The federal privacy commissioner expressed disappointment Monday with CIBC's handling of a situation that saw confidential faxes end up in the hands of outside parties.
Jennifer Stoddart said the bank failed to recognize that the faxes mistakenly sent by various bank branches to a scrapyard in West Virginia and a company in the Montreal suburb of Dorval were a breach of customers' privacy that could have been prevented.
The scrapyard owner said he was inundated between 2001 and 2004 with faxed fund-transfer request forms that contained social insurance numbers, home addresses, phone numbers and detailed bank account data of several hundred CIBC customers.
"Canadians expect much more from the institutions they entrust with their personal information," Stoddart said in a report.
"As privacy commissioner, I was disappointed that an apparently well-organized institution such as CIBC failed to recognize that the misdirected faxes were a privacy issue," she said.
"That the bank's privacy policies and practices were not functioning on a practical level should serve as a wakeup call to all organizations in Canada," she added.
"Organizations must ensure that all employees are aware of and adhere to privacy policies," Stoddart said. "When there are breaches, these must be brought to the immediate attention of the organization's privacy officials."
In its response Monday, the CIBC said the incident has prompted it to make changes.
"We accept the findings of the privacy commissioner," the bank said. "In fact, we had already begun to implement all of the recommended actions - and we are taking other steps to enhance privacy across the bank, for clients, employees and all our stakeholders."
CIBC shares were up 44 cents at $73.0 on the TSX.