When an IBM subsidiary set out to refurbish computers storing data for clients, no one could have anticipated the drama that would follow when a pocket-sized, 30-gigabyte hard drive—valued at a little more than $100—was reported missing in January.
At first, managers of the IBM business believed that the drive contained limited information on clients of several government agencies in the Canadian province of Saskatchewan. But in the following days, executives from the IBM unit—Information Systems Management (ISM) Canada—said the hard drive not only contained data on about 100,000 clients of government agencies, but also highly sensitive personal information on 175,000 clients of a prominent Canadian insurance firm, and 650,000 clients of a large mutual fund company.
ISM had suddenly become embroiled in the largest information privacy breach in Canada to date.
Direct costs related to the loss of the hard drive have already reached about $500,000 (US$335,000), but industry experts say those costs will pale compared with the legal bills that will pile up in the months ahead. At least one class-action suit has been launched against ISM Canada, the Saskatchewan government, Co-operators Life Insurance, and Investors Group, seeking about $5 million in damages. More suits are expected.
The hard drive? It was recovered Feb. 5 by Regina City Police in Saskatchewan. But the data was gone. The contents apparently were deleted by an ISM employee who is believed to have been looking for a little extra storage room for his personal computing needs. The employee, Daniel Gregory Harrison, was charged with possession of stolen property under $5,000.
Harrison made his first appearance in a Regina courtroom Feb. 27, where his lawyer told reporters the long-term ISM employee had made an innocent mistake. Lawyer William Howe says Harrison took the hard drive home to work on a personal project, and in the process wiped the hard drive clean. "This is a relatively silly, unfortunate series of events," Howe says, adding that the incident had been blown out of proportion. Harrison is scheduled to appear in court again April 3.
Regina police also don't believe the personal information on close to 1 million people, which included names, addresses, social insurance numbers and bank account information, was copied to another location. The drive itself was wiped clean.
ISM only wishes it could clean up the fallout as easily.
"They say the information wasn't copied, but how can they be sure?" says an angry Alex Taylor, one of 5,000 Saskatchewan Workers' Compensation Board clients whose personal information was on the disk. Taylor has joined the class-action suit launched by Tony Merchant, a lawyer from Regina. "It's easy for them to say no harm, no foul, but they've got my bank account numbers, my driver's license, my PIN numbers. I'm supposed to just relax and forget about it?"
The incident involving ISM, a 400-employee unit that's part of IBM Global Services, may prove to be an isolated, harmless security breach. But the repercussions for IBM, the outsourcing industry—and companies that hand over their clients' information to technology partners—will be longer lasting.
Already the firms and government agencies involved say they refuse to renew their contracts with ISM until the company can demonstrate that its security procedures have been overhauled. The companies involved also have launched investigations into their own information security practices, and are revising disaster plans to better accommodate the loss or theft of personal information.
When the Saskatchewan Workers' Compensation Board got the call from ISM that information on close to 5,000 of its clients was on the drive, it activated a pre-existing crisis plan. Though not designed specifically to deal with the loss of personal data, the plan was broad enough to address the issue. Communications manager Judy Orthner says within 90 minutes of receiving the call from ISM, the board's crisis-team members formed an action plan. The committee consisted of the directors of communications, information technology, and finance and operations, as well as senior managers within the technology and operations units.
Three specific actions were taken:
Orthner says the board has not yet totaled the expenses arising from the incident. But the crisis team is compiling a list of all costs and time spent on the incident for later review. Direct costs related to setting up the call center and mailings are estimated at around $6,000. Legal fees could take a bigger bite out of the board's budget.
Similar steps were taken at Co-operators Life Insurance, a division of The Co-operators Group, and Investors Group, a mutual fund company.
Co-operators, based in Guelph, Ontario, learned that information on about 176,000 of its life insurance clients was on the disk. A letter detailing the incident, and the information contained on the disk (names, addresses, value of policies, beneficiaries, social insurance numbers and individual bank account numbers), was mailed out to affected clients.
Co-operators also set up a call-center operation on Jan. 28 with 30 staffers to field questions. Even so, it wasn't enough.
"Call volumes were extremely high at points and some calls were dropped," says Dominique O'Rourke, the firm's spokeswoman, noting that volume reached 1,200 calls per day at peak periods. Co-operators Chief Operating Officer, Dan Thornton, acknowledged that the company's letter likely caused undue alarm for some clients, but believes it was the appropriate action. "From the beginning, we have indicated that we were erring on the side of caution and have maintained that our clients had the right to know their information had been potentially compromised," he says.
In the aftermath, Co-operators conducted an internal investigation of its security measures. While O'Rourke says the firm is confident security procedures were followed, it has identified a number of areas "where security measures can be improved" and is taking steps to plug those holes.
Winnipeg-based mutual-fund firm Investors Group, which had the largest number of people affected by the security breach, notified 650,000 of its clients in a Jan. 29 letter detailing the scope of the information loss. Spokesman Ron Arnst says the company's existing call center handled calls coming into the head office regarding the incident, but the majority of calls were made to the company's 3,300 field agents—that is, investment agents assigned to individual clients. Arnst says a "small number" of accounts were lost due to the incident, but Investors agents allayed most clients' fears.
The same cannot be said for the company's relationship with ISM. "We have made the decision not to send any further client information to ISM until we are fully satisfied that there are appropriate measures in place to protect the identity of our clients," says Arnst. ISM Canada was considered a rising star in the outsourcing business, boasting a blue-chip list of government and corporate clients. In fact, its solid reputation was a factor in why IBM purchased the company in 1995 for more than $140 million. Today, the firm employs about 315 people, providing technology-project, document-management and application services, as well as general outsourcing. IBM doesn't disclose the unit's revenue.
Punitive Damages Sought
"Even if that is proven to be the case, the organizations cannot be absolved of neglecting their duties to protect their clients' information," says lawyer Merchant. He plans to recover costs on behalf of clients like Taylor, who says he spent about $1,200 changing bank accounts and obtaining new personal documents. Merchant also plans to seek even heftier punitive damages from the courts.
"Here you have very large, reputable organizations like IBM, Co-operators and Investors Group, and their course of conduct has been totally unacceptable," says Merchant. "They have shown negligence in the way they simply passed off personal information about their clients to a third party, without adequately ensuring its security. The [punitive] award has to say to the corporate world, you cannot show this lack of care with personal information."
Talk of punitive damages and the resulting negative publicity are reasons why companies need strategies to deal with the loss of private information as part of their crisis plans, says Jo-Anne Polak, head of the National Crisis Practice for public relations firm Hill & Knowlton in Ottawa. "In a crisis, you don't scrimp. You spend whatever is required because it can literally mean the life or death of a company," she says.
Direct costs related to the theft of the hard drive already are substantial, but Polak says they will be dwarfed by the legal and administrative costs to be amassed in the coming months and years. "When you add up all of the hard costs—the mailings, customer service representatives—multiply that by 100 to get closer to the true costs of handling this kind of crisis," she says.
For its part, ISM refuses to answer any questions about the nature of the loss of the hard drive, or what actions it is now taking to protect its customers' data.
Ira Winkler, chief security strategist for Hewlett-Packard of Palo Alto, Calif., and a prime competitor to IBM, says the firms directly involved will learn from the incident, but he's not so certain the outsourcing industry as a whole will take heed. He says companies talk a good game when it comes to protecting their clients' personal information, but when it comes to paying for that security, they're more apt to be "penny-wise and pound-foolish."
"The only unusual thing about this whole incident is that it was reported," adds Winkler. "Things like this happen all the time. It's to their credit that they were able to determine something was missing and actually track it down."
Co-operators Base Case
Headquarters: Priory Square, Guelph, Ontario, Canada N1H 6P8
Phone: (519) 824-4400
Business: One of Canada's largest full-line insurance providers
Chief Executive Officer: Kathy Bardswick
Financials: US$1.4 billion in revenues 2001, US$20.2 million profit
Challenge: Co-operators Life division hires ISM Canada to compile policy statements for life insurance and pensions. In January, it learned that a hard drive containing personal data on 176,000 of its clients was missing.
- Assemble pre-established 12-member emergency response team within 24 hours of security breach report
- Respond to all customers by mail within 48 hours and set up call center to handle follow-up inquiries
- Avoid future exposure of clients' personal data, whether it is maintained internally or handled by outside vendors