Mary Gazze of The Canadian Press reports:
Scotiabank says it will use digital locks on data discs after three CDs containing unencrypted information, such as customer social insurance and account numbers, were lost in its internal mail system.
The bank said a “small percentage” of customers are affected, but it is warning clients as a precaution so they can monitor accounts for any fraudulent activity.
[….]
The information on the discs was not encrypted, and was set to be transferred to the Canada Revenue Agency as part of the bank’s requirements to report the information.
The data included names, mailing addresses, social insurance numbers, account types, and numbers for registered accounts such as RRSPs, RESPs and RRIFs. It does not include savings or chequing account numbers, any account balances or employment information.
“It is clear that there was non-compliance with the bank’s policy of encrypting portable storage devices that contain confidential personal information,” the bank said.
“This appears to have been due to a belief that Canada Revenue Agency (CRA) would not accept encrypted files that, upon further examination, appears to be inaccurate.”
Read more on CanadianBusiness.com.
Okay, so the bank misunderstood. Not good, obviously. But assuming that this would not be the first time the bank was transferring required information to Canadian Revenue, why didn’t Canadian Revenue ever contact them and say, “Hey, you’re supposed to be sending this stuff encrypted?”