Page 32 - CCCA63_2008
Feature

In 2001, staff at Canadian Imperial Bank of Commerce branches across the country started doing a curious thing: They started faxing clients’ confidential information — on transfer forms concerning retirement funds — to a scrapyard in West Virginia. The forms contained personal and financial details like social insurance numbers, home addresses, phone numbers and detailed bank account information.

Despite the scrapyard operator’s reportedly vigorous attempts to stop the faxes, they kept coming, for up to three more years. The scrapyard received so many faxes, in fact, that ultimately its owner, Wade Peer, launched a $3 million lawsuit against CIBC, suing the bank for negligence and seeking compensation for business he claimed was lost because his fax machine was too tied up with CIBC faxes for his customers to communicate with him effectively.

Three years later, CIBC took decisive remedial action, issuing an apology and announcing that it would overhaul its privacy procedures. But by then, the news was out, and many customers were feeling (and freely expressing in front-page news stories) a volatile mixture of shock, disappointment, worry and anger. A legal, communications and customer relations nightmare had been spawned.

It seems the error stemmed from something as mundane and low-tech as a wrong digit in a fax number, although CIBC insisted it had never published anything other than an accurate number.

Now, you’d think such occurrences would be reassuringly rare. It isn’t every day that a major Canadian bank faxes private client information to a junkyard in another country. But data breaches of one sort or another are surprisingly common and increasingly dangerous, say lawyers who specialize in the area. In fact, depending on what you define as a breach, says David Fraser, a privacy lawyer with McInnes Cooper in Halifax, it’s probable that they happen daily.

Internal sources

While cases like the CIBC faxing fiasco and other prominent breaches — such as that which befell TJX Companies Inc. (the U.S. parent company of Winners and HomeSense stores in Canada) in 2006 — make big news only occasionally, breaches can be caused by something as ordinary as an employee accidentally misplacing confidential information about staff or clients.

While most people worry about hackers breaking into databases, as in the TJX case, experts say the majority of privacy breaches can be traced back to internal sources. For example, as with CIBC, privacy breaches can be caused by misdirected faxes or e-mails. They can also happen when databases are transferred to third parties for processing or data management purposes. The company that collected the information in the first place might have appropriate safeguards in place, but the third party might not.

Information can also be lost in transit when couriered on disks. Lost laptops, memory sticks and hard drives are behind other breaches. A memory card the size of a postage stamp can hold up to eight gigabytes of data, Fraser points out. “That’s probably the entire phone book for metro Toronto, and it can be lost unbelievably easily,” he says. A recent study in the U.S. indicated that some 12,000 laptop computers are lost in American airports each week.

Then there’s employee misconduct, such as when a staff member gone bad sells private information to identity thieves. Or, says Fraser, an employee could simply become bored on a coffee break and type their neighbour’s name into a database to see what might turn up.

Identity theft

But privacy isn’t breached only by careless or mischievous employees; there are plenty of bad guys out there actively trying to break into your customers’ records. Social engineering and pretexting is a growing category of privacy breaches. This is what happens when identity thieves or other impostors use sophisticated techniques to persuade someone on the other end of the phone to release private information.

A memorable example of this occurred in 2005 when a Maclean’s correspondent successfully obtained the phone records

[Photo caption: Suzanne Morin, Assistant General Counsel for Regulatory Law and Policy, Bell Canada, Ottawa. Credit: Mike Pinder]

40 CCCA Canadian Corporate Counsel Association FALL