All firms and government agencies in the incident say they are satisfied with the Regina police assessment that information from the stolen hard drive was not accessed or copied. ISM spokeswoman Anne Mowat confirmed that the hard drive was taken from a standard PC workstation and was a backup to information stored elsewhere.
"Even if that is proven to be the case, the organizations cannot be absolved of neglecting their duties to protect their clients' information," says lawyer Merchant. He plans to recover costs on behalf of clients like Taylor, who says he spent about $1,200 changing bank accounts and obtaining new personal documents. Merchant also plans to seek even heftier punitive damages from the courts.
"Here you have very large, reputable organizations like IBM, Co-operators and Investors Group, and their course of conduct has been totally unacceptable," says Merchant. "They have shown negligence in the way they simply passed off personal information about their clients to a third party, without adequately ensuring its security. The [punitive] award has to say to the corporate world, you cannot show this lack of care with personal information."
Talk of punitive damages and the resulting negative publicity are reasons why companies need strategies to deal with the loss of private information as part of their crisis plans, says Jo-Anne Polak, head of the National Crisis Practice for public relations firm Hill & Knowlton in Ottawa. "In a crisis, you don't scrimp. You spend whatever is required because it can literally mean the life or death of a company," she says.
Direct costs related to the theft of the hard drive already are substantial, but Polak says they dwarf legal and administrative costs to be amassed in the coming months and years. "When you add up all of the hard costs—the mailings, customer service representatives—multiply that by 100 to get closer to the true costs of handling this kind of crisis," she says.
For its part, ISM refuses to answer any questions about the nature of the loss of the hard drive, or what actions it is now taking to protect its customers' data.
Ira Winkler, chief security strategist for Hewlett-Packard of Palo Alto, Calif., and a prime competitor to IBM, says the firms directly involved will learn from the incident, but he's not so certain the outsourcing industry as a whole will take heed. He says companies talk a good game when it comes to protecting their clients' personal information, but when it comes to paying for that security, they're more apt to be "penny-wise and pound-foolish."
"The only unusual thing about this whole incident is that it was reported," adds Winkler. "Things like this happen all the time. It's to their credit that they were able to determine something was missing and actually track it down."
Contributing Editor Mel Duvall is a veteran business and technology journalist, having written for a variety of daily newspapers and magazines for 17 years. Most recently he was the Business Commerce Editor for Interactive Week, and previously served as a senior business writer for The Financial Post.