The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, November 26, 2004
Following national publicity about misdirected faxes (see PIPEDA and Canadian Privacy Law: Incident: Candian bank's internal faxes went to West Virginia for three years), the bank in question has ordered all of its employees to stop sending personal information via the supposedly "internal" fax sytem that has been implicated in the incident:
CIBC orders companywide halt to faxes with customer info until glitch fixedTORONTO (CP) - Scrambling to deal with a potentially serious breach of client privacy, CIBC said late Friday it is ordering all employees to stop using the bank's internal fax system to send customer information between branches or offices.
The bank, which has known that a U.S. junkyard has received CIBC internal faxes as far back as 2001 and as recently as this year, said it has assembled a team of senior managers to deal with the problem.
CIBC spokesman Rob McLeod said the bank determined that faxes about 29 of its customers were obtained by the owner of a West Virginia junkyard, who is suing the bank for $3 million US and claiming the bank failed to heed his warning...."
Update: See, also, The Globe and Mail: CIBC bans faxes after scrapyard gets more.
"Legal experts say the commissioner is likely to focus on the consent provisions of the federal privacy law, known as the Personal Information and Protection of Privacy Act.
"It does not appear that the customers of the bank could have been reasonably interpreted to have consented to the transmission of these documents in the circumstances described," said Margaret Ann Wilkinson, a professor of law at the University of Western Ontario. "It is clear that these documents should not have been disclosed to this third party because the bank is prohibited from making such a disclosure."
Ms. Stoddart [Privacy Commissioner] said her investigation is also concerned with the length of time — more than three years — the information was faxed to Mr. Peer.
"We'll be looking into the procedures within that bank that resulted in what appears to be such a serious breach of privacy," said Ms. Stoddart, a lawyer and historian who was appointed on Dec. 1.
"It would appear to have gone on for a certain time. So how diligent was the bank in addressing this problem? What steps did they take? What went wrong?"
Ms. Stoddart said she expects her investigation to take about two months and that the goal of any investigation of a privacy breach is to reach a practical solution to prevent further breaches.
"However, when that is not enough or our advice is not heeded, we can go to Federal Court and ..... we can ask for damages," she said. "At any point, I would think, the CIBC could choose to settle any claims their unhappy customers might have, either within our process or without our process."
Some CIBC customers said they were consulting lawyers.
Legal experts said the Privacy Commissioner's findings will affect what legal actions customers pursue.
...
Ms. Stoddart said her investigation may also focus on the role of CIBC's chief privacy officer, Ron Lalonde, to whom Mr. Maclachlan, the ombudsman, reports.
Privacy experts said they expect the Privacy Commissioner to look at the relationship of Mr. Lalonde's office to other senior executives, including chief executive officer John Hunkin.
Yesterday, privacy experts criticized the bank for failing to notify customers affected as soon as the privacy breach occurred.
"What they should have done immediately is notify all of the branches," said Philippa Lawson, a lawyer and executive director of the Canadian Internet Public Policy Interest Centre at the University of Ottawa's law school."
Update: April 18, 2005 - PIPEDA and Canadian Privacy Law: Privacy Commisioner of Canada releases her report on the CIBC faxing incidents
Labels: information breaches, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.