Crisis Plan
By Mel Duvall | Posted 2003-03-06
When an IBM subsidiary set out to refurbish computers storing data for clients, no one could have anticipated the drama that would follow when a pocket-sized, 30-gigabyte hard drive was reported missing in January.
When the agency got the call from ISM that information on close to 5,000 of its clients was on the drive, it activated a pre-existing crisis plan. Though not designed specifically to deal with the loss of personal data, the plan was broad enough to address the issue. Communications manager Judy Orthner says within 90 minutes of receiving the call from ISM, the board's crisis-team members formed an action plan. The committee consisted of the directors of communications, information technology, and finance and operations, as well as senior managers within the technology and operations units.
Three specific actions were taken:
Orthner says the board has not yet totaled the expenses arising from the incident. But the crisis team is compiling a list of all costs and time spent on the incident for later review. Direct costs related to setting up the call center and mailings are estimated at around $6,000. Legal fees could take a bigger bite out of the board's budget.
Similar steps were taken at Co-operators Life Insurance, a division of The Co-operators Group, and Investors Group, a mutual fund company.
Co-operators, based in Guelph, Ontario, learned that information on about 176,000 of its life insurance clients was on the disk. A letter detailing the incident, and the information contained on the disk (names, addresses, value of policies, beneficiaries, social insurance numbers and individual bank account numbers), was mailed out to affected clients.
Co-operators also set up a call-center operation on Jan. 28 with 30 staffers to field questions. Even so, it wasn't enough.
"Call volumes were extremely high at points and some calls were dropped," says Dominique O'Rourke, the firm's spokeswoman, noting that volume reached 1,200 calls per day at peak periods. Co-operators' Chief Operating Officer, Dan Thornton, acknowledged that the company's letter likely caused undue alarm for some clients, but believes it was the appropriate action. "From the beginning, we have indicated that we were erring on the side of caution and have maintained that our clients had the right to know their information had been potentially compromised," he says.
In the aftermath, Co-operators conducted an internal investigation of its security measures. While O'Rourke says the firm is confident security procedures were followed, it has identified a number of areas "where security measures can be improved" and is taking steps to plug those holes.
Winnipeg-based mutual-fund firm Investors Group, which had the largest number of people affected by the security breach, notified 650,000 of its clients in a Jan. 29 letter detailing the scope of the information loss. Spokesman Ron Arnst says the company's existing call center handled calls coming into the head office regarding the incident, but the majority of calls were made to the company's 3,300 field agents—that is, investment agents assigned to individual clients. Arnst says a "small number" of accounts were lost due to the incident, but Investors' agents allayed most clients' fears.
The same cannot be said for the company's relationship with ISM. "We have made the decision not to send any further client information to ISM until we are fully satisfied that there are appropriate measures in place to protect the identity of our clients," says Arnst.
ISM Canada was considered a rising star in the outsourcing business, boasting a blue-chip list of government and corporate clients. In fact, its solid reputation was one reason IBM purchased the company in 1995 for more than $140 million. Today, the firm employs about 315 people, providing technology-project, document-management and application services, as well as general outsourcing. IBM doesn't disclose the unit's revenue.