Friday, January 26, 2007

CIBC Kept Quiet on Data Gaffe Until Forced by Watchdog

Financial Post, Duncan Mavin, 26 January 2007

Canada's privacy watchdog said yesterday that it forced Canadian Imperial Bank of Commerce to go public last week with the announcement it lost a file containing private data on half a million mutual fund customer accounts.

"We were very concerned about the direction they were planning to take with respect to notifying the public, and we encouraged them to be as open and transparent as possible," said Anne-Marie Hayden, spokesperson for the Office of the Privacy Commission of Canada.

Last Thursday, CIBC announced that a file went missing in late December when it was being transported from Montreal to Toronto.

The lost file contains personal details, including client names and addresses, signatures, dates of birth, bank account numbers and social insurance numbers from 470,000 accounts of current and former clients of Talvest Mutual Funds, which are managed by CIBC Asset Management.

Also yesterday Finance Minister Jim Flaherty said he has personally become involved in the matter.

"I spoke to [the privacy commissioner] myself about the issue we had with one of the banks. A data concern," Mr. Flaherty told reporters. "[The commissioner] and I had a constructive discussion on that so I expect we will be seeing some recommendations soon."

NDP Finance critic Judy Wasylycia-Leis also weighed in, expressing dismay that CIBC may not have gone public on the data gaffe without external pressure.

"That makes this even more horrific," Ms. Wasylycia-Leis said. "If Canadians think the banks will only comply with certain standards of decency under duress from Parliament, then we've got a serious problem on our hands."

A CIBC spokesman said last week that the bank contacted police, the privacy commissioner and financial services regulators several weeks ago as soon as the security breach became apparent.

"Our primary focus was to first proactively and directly notify all of the affected clients by letter," said spokesman Stephen Forbes.

"Throughout this process, we consulted with our various regulators to ensure that we took the best action on behalf of our clients."

CIBC said it started sending letters to affected customers last Wednesday.

So far there is no evidence any of the information has been accessed inappropriately, said a bank spokesman. However, data security experts have said the missing file could be used for the purposes of identity theft.

In 2004, the commissioner criticized CIBC after it accidentally faxed confidential information related to banking clients to a scrap yard in West Virginia over a period of three years.

After that incident, the commissioner said the bank's privacy policies and practices "were not functioning on a practical level."

Financial Post, Emily Mathieu, 26 January 2007

Four out of five of the major Canadian banks have said there's not a single confirmed case of fraud reported from customers of Winners and Home Sense stores after hackers broke into computers belonging to the parent U.S.-based discount chain company.

The banks included the Canadian Imperial Bank of Commerce, Toronto-Dominion Bank, Bank of Montreal and Royal Bank of Canada. The Bank of Nova Scotia declined to speculate on the possible number of customers affected, but referred questions to VISA.

VISA Canada spokesperson Tania Freedman said it's too early to connect any reports of fraud with TJX, the parent company of Home Sense and Winners. MasterCard was unavailable for comment.

"It's really difficult to link fraud back to a specific breach," she said.

TJX, based in Framingham, Mass., reported last week the sales and credit information of millions of customers was accessed through, and in some cases removed from, company databases.

The compromised information was from transactions that took place at TJX stores in Canada, the United States and Puerto Rico in 2003 and last year between mid-May and December.

On Wednesday, the Massachusetts Bankers Association, which represents 205 commercial savings and loans institutions in Massachusetts and New England, said U.S. customer information from TJX stores is being used fraudulently in Hong Kong, Sweden, Florida, Georgia and Louisiana. Spokesperson Bruce Spitzer said only a "handful" of U.S. cards have been used for fraud, but that number is likely to rise.

The Privacy Commissioner of Canada will be conducting an investigation, but the RCMP said it is not involved. The impact the breach will have on Canadian customers isn't clear.

"It's still too early to tell," said Rob McLeod, CIBC spokesperson. "We're still receiving information from VISA and we're analyzing that."

It is estimated that each Canadian bank flagged thousands of credit card numbers for heightened risk of fraud and is actively monitoring the accounts.

"Right now, we're focusing on contacting all the customers on the list and getting information to them to monitor their accounts," said Michael Edmonds, spokesman for BMO Financial Group.

Bruce Cran, president of the Consumers' Association of Canada, said he's not aware of any fraud in Canada related to TJX, but said it's a logical conclusion to assume if fraud is popping up in the U.S., Canada can't be far behind.

"People have expectations of privacy when they do business with financial institutions and I don't think we are getting that at all," he said.