When an IBM subsidiary set out to refurbish computers storing data for clients, no one could have anticipated the drama that would follow when a pocket-sized, 30-gigabyte hard drive—valued at a little more than $100—was reported missing in January.
At first, managers of the IBM business believed that the drive contained limited information on clients of several government agencies in the Canadian province of Saskatchewan. But in the following days, executives from the IBM unit—Information Systems Management (ISM) Canada—said the hard drive not only contained data on about 100,000 clients of government agencies, but also highly sensitive personal information on 175,000 clients of a prominent Canadian insurance firm, and 650,000 clients of a large mutual fund company.
ISM had suddenly become embroiled in the largest information privacy breach in Canada to date.
Direct costs related to the loss of the hard drive have already reached about $500,000 (US$335,000), but industry experts say those costs will pale compared with the legal bills that will pile up in the months ahead. At least one class-action suit has been launched against ISM Canada, the Saskatchewan government, Co-operators Life Insurance, and Investors Group, seeking about $5 million in damages. More suits are expected.
The hard drive? It was recovered Feb. 5 by Regina City Police in Saskatchewan. But the data was gone. The contents apparently were deleted by an ISM employee who is believed to have been looking for a little extra storage room for his personal computing needs. The employee, Daniel Gregory Harrison, was charged with possession of stolen property under $5,000.
Harrison made his first appearance in a Regina courtroom Feb. 27, where his lawyer told reporters the long-term ISM employee had made an innocent mistake. Lawyer William Howe says Harrison took the hard drive home to work on a personal project, and in the process wiped the hard drive clean. "This is a relatively silly, unfortunate series of events," Howe says, adding that the incident had been blown out of proportion. Harrison is scheduled to appear in court again April 3.
Regina police also dont believe the personal information on close to 1 million people, which included names, addresses, social insurance numbers and bank account information, was copied to another location. The drive itself was wiped clean.
ISM only wishes it could clean up the fallout as easily.
"They say the information wasnt copied, but how can they be sure?" says an angry Alex Taylor, one of 5,000 Saskatchewan Workers Compensation Board clients whose personal information was on the disk. Taylor has joined the class-action suit launched by Tony Merchant, a lawyer from Regina. "Its easy for them to say no harm, no foul, but theyve got my bank account numbers, my drivers license, my PIN numbers…Im supposed to just relax and forget about it?"
The incident involving ISM, a 400-employee unit thats part of IBM Global Services, may prove to be an isolated, harmless security breach. But the repercussions for IBM, the outsourcing industry—and companies that hand over their clients information to technology partners—will be longer lasting.
Already the firms and government agencies involved say they refuse to renew their contracts with ISM until the company can demonstrate that its security procedures have been overhauled. The companies involved also have launched investigations into their own information security practices, and are revising disaster plans to better accommodate the loss or theft of personal information.