Jan 19th, 2007
By Ross Marowits
MONTREAL (CP) - For the second time in three years, the ability of the CIBC (TSX:CM) to protect confidential data has come under scrutiny after a computer file containing information on up to 470,000 Talvest Mutual Funds clients was lost in transit between offices.
In 2004, it was disclosed that the bank had for three years been inadvertently sending faxes containing confidential information to scrap yards in West Virginia and suburban Montreal.
The latest incident occurred just before Christmas. CIBC Asset Management, which manages the Talvest family of mutual funds, notified the federal privacy commissioner of the breach on Dec. 22.
The head of the agency and police in Montreal and Toronto have launched investigations.
"My office is committed to carrying out a thorough investigation into this matter and to ensuring that preventive and corrective measures are put in place so that this does not recur," commissioner Jennifer Stoddart said in a statement.
The agency is working with the bank to establish the facts, assess the privacy risks and notify the individuals affected.
Stoddart said she has grounds for a commissioner-initiated probe to determine if the incident contravenes the Personal Information Protection and Electronic Documents Act.
The backup computer file contained information on the process used to open and administer current and former Talvest client accounts, the Montreal-based fund said.
It may have included client names, addresses, signatures, date of birth, bank account numbers, beneficiary information and social insurance numbers.
There is no evidence the file was inappropriately accessed, said CIBC spokesman Rob McLeod.
"We've been using our normal security measures to monitor potential fraud and we have seen no unusual activity," he said in an interview.
An Internet privacy expert called the CIBC a "poster child for these cases," adding the security breach highlights the inadequacies of Canada's privacy laws.
"It's yet another example of security breaches that are increasingly gaining attention and are clearly part of our landscape today, highlighting the fragility of people's personal information," said Michael Geist, law professor at the University of Ottawa and chairman of the Canada Research Chair in Internet and E-commerce Law.
Unlike in most U.S. states and some provinces, there is no federal law that forces companies to notify people when their confidential information has been breached.
That raises the likelihood that these types of events are more common than we know, he said.
"Given the number of disclosures we've seen in the U.S., there's every reason to think that Canadian organizations face the same sort of risks," Geist said, adding that he believes Canada's privacy laws should be tightened to force disclosure of breaches and to give the privacy commissioner the ability to fine and force companies to comply.
"There's really limited consequences, other than the negative publicity that may come out of this."
A spokeswoman for Stoddart said it would be premature to seek more powers because the law is relatively new.
Valerie Lawton added that breach notification is one of the issues being considered by a Parliamentary committee that is studying the federal law.
"We think that breach notification can be addressed through guidelines and it may not be necessary to amend the law," she said, noting that unlike Canada, the United States has no overarching privacy law.
Industry Canada said it is eagerly anticipating recommendations from the Standing Committee on Access to Information, Privacy and Ethics that must review the law every five years.
Toronto-based CIBC said Talvest has retained original copies of the files on its secure website.
Although it has no evidence the file was accessed, CIBC Asset Management is taking several steps, including:
-Notifying all affected clients by letter.
-Compensating any affected Talvest clients for monetary loss that arises directly from unauthorized access of personal information.
-Giving Talvest clients the opportunity to enrol in a credit monitoring service at no cost and establishing a call centre and website to deal with any affected Talvest client inquiries.
"Any issue that causes disruption to our clients is of great concern to us and we regret the inconvenience this may cause our Talvest Mutual Funds clients," said CIBC Asset Management president Steve Geist, who is not related to Michael Geist.
CIBC said it is working with the police to investigate the incident and retrieve the backup file.
The announcement came after TJX Cos., operator of T.J. Maxx and Marshalls discount stores and the U.S. parent of Canadian retailers Winners and HomeSense, said its computer systems were hacked late last year and customer information was stolen.
The company said the full extent of the intrusion is not yet known, but it is conducting a full investigation.
That break-in was discovered in mid-December, but was kept confidential upon the request of law enforcement officials.
Copyright © 2007 Canadian Press