for whom the bank is ultimately liable. All information collected by the bank is personal and sensitive information of the clients as defined in the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2002.
The bank is subject to PIPEDA, and is required to implement its strategies towards protection and privacy. Under this act, clients have a right to privacy and security of their personal information. In addition to this, it is also important to note that the Act covers such areas as the protection, security, application and enforcement of privacy policies for customer information, both for all employees within the bank and for anyone outside the bank to whom the information is authorized to be given. In a 2004 interview, CIBC Senior Manager of Consumer and Small Business Services Bob Atkinson stated the bank’s position on privacy and implementation. In response to a question that asked whether any privacy guidelines are implemented with the bank’s third parties, he responded, “Of course we do our homework on the companies we do business with ... and review their internal policies on privacy, information security, and business continuity. From there we develop a business agreement that expressly binds the parties to protect CIBC customer privacy through compliance with a number of CIBC policies and standards.” Please also note that this interview was given while the bank was fully aware of this particular situation, which is considered a major breach of customer privacy.
As we have seen from this issue, a problem as small as entering a wrong fax number on unsecured machines can lead to a potential crisis for the banks and especially their valued clients. Perhaps the bank should do more to ensure the privacy of client information, revise privacy policies with up-to-date technologies, and properly train employees in order to prevent any kind of mistake with that kind of information. This breach of duty of care and of PIPEDA by the bank is not a mere accident, especially since it was revealed later that this was not an isolated incident, and that CIBC was in fact aware of this situation and other privacy breaches long before it was solved or made public. What is even more bizarre about this situation is that the bank did absolutely nothing to fix the problem, nor did it notify its clients or the authorities even after it was alerted to the breach. Instead, as if nothing had ever happened, the bank continued to use unsecured fax machines, and the personal and sensitive information of thousands of innocent Canadians continued to end up in a junkyard in West Virginia. It took a direct fax from one of the recipients of these misdirected faxes to a CIBC manager, with the manager’s personal information on file, to get some kind of attention.
In addition to this, the bank still might not have acknowledged the problem or informed its clients had it not been for the pressure of the media to leak the story, causing bad publicity for the bank. The bank took no steps to advise or warn its clients of the breach until the Office of the Privacy Commissioner advised that there would be an investigation instituted against the bank. Faxes, misdirected voice mails, improperly addressed e-mails and improperly accessed documents all pose problems when it comes to protecting confidential data. Banks and all other businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes, and the proper use of technology. With the rise of technology in recent years, much of the business that we conduct on a day-to-day basis is through e-mail, internet, fax machines, etc., and it is therefore imperative for the banking industry to make consistent efforts and look to new initiatives to improve privacy standards for their clients.
As a CIBC customer myself, I feel cheated and also a little scared at the same time. As far as I know, someone performing in a circus in Germany could have all my personal and financial information. As a respected bank, I expected better from CIBC to protect my privacy, and although I will still continue to do business with them, I will be keeping close watch on my accounts and investments from now on.
References
CIBC faces lawsuit over breach of privacy. Ottawa Business Journal Staff. http://www.ottawabusinessjournal.com/282695125737805.php, February 24, 2005.
CIBC Class Action Claim – Ontario Superior Court of Justice. http://www.cacounsel.com/CIBC%20Class%20Action%20Claim.pdf, February 4, 2005.
Interview with Bob Atkinson – PrivaViews. http://www.nymity.com/PrivaViews/2004/Atkinson.asp, October 2004.
Canton, David. Privacy culture necessary. London Free Press. http://www.harrisonpensa.com/LFPArticles/January%208,%202005.htm, January 8, 2005.