A couple of items on the continuing CIBC missing faxes story in today's Globe and Mail:
Canadian Imperial Bank of Commerce accuses scrapyard operator Wade Peer of deliberately leaking confidential CIBC customer data and of violating Canadian privacy laws.
The bank's allegations, made in court filings yesterday, come just one business day after the bank publicly praised him for the way he protected confidential customer data that the bank had mistakenly faxed to him for more than three years.
Mr. Peer is seeking $3-million (U.S.) in damages from the bank in a Maryland court, claiming that the volume of faxes sent to his business, AllStar Sportsline Properties, by CIBC branches prevented him from communicating with his customers. As a result, he claims in the suit, his business failed.
In their brief, CIBC lawyers said: “Mr. Peer provided The Globe and Mail (a mass publication Toronto newspaper) and the Canadian tele-
vision network CTV with confidential financial information about CIBC's customers — either from his own copies of the faxes or, as Peer now claims, from the materials his counsel had already placed on this Court's website.
“[Mr. Peer and AllStar] have already shown that they will misuse CIBC's confidential customer information. . . . None of this conduct can possibly be justified as a matter of fairness or common sense.” . . .[Read the full story in the Globe and Mail]
——————————–
My colleague Gord Pitts takes a look at the reputational risk issues for the bank:
It's a bank's worst public relations nightmare — a challenge to its image of trust and confidence. It gets even worse when the accuser is an ordinary Joe, a plain-spoken scrap yard operator from West Virginia.
Canadian Imperial Bank of Commerce has responded by playing the heavy in its public relations standoff with Wade Peer, the scrap dealer who was mistakenly sent faxes of bank customer information.
Crisis management experts say this strategy contains risks in reassuring the public, which is more likely to sympathize with Mr. Peer than with a major Canadian bank already coping with challenges to its reputation … [Read the full story in today's Globe and Mail]
——————————-
And finally, the CIBC situation is fodder for the paper's editorial writers:
How does a bank know when its internal communications system is in awful shape? When its employees are faxing customers' confidential documents to scrapyards in Maryland and West Virginia. When they continue to fax those documents to the same 1-877 number for three years, despite the persistent pleas of the scrapyards' operator, Wade Peer, that they stop doing so. When, even after the story appears in The Globe and Mail and on CTV exposing this shocking breach of privacy on the part of Canadian Imperial Bank of Commerce, Mr. Peer receives two more such faxes, one from an Edmonton CIBC branch and one from an Ottawa branch.
And how does the bank respond? It orders all its branches not to transmit customers' personal information by fax machine, indicating that even now, three years later, it has no clue where the originating problem is and how to remove Mr. Peer's fax number from the bank's files. (The basic problem is simple enough to spot: If you hit a digit in the bank's 1-877 number twice by mistake, you get Mr. Peer's number.) CIBC says it will still send faxes to those customers who want to receive them. Brave customers.
The bank's chief privacy officer, Ron Lalonde, has posted a letter on CIBC's website that begins: “I want to personally apologize and share with you my deep concern regarding the breach of confidentiality of client information reported in the media.” He then spends the rest of the letter blaming Mr. Peer — a victim in this case, a man who was forced to launch a lawsuit against the bank last spring because the mail hadn't stopped — for not complaining often enough that he was being besieged. “We heard nothing further regarding this issue from the individual for more than two years,” Mr. Lalonde writes, “and thus believed that the company was no longer receiving CIBC faxes in error.” Did no one at the bank, particularly the chief of privacy, consider the matter worth a follow-up phone call or two? …[Read the full story in today's Globe and Mail – subscription required]
“And how does the bank respond? It orders all its branches not to transmit customers' personal information by fax machine…”
The tone of that sentence is critical, but isn't that the smart thing to do? Faxes have NEVER been a secure method of transmitting information. In fact, they are just about the most insecure method conceivable. The CIBC is taking the rap for what I have no doubt happens in every business, organization, and government institution in this country:
“I sent you a fax, did you get it?”
“No.”
“OK, I'll send it again.”
No one ever thinks to wonder where the first fax went; in whose hands it might be, and what that person might be doing with the information.
When you make a phone call, if you misdial you are alerted to the problem before you disclose information. When you send information via email, the chances of it reaching anyone other than the intended recipient are remote; if you type the address incorrectly, it bounces back to you. Return receipts can be easily set up, so that you get notified of the recipient's receipt of the message. Online forms (on Web pages) can be made secure.
Why are any of us still using fax machines at all?
Actually faxes are still an neccessary technology for a small percentage of communications.
The good news is that there is a solution to the problem that CIBC experienced which a handfull are using. It actually encripts the information being faxed and in case of misdialing prevents the information from being received. Simple and effective.