According to CTV, the bank has been misdirecting confidential information to the scrap yard since 2001 - that's three years - and was informed of the breach of security at that time. Wade Peer, the scrap yard owner said the response of the CIBC to the privacy lapse was to hang up the phone on him and to continue to send the faxes. Nice...

Mr. Peer has since filed suit in court alleging the faxes, which tied up his business fax line and for which he had to pay the long distance charges (it is a tool free number), damaged his business. The CIBC denies the allegation in court documents and goes on to accuse him of not co-operating with its attempts to resolve the issue. Uh... pardon me, CIBC? You were sending the faxes to the wrong number, so it was your problem not his.

Forgive me for being shocked by this, but I would have thought that if a guy files suit because a company is flooding his fax machine with other people's confidential information, the company's lawyers would have said: Yikes, we have a problem with our clients' privacy and we should do something about it or else we're going to get sued by our clients.

In a written statement (which was also being read last night to CIBC clients concerned about the issue) the bank says it responded to Mr. Peer in March of 2002, thought the matter had been resolved and that it was a "disturbing revelation" that the faxes continued after that time. They say they are undertaking a review of the matter and have notified Canada's Privacy Commissioner. Great, close the barn door after the horses escape.

None of its actions are enough, of course. The bank has a lot of explaining to do.

The CIBC must explain to its customers how it is that so much of their private information was sent to an unauthorized individual in another country. It must explain why the matter was not resolve in 2001 when they were first alerted to the problem. It must explain what action they took to confirm that the matter had indeed been resolved in 2002 as they claim. It must explain why no customers were alerted to the fact their privacy may have been compromised. It must explain why the faxes continued after they "resolved" the matter in 2002. It must explain how it plans to ensure confidential information will never be misdirected again. Most importantly, it must explain why, after three years of knowingly compromising the privacy of its account holders, anyone should trust the bank ever again.

The bank should also contact any customer who might have been affected and assist them in finding a way to determine if any of their private information has been used for nefarious purposes.

It is truly astounding to me that the CIBC allowed this situation to get to this point. It missed far too many chances to put things right for anyone to conclude it was anything less than negligent. This casual disregard for its customers will undoubtedly hurt the company immediately and in the long run as its reputation takes a serious hit.

Further Reading:
Scrap yard receiving bank clients' private data (CTV News)
CIBC faxes go to scrapyard (Globe and Mail)
Fax flaw sends CIBC customer data to U.S. scrap dealer ... for 3 years (Ottawa Business Journal)