When we investigated the complaint we had about CIBC Visa, where the information does in fact flow into the United States, we discovered that CIBC had done everything they could to protect the information it dealt with. The agreement they had with the company they outsourced to dealt with safeguards, how the information could be used—as in not used, not disclosed—all that sort of thing. So they had taken all the appropriate steps, and the law in fact requires that to happen. If you're going to outsource, whether it's to the United States or to India, or wherever you're going, you are ultimately responsible. If you're ultimately responsible, you do the best you can to protect yourself as the organization in Canada so that we can't come along and say “We hold you responsible for the fact that this information was sold”, or what have you.
On November 27th, 2006. See this statement in context.