Shostack + Friends Blog Archive


Privacy lessons from CIBC

The disaster over at CIBC is telling, and bears a little exploration.

The real victims, whose details were faxed to never saw the violation of their privacy. It was CIBC tossing data around incompetently, all the while publicly proclaiming their commitment to privacy. Wade Peer, a scrapyard operator in West Virginia brought the three years of negligence by the bank to light.

If he hadn’t chosen to file a lawsuit, we would still not know about this, and it would still be going on. Worse, Peer only got a fraction of the documents mis-addressed. Others have gone elsewhere. (This is conjecture, but consider: Bank employees misdial phones. Are they likely to always misdial those phones the same way? Are all of their misdials going to be voice numbers? If not, then they’ve sent other faxes to less honorable folks.) Further, we should ask, what are the odds that only CIBC is doing this? This reminds me of the HRDC scandal:

In the two years since the Office of the Privacy Commissioner found out about the labour file, Mr. Phillips said he has tried, unsuccessfully, to persuade HRDC officials to enact legislation to control the collection, handling and access to the information.

Canada needs a privacy commissioner who will aggressively audit government agencies and those companies who are required by law to collect information. And the commissioner should name and shame any organization that has an ongoing issue for more than a year.