Shostack + Friends Blog Archive

CIBC & SB136

CIBC is a Canadian bank that was recently sued by a West Virginia scrapyard operator for faxing its customers’ private data to him. I’ve blogged about them here and here. (It turns out that other banks are doing the same thing, as David Akin blogs.)

SB 1386 is a California law that requires companies to disclose to their California customers if their private data is compromised.

SB 1386 likely does not apply to CIBC (unless CIBC has Californian customers). But what if it did? (Allow me to remind you that I am not a lawyer.) I’ll pretend that CIBC has Californian customers, and ignore any choice-of-law or international law issues that may apply. I’ll also pretend that social insurance numbers are social security numbers.

The text of SB-1386 is here.
Some excerpts:

SEC. 2. Section 1798.29 is added to the Civil Code, to read:
1798.29. (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of California
whose unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person.

(d) For purposes of this section, “breach of the security of the
system” means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. …
(e) For purposes of this section, “personal information” means an
individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.

So it seems from reading this that the main points are:

  • Do business with Californians
  • Maintain computerized data that includes an SSN
  • Know about unauthorized acquisition of that data.

I have no idea how important the word computerized is here. In a way, everything seems to hinge on it. But the preamble of the law makes clear that what matters is the disclosure, not its form.

The disclosure of the data in the CIBC case was not computerized. So, under 1798.29(d), CIBC may be able to argue that no breach of the computerized data occurred.

It seems somewhat unlikely that CIBC knows which customers’ data is compromised. As Akin points out, there’s at least one more recipient of the errant faxes. And given the nature of the error (misdialed faxes), there are probably a lot more than these two. (Why CIBC didn’t have an auto-dial system in place is beyond me. How many places do they need to fax data to?) So notifying the correct set of customers would be hard. What if they don’t notify, on my wacky computerization theory? Why, the bill specifies a private right of action:

1798.84. (a) Any customer injured by a violation of this title
may institute a civil action to recover damages.
(b) Any business that violates, proposes to violate, or has
violated this title may be enjoined.

The theory behind this is that stopping identity theft requires prompt action, and by not quickly notifying customers, those customers are more likely to suffer more substantial injury. (See the bill, section 1, a-e.) I’m not aware of any private action brought under this section, but it seems to me that showing that a theft occurred is easy. Showing that it was a result of CIBC’s inaction strikes me as very difficult.

Alternatively, those writing new laws could make them address these sorts of issues more clearly. The broad reach of the “California customers” provisions causes all companies to comply with the strictest of these laws.

2 comments on "CIBC & SB136"

  • David Akin says:

    CIBC, it seems to me, would almost certainly have customers in California. While it’s a Canadian bank, one of the company’s ventures is CIBC World Markets, an investment bank which is very active in the U.S., and CIBC Mellon, another investment bank/brokerage active in the U.S.
    While it’s pulled its horns in a bit over the last year or so (it was implicated in both the Enron scandals and in some mutual fund scandals that Eliot Spitzer investigated), it was among the most aggressive of Canada’s banks to push into the U.S. market, particularly in the area of investment banking to the tech industry. I’m sure northern California would have been one area the bank would have been very active in.

  • DM says:

    Well, how was the fax generated? Was the information fed to a fax machine by hand, or was it sent through an email-to-fax gateway or an online fax service (either internal or external to CIBC)? Also note that AB1950 has some requirements around this as well that aren’t limited to just computers…