Fax machine scandal – the beginning of the end? (Guest commentary)

One headline, representative of them all, reads: “Fax flaw sends CIBC customer data to U.S. scrap dealer ... for 3 years.”

The details? CIBC fund transfer request forms containing social insurance numbers, home addresses, phone numbers and other account data of several hundred bank customers were sent, not to the proper CIBC office, but to the owner of a West Virginia scrapyard. He contacted the bank to get it stopped. When it continued, he began saving the faxes as evidence. He is suing the bank for loss of business while they are counter-suing.

Some people feel this may spell the end of the fax machine.

The facsimile — or FAX — as we love to call it, was introduced in the 1970s as a marvelous option for moving documents efficiently from location to location. At speeds that are now ridiculously slow, it transformed the ability to transfer data. If you send faxes today you will find that recipients (who aren’t paying for that long distance call) haven’t upgraded their machines above 1,200 baud, while e-mail connections at 56,000 baud are considered slow.

Reading more about the CIBC situation you begin to understand the fax itself is an innocent victim. The bank apparently advised its branches of the wrong fax number. But it compounded the problem by not acknowledging the mistakes, and failing to ensure the problem was corrected.

Fax machines throughout the bank merely carried out the wishes of their human masters.

Of course, in many situations e-mail has pretty much taken over as the method of choice for fast document transfer, leaving the fax only for documents that aren’t available in electronic format and where scanning isn’t an option.

Lest we get too complacent, let me advise you that e-mail has a well-deserved reputation for not being a secure method of information transfer unless it is encoded.

Human error translated into a “technical problem” is, unfortunately, fairly common.

Air Canada recently sent a large number of air crew letters advising that the airline had mistakenly overpaid for meal vouchers and threatened legal action if the overpayment wasn’t repaid (see page 1, “Air Canada union irate following collection agency threat”). The payroll system is being blamed, but the culprit is almost certainly human.

And this past November the Shared Services Bureau of the Ontario Government committed its 11th serious breach of privacy in the last 15 months when 27,258 child-care supplement cheques went out with stubs bearing names, addresses and social insurance numbers that didn’t match those of the recipients.

Other bureau problems have included Internet-based human resources software, employees receiving the wrong pay stub and mix-ups involving applicants to the Ontario Student Loan Program.

Ontario’s Privacy Commissioner Anne Cavoukian stated: “Clearly, this is not acceptable. The message has to be delivered that protecting privacy is just as important as getting the right name on a cheque…Weaknesses must be identified, controls must be strengthened and best practices must be developed,” she wrote, in recommending an audit (now being carried out by Deloitte Touche).

The fear about many of these problems is that they could directly contribute to identity theft, the fastest growing crime in North America, and one that HR professionals need to pay attention to.

Why? A recent study of more than 1,000 identity theft arrests in the United States shows up to 70 per cent began with the theft of personal data from a company by an employee. (Being sent someone else’s financial information is a pretty good place to start as well).

Overarching all of these issues is new legislation that came into play in the last year. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) sets out what information organizations must ensure are kept private, as well as responsibilities for informing affected individuals how this information is being used as it travels between provincial and international borders. PIPEDA governs the privacy of information in provinces that haven’t enacted similar legislation. British Columbia, Alberta and Quebec all have their own substantially similar laws, while Ontario has recently passed the Health Protection Information Privacy Act.

Paper has been lost and/or misdirected for years. The problem with faxes and e-mails is that instead of one mistake sent by post (when you can always run down to the mailroom to retrieve it), we can now make really big mistakes, sending thousands of people the wrong information, and completely irretrievable from the second “send” is clicked.

How many people have had an instant epiphany just as they hit that send button, realizing a split-millisecond too late that the “Debbie” that appeared automatically in the send line is not the intended Debbie.

Oh sure, there’s a disclaimer, something like: “This e-mail and any files transmitted with it are intended for, and should only be read by the intended addressee. Its contents are confidential, and if you are not the intended addressee, please notify the sender immediately, and delete all records of the message from your computer. Any reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this message without the prior written consent of the sender are strictly prohibited. Please note, this electronic message may be altered by a third party, either intentionally or unintentionally.”

Just so you know, those tag lines don’t really lock the barn door.

Ian Turnbull is executive director of the Canadian Privacy Institute, and author of “Privacy in the Workplace – The Employment Perspective” (see www.canadianprivacyinstitute.ca). He may be contacted at [email protected] or (416) 618-0052.

To read the full story, login below.

Not a subscriber?

Start your subscription today!