An investigation into the 2006 disappearance of confidential data on nearly half a million CIBC clients has turned up few findings, revealing only that the data may not have been lost in the first place.
The Office of the Privacy Commissioner of Canada launched the investigation after CIBC informed the commissioner that it lost a hard drive containing the personal information and financial data of some 470,000 clients of Talvest Mutual Funds, which were at that time a family of CIBC Mutual Funds. In November 2007, CIBC re-branded the Talvest funds as part of Renaissance Investments.
The investigation revealed that the bank could not confirm whether that personal information was ever transferred to a hard drive in the first place.
“I am troubled that CIBC has been unable to establish whether a data transfer to a portable disk drive had even been made,” said assistant commissioner Elizabeth Denham in a statement.
As part of a server consolidation project, CIBC transferred Talvest files from Montreal to its Toronto-area computing centre in December 2006. The files of 470,752 accounts of current and former Talvest clients contained client names, addresses, signatures, dates of birth, bank account numbers, beneficiary details, and social insurance numbers.
Since the amount of data was too large to transfer over an internal network, CIBC decided to copy the files onto two identical disk drives — one to be sent by land, the other by air.
While the air-shipped package arrived without incident, the land-shipped package was opened and found to be empty. There was no sign the empty package had been tampered with, according to the commissioner.
To date, the missing disk drive has not turned up, yet there is no evidence that personal information on the drive has been improperly accessed and misused.
CIBC now considers it highly possible that the package was empty all along, though it cannot confirm this because CIBC’s computer systems didn’t track whether copies of data were made.
“If CIBC had followed its policies and processes or had a technical means to determine whether the transfer to a second disk drive had actually taken place, quite possibly, no further action would have been necessary,” said Denham. “Whether or not the personal information of more than 470,000 people was transferred to a disk drive should not be a mystery.”
The OPC’s investigation also raised concerns that the personal information being sent had not been encrypted, given the potential for the data to be accessed and viewed by unauthorized parties. CIBC has since adopted a policy that requires information to be encrypted if it must travel outside the bank.
The bank has also put in place a number of remedial measures to address other deficiencies in its security policies and procedures, including those relating to the handling and movement of confidential information.
IE
CIBC data may not have been lost: Privacy Commissioner
Bank could not confirm whether Talvest client information was ever transferred
- By: Megan Harman
- November 27, 2008
- 13:55