Addendum to CIBC fax incident summary
Summary of Investigations
1) Faxes misdirected to a U.S. company
On November 24, 2004, the CIBC informed our Office that it had been inadvertently faxing the personal banking information of some of its customers to a business in the United States, Allstar Sports Line Limited (Allstar). The Office subsequently received complaints about the incident.
Allstar stated that it began receiving CIBC faxes in 2001. The company indicated that it did not initially know what CIBC was or where it was located. Eventually, it learned that CIBC was a Canadian bank. It stated that it attempted to alert the bank by calling the senders and, later, CIBC Customer Care, but its concerns were not addressed. As a result, in 2002, Allstar contacted a CIBC customer, whose name appeared on one of the faxes, who in turn informed his bank manager and Customer Care of the problem.
CIBC Customer Care took steps in late February 2002 to rectify the problem by sending a "news flash" to all areas of CIBC on February 27, 2002, alerting them to the facsimile problem. Faxes, however, continued to be misdirected to Allstar, and CIBC's legal branch became involved.
CIBC's legal branch wrote to Allstar in March 2002, asking that Allstar provide the bank with the identity or fax number of the individual senders, and indicating that any specific information Allstar could provide to CIBC regarding the location of the sender would assist CIBC in addressing the issue internally.
In the meantime, CIBC sent another message on March 6, 2002, this time to a segment of the bank that dealt with clients with more specialized financial needs. This message did not go to all employees, but only to a smaller, select group. Problems clearly continued, as our Office confirmed that personal information continued to be faxed to Allstar. Telephone records also showed that in the first six months of 2003 there were 196 calls from Canadian numbers to Allstar's line; our Office verified that these numbers were facsimile lines for CIBC branches. CIBC stated that it did not hear again from Allstar about errant faxes until 2004; however, there is evidence that Allstar attempted to contact CIBC about the matter again later in 2002. The bank did not initiate any follow-up with Allstar to ensure that the faxing had ceased.
The owners of Allstar recognized that the information being faxed to their business was highly sensitive and destroyed some of the documents. In CIBC's March 2002 letter to Allstar, it asked Allstar to send the "particulars of the actual faxes received from CIBC" and confirmed that the materials would be shredded by Allstar. However, the evidence indicates that the transmissions did not stop and that some of the documentation received was not shredded or otherwise destroyed.
CIBC states that it relied on Allstar to shred the information in an attempt to protect client confidentiality. CIBC has since made it a policy that if, in the future, any material is reported to have been sent in error to anyone, the bank will retrieve the material and ask the recipient to sign an acknowledgement indicating that no copies have been made.
In March 2004, Allstar filed a civil suit against CIBC. The bank originally believed that the suit concerned the faxes received in 2002, and stated that it was not until October 2004 that it became aware that the problems had continued past 2002. Records showed that Allstar received faxes in November 2004 as well. Allstar stated that it contacted the bank about these faxes but was shuttled from official to official until it was referred back to the bank's legal branch because the matter was in litigation. The evidence showed that on the day after the story became public, and again on the following day, the personal information of two more customers was disclosed via facsimile.
On November 8, 2004, Allstar's legal counsel electronically filed a motion for letters rogatory and attached as exhibits two facsimiles received from CIBC, which contained personal information. Allstar's counsel filed this motion on the U.S. federal courts' electronic records system, PACER. The information on the system is password protected; officers of the court, as well as members of the media, have access to it. A copy of the material was subsequently obtained by a reporter.
CIBC stated that it was aware of Allstar's motion, but acknowledged that it did not look at the attached material, as it did not intend to dispute the motion. The facsimiles with personal information were removed from the web site on November 26, 2004.
It was determined that the intended recipient of the facsimiles was CIBC's Central Operations Services Group (COSG), which provides administrative services for CIBC Trust, deposit operations for RSP, RIF, and GIC purchases, Investor Services, and Securities Inc. COSG handles approximately 14,000 inbound facsimiles a month, and more during January and February, which is its busiest season.
Information on the misdirected facsimiles included customer name, social insurance number, account number(s), amounts, home address, home telephone number, and customer signatures. Some facsimiles also had information relating to registered and unregistered investment transfers.
The facsimile numbers for COSG and Allstar were so similar that if an individual dialling COSG mistakenly keyed in an extra seven in the numerical sequence, the call connected to Allstar's general number. Our Office examined the records and noted that over 200 Canadian telephone numbers that had called Allstar's toll-free number were attached to CIBC.
CIBC acknowledged that although the steps it had taken were not successful in stopping the faxes, it did perform an investigation. It stated that in 2002, and after the lawsuit commenced in 2004, it investigated whether the COSG fax unit number had been mispublished and determined that it had not. While the bank stated that it would have done more if Allstar had provided more information, it believed that its actions demonstrate that it did not take the matter lightly.
Our Office noted, however, that employees who knew about the problem did not bring the matter to the attention of senior officials responsible for privacy matters or take steps to fully investigate the problem. The evidence suggests that apart from the initial attempts to deal with the problem by CIBC's Customer Care Centre, the matter was dealt with by the bank's legal division.
After our Office was notified by CIBC of the matter, we told the bank that we would be investigating the incident and would be looking at how CIBC informed its customers that their personal information had been disclosed. Our investigation established that the bank made no effort to advise its clients about the disclosure until after the story had become public, and OPC had launched its investigation. CIBC then contacted or attempted to contact the customers whose personal information had been disclosed. It apologized and offered to replace their account numbers.
2) Misdirected faxes to Dorval, Quebec company
The owner of a business in Dorval contacted CIBC Customer Care in March 2004 about a number of faxes containing the personal information of CIBC customers that he had received. Customer Care sent out an "alert" to all of its branches advising of the error, and asking them to verify the numbers on their facsimile machines. In spite of this, the owner continued to receive faxes over the coming months. He contacted the bank after receipt of each facsimile until August 2004. The bank then had no further contact with the owner until December 2004, when he called to inform it that he intended to go to the press about the matter.
The faxes he received were from different bank branches, and there was no similarity between his fax number and that of COSG, the intended recipient. The bank was never able to determine the cause of the misdirected faxes.
The owner estimated receiving around 20 to 25 facsimiles. He destroyed most of them. After July 2004, he stopped destroying them, but continued to send CIBC a copy of what he was receiving. He has since turned over all copies of facsimiles he received from the bank and no longer has any information related to the bank's clients or this incident.
As with the other incident, the bank did not notify its clients of the disclosure — with the exception of one customer, who was also a bank employee — until after the Office announced its investigation.