Radhika is an employee of the TransCanadian Savings and Loan Corporation. After coming back from picking up her lunch one day, having left her office door wide open, as always, she noticed her laptop had been stolen from its docking station. Realizing that sensitive and personal information for more than 800 of her customers was contained on her machine, she immediately told her supervisor. The bank duly reported the theft to the Office of the Privacy Commissioner of Canada.

Carmen was a customer of the bank. Almost three months later, he received a letter from the bank in which he was merely advised to contact the institution about a "current matter." Only when he called the bank was he informed of the theft and the potential security risk to his credit information. He was then advised to contact two credit bureaus and have an alert put on his file.

During an investigation, it came to light not only that the laptop had been left unattended in the employee's office, but also that the office door did not have a lock on it. Further, Radhika's office was located on a corridor accessible to a public area by a door that was always unlocked during business hours. The bank also admitted that Radhika had not followed the company's data backup requirements or its security procedures regarding laptop computers.

Analyze and discuss the above privacy breach in light of the bank's obligations pursuant to PIPEDA. What are the potential risks that Carmen faces now that his personal information has been stolen? What steps might the bank have taken to avoid this situation?