News Release

Failure of CIBC's privacy practices a wake-up call to businesses

Ottawa, April 18, 2005 – A serious breakdown in CIBC's privacy practices at the most basic organizational level involving misdirected faxes could have been prevented and serves as a wake-up call for all organizations in Canada collecting and using personal information, according to the Privacy Commissioner of Canada, Jennifer Stoddart. The Commissioner today released the findings of an investigation into the CIBC, launched by the Office of the Privacy Commissioner of Canada (OPC) in late 2004, as a result of incidents reported in the media and complaints filed by a number of Canadians.

"Canadians expect much more from the institutions they entrust with their personal information. As Privacy Commissioner, I was disappointed that an apparently well-organized institution such as CIBC failed to recognize that the misdirected faxes were a privacy issue. That the bank's privacy practices were not functioning on a practical level should serve as a wake-up call to all organizations in Canada," said Ms. Stoddart.

The Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to implement policies and procedures aimed at protecting personal information.

"Simply publishing a privacy policy does not make a business privacy compliant. Organizations must ensure that all employees are aware of and adhere to privacy policies. When there are breaches, these must be brought to the immediate attention of the organization's privacy officials," said Ms. Stoddart. This did not happen with CIBC.

The OPC's investigation looked into incidents of misdirected faxes containing the personal information of CIBC customers, that occurred during the period from 2001 to 2004. The misdirected faxes sent by various branches of the bank to a company in the United States and another in Dorval, Quebec.

The Commissioner was concerned that the misdirected faxing continued to occur over a number of years, that the attempts to stop the problem were ineffective, and that the bank did not appropriately recover customer personal information, nor did it notify affected customers until the issue became public.

CIBC has now taken a number of measures to identify the problems and to implement short-, medium-, and long-term solutions to enhance its personal information safeguards.

"We have recommended to the CIBC that it fully implement its planned changes and safeguards and that it immediately address privacy concerns when such concerns arise. We have also recommended that it notify customers when a breach occurs." Ms. Stoddart has asked the CIBC to report back to the Office on its corrective measures.

In light of these events and other current investigations by the Office of the Privacy Commissioner into similar cases involving misdirected faxes within the banking sector, we strongly urge all organizations subject to PIPEDA to assess their policies and privacy management practices and address any shortcomings.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians. The Privacy Commissioner of Canada conducts investigations into personal information management practices of organizations and may make those practices known to the public if the Commissioner considers it in the public interest to do so.

— 30 —

For more information about the OPC Investigation into the CIBC misdirected faxes:

• Incident Investigation Summary
• Addendum to Investigation Summary

For more information about protecting your personal information from identity theft:

• Steps to Reduce the Risk of Identity Theft
• Faxing Personal Information

For more information, please contact:

Renée Couturier
Director, Public Education and Communications
Office of the Privacy Commissioner of Canada
Tel: (613) 995-0103
E-mail: rcouturier@privcom.gc.ca
www.privcom.gc.ca