Bank loses unencrypted CDs containing customers’ data

June 7, 2011

Scotiabank confirmed on Monday that three CDs containing unencrypted information, such as customer social insurance and account numbers, were lost in its internal mail system. The data included names, mailing addresses, social insurance numbers, account types, and numbers for registered accounts such as RRSPs, RESPs and RRIFs. It reportedly did not include savings or chequing account numbers, any account balances, or employment information.

The bank admitted that there was non-compliance with its policy of encrypting portable storage devices that contain confidential personal information. It said it has changed its processes so future CDs will be encrypted.

The Scotiabank incident comes on the heels of other notable privacy breaches involving major corporations. In April, Sony revealed that it had suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts.

Privacy breaches such as these should concern insurers, especially when companies (such as Sony) try to make first-party claims, or when identity theft victims sue the companies over losses arising as a result of those breaches.


This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.