CIBC could have prevented faxes containing confidential customer information from being sent to outside parties, said federal privacy commissioner Jennifer Stoddart.

"That the bank's privacy practices were not functioning on a practical level should serve as a wake-up call to all organizations in Canada," she said.

Stoddart made public Monday her findings of an investigation into reports of misdirected faxes which occurred between 2001 and 2004.

She said she was concerned that the misdirected faxes continued to occur over several years, and that attempts to stop the problem did not work.

"It's serious because we have a major financial organization, that was bound by the law since January of 2000, several years later clearly didn't have adequate implementation procedures in place," she said.

Stoddart also cited the bank for not appropriately recovering customer personal information, or informing customers until the issue had become public.

"Canadians expect much more from the institutions they entrust with their personal information," Stoddart said.

Last year, CTV News reported that the owner of a scrap yard in Ridgely, W. Va., had been receiving the faxes. Faxes had also been sent to another company in the Montreal suburb of Dorval.

The scrap yard owner said the forms contained social security numbers, home addresses, phone numbers and detailed bank account information.

Stoddart said she was "disappointed that an apparently well-organized institution such as CIBC failed to recognize that the misdirected faxes were a privacy issue."

She said simply publishing a privacy policy does not make a business privacy compliant.

"Organizations must ensure that all employees are aware of and adhere to privacy policies. When there are breaches, these must be brought to the immediate attention of the organization's privacy officials," Stoddart said.

In response to Stoddart's findings, the bank said it accepts the findings of the report, and has already begun implementing all of the recommended actions.

"The first I learned of the incidents involving the West Virginia faxing was literally an hour or two before you made it a national issue," Ron Lalonde, CIBC's chief privacy officer, told CTV News.

"Once I did find out about it, once other senior executives found out about it, I think we reacted very quickly."

CIBC faces other fallout from the incident.

Tim Speevak's personal information was faxed by CIBC to West Virginia. He is suing the bank for $9 million in damages.

"Identity theft. Pure and simple. All the key information and more to pull it off was out there," he told CTV News.

CTV News reported last fall that Scotiabank and T-D Bank had also faxed confidential data to the wrong parties. Now it has learned the Royal Bank has done the same thing.

However, Stoddart said none of the problems with those banks is on the scale of the CIBC's problem.

With a report from CTV's David Akin and files from The Canadian Press