The loss of a backup drive containing personal and financial data of 470,000 clients by the Canadian Imperial Bank of Commerce (CIBC) was preventable, say Canadian security and legal experts.
Organizations, they say, are obliged to take reasonable steps to avert security breaches, and CIBC doesn't appear to have done that.
The drive was lost by CIBC's mutual fund subsidiary Talvest Mutual Funds, while in transit between Montréal and Toronto.
The loss – and the massive potential security breach it may have caused – is being investigated by Canada's privacy commissioner, Jennifer Stoddart.
In a statement, Stoddart said there are grounds for a probe to determine whether there was any contravention of the Personal Information Protection and Electronic Documents Act.
The computer drive may have contained everything from personal data, such as names, addresses, signatures, dates of birth and social insurance numbers, to financial information such as bank account numbers and beneficiary information, according to a statement on CIBC's Web site.
This data loss amounts to a disclosure of personal information without the consent of the parties who own it, says David Fewer, staff counsel at the Canadian Internet Policy and Public Interest Clinic (CIPPIC) in Ottawa.
The CIPPIC is part of the University of Ottawa's faculty of law and deals with policy and law-making processes in the area of new technologies.
"Although this disclosure was involuntary, it raises the question of whether they had appropriate safeguards in place. And it sounds like that may not have been the case."
Fewer says while organizations do not have an absolute obligation to prevent all security breaches, they have a responsibility to take certain "reasonable" precautions.
Ensuring the safe transport of a hard drive containing important personal and financial information would be a "reasonable" precaution, he says.
According to Fewer, charges cannot be laid against CIBC under the Personal Information Protection and Electronic Documents Act, as the Act does not have a criminal provision.
However, the privacy commissioner could request an order from federal court that CIBC would be required to follow.
Cases brought to federal courts under this Act have been "few and far between", and even in those cases, the outcomes have been lukewarm, Fewer notes.
A Canadian security expert believes the loss of the backup computer file was "quite preventable" from the outset.
The data on the hard drive doesn't appear to have been encrypted, and it should have been, says Brian O'Higgins, chief technology officer at Third Brigade Inc. in Ottawa.
Third Brigade Inc. specializes in host-based intrusion prevention systems.
"You're going to lose a disk or computer at some point, therefore companies should encrypt their data. It costs time and effort but needs to be done," says O'Higgins.
There are a number of ways to implement encryption, he says, but the best way is to encrypt the data when it's 'resting', as opposed to encrypting the transmission channel and leaving the data unscrambled.
That way, O'Higgins says, even an open network could be a secure route for data delivery.
While hard drive data encryption is a crucial first step for any financial institution, the Third Brigade executive doesn't see the practicality of enforcing it.
"There would be a 'knee-jerk reaction' where companies would employ encryption on all machines and spend all their energy, while bigger problems got ignored."
Instead of blanket encryption, financial institutions should focus on data security where it actually counts: on personal and financial information. That way, they would get the "biggest bang for their buck," he says.
The possible non-encryption of the hard drive data, in part, represents a procedural error, says Joe Greene, vice-president of IT security research at analyst firm IDC Canada in Ottawa.
"The breach didn't occur while the data was sent electronically, nor were they hacked. They put the data on a hard drive and sent it off."
Greene suggests the data should have been scrambled – if it wasn't already – and transmitted electronically.
Furthermore, should client information fall into the wrong hands, the issues of identity theft and unauthorized bank account access will no doubt surface.
CIBC, meanwhile, says there is no evidence to suggest the lost backup file has been "inappropriately accessed".
However, precautionary measures will be taken to protect clients, including: notifying all affected clients by letter, compensating them for monetary loss arising directly from unauthorized access of personal information contained on the file, and providing affected clients the opportunity to enroll in a credit monitoring service at no cost.
Talvest is working with the police to investigate this incident and retrieve the backup file, the CIBC statement says.
Those affected have been sent a letter advising them of these measures and urging them to regularly review activity on all their financial accounts. "If you discover any unauthorized activity, be sure to report it immediately to your financial institution," the letter says.
To enroll in the credit monitoring service, the letter directs affected individuals to visit www.tal.talvest.com/english or www.tal.talvest.com/francais and register by April 30, 2007 – quoting the provided ID number.
CIBC could not be reached for additional comment.
With files from Joaquim P. Menezes