News of the lost hard drive proved to be particularly puzzling for the Saskatchewan Workers Compensation Board. The agency, which provides payments to workers injured on the job, had ended its contract with ISM in August 2002. ISM previously managed the process of compiling and mailing financial records of the board's annuity clients. The board moved that operation back in-house last August.
When the agency got the call from ISM that information on close to 5,000 of its clients was on the drive, it activated a pre-existing crisis plan. Though not designed specifically to deal with the loss of personal data, the plan was broad enough to address the issue.
Communications manager Judy Orthner says that within 90 minutes of receiving the call from ISM, the board's crisis-team members formed an action plan. The committee consisted of the directors of communications, information technology, and finance and operations, as well as senior managers within the technology and operations units.
Three specific actions were taken:
A letter was drafted detailing the known circumstances of the information loss, and mailed to 5,000 affected clients.
The information technology department took steps to electronically flag all client accounts. The measure would alert administrators to any unusual activities such as name or address changes, or bank-account changes.
A separate call-center unit was set up with five dedicated staffers to handle queries from clients as they received their letters or reacted to media reports on the hard-drive loss.
Orthner says the board has not yet totaled the expenses arising from the incident. But the crisis team is compiling a list of all costs and time spent on the incident for later review. Direct costs related to setting up the call center and mailings are estimated at around $6,000. Legal fees could take a bigger bite out of the board's budget.
Similar steps were taken at Co-operators Life Insurance, a division of The Co-operators Group, and Investors Group, a mutual fund company.
Co-operators, based in Guelph, Ontario, learned that information on about 176,000 of its life insurance clients was on the disk. A letter detailing the incident, and the information contained on the disk (names, addresses, value of policies, beneficiaries, social insurance numbers and individual bank account numbers), was mailed out to affected clients.
Co-operators also set up a call-center operation on Jan. 28 with 30 staffers to field questions. Even so, it wasn't enough.
"Call volumes were extremely high at points and some calls were dropped," says Dominique O'Rourke, the firm's spokeswoman, noting that volume reached 1,200 calls per day at peak periods. Co-operators Chief Operating Officer, Dan Thornton, acknowledged that the company's letter likely caused undue alarm for some clients, but believes it was the appropriate action. "From the beginning, we have indicated that we were erring on the side of caution and have maintained that our clients had the right to know their information had been potentially compromised," he says.
In the aftermath, Co-operators conducted an internal investigation of its security measures. While O'Rourke says the firm is confident security procedures were followed, it has identified a number of areas "where security measures can be improved" and is taking steps to plug those holes.
Winnipeg-based mutual-fund firm Investors Group, which had the largest number of people affected by the security breach, notified 650,000 of its clients in a Jan. 29 letter detailing the scope of the information loss. Spokesman Ron Arnst says the company's existing call center handled calls coming into the head office regarding the incident, but the majority of calls were made to the company's 3,300 field agents—that is, investment agents assigned to individual clients. Arnst says a "small number" of accounts were lost due to the incident, but Investors' agents allayed most clients' fears.
The same cannot be said for the company's relationship with ISM. "We have made the decision not to send any further client information to ISM until we are fully satisfied that there are appropriate measures in place to protect the identity of our clients," says Arnst.
ISM Canada was considered a rising star in the outsourcing business, boasting a blue-chip list of government and corporate clients. In fact, its solid reputation was a factor in IBM's purchase of the company in 1995 for more than $140 million. Today, the firm employs about 315 people, providing technology-project, document-management and application services, as well as general outsourcing. IBM doesn't disclose the unit's revenue.