The disappearance of a corporate hard drive containing thousands of customer records is the largest privacy debacle in Canadian history, experts say.
On Jan. 16, a disk drive went missing from Information Systems Management (ISM) Canada, an IBM Canada subsidiary based in Regina. ISM was holding
social insurance numbers, banking authorization, credit card numbers and dates of birth for The Co-operators Life Insurance Co.
The disappearance prompted The Co-operators to send out a letter Jan. 27 to 180,000 of its life insurance and pension clients informing them some of their personal information held on disk was missing.
The disk was recovered by Regina police Feb. 3, according to published reports, and at press time, charges were pending against a single individual.
ISM actually reported the incident to the Regina Police Services on Jan. 16, says Sergeant Rick Bourassa of the Regina Police Service.
Data from other private and public sector companies, including SaskTel and SaskPower, the provincial workers’ compensation plan, a unit of Co-operators Group Ltd. of Guelph, Ont., Winnipeg-based Investors Group Inc. and thousands of Manitoba businesses was also contained on the disk.
A Regina law firm has launched a class-action suit against ISM and several of its clients, including Co-operators and Investors Group, on behalf of people whose information was on the disk, alleging the companies failed to properly protect information and did not promptly inform those affected.
According to Mary Kirwan, a lawyer with Mississauga, Ont.-based security company Kasten Chase, this type of theft is more common than people are led to believe. The Co-operators is a rare instance wherein it has actually been reported.
“”Unfortunately, sometimes companies put in every type of security you can think of, then they forget that sometimes the biggest weak link is their employees,”” says Kirwan. “”Insider attack is usually the vulnerable point.
“”You could have a lot of good security (but) you might not have proper policies and procedures in place in terms of your employees. You might just have a few bad eggs.””
Co-operators CEO Kathy Bardswick says the insurance company is conducting its own review of security procedures and is helping investigate the matter with ISM and Regina police. Whether the company will terminate its contract with ISM will be determined pending the review. ISM did not return calls for comment at press time.
“”I think every organization needs to be vigilant to do what it can to prevent this kind of occurrence from happening,”” says Bardswick. “”At this point our investigation is not complete. I can’t actually comment on what did go wrong, if anything.””
The risk of data loss increases if its management is outsourced to another provider, says IDC analyst Jonathan Gaw. “”Often times the people you outsource to don’t have the same kind of sensitivities to these things that perhaps an insurance company might.””