Crisis Plan

By Mel Duvall  |  Posted 2003-03-06 Print this article Print

When an IBM subsidiary set out to refurbish computers storing data for clients, no one could have anticipated the drama that would follow when a pocket-sized, 30-gigabyte hard drive was reported missing in January.

Crisis Plan
News of the lost hard drive proved to be particularly puzzling for the Saskatchewan Workers' Compensation Board. The agency, which provides payments to workers injured on the job, had ended its contract with ISM in August 2002. ISM previously managed the process of compiling and mailing financial records of the board's annuity clients. The board moved that operation back in-house last August.

When the agency got the call from ISM that information on close to 5,000 of its clients was on the drive, it activated a pre-existing crisis plan. Though not designed specifically to deal with the loss of personal data, the plan was broad enough to address the issue. Communications manager Judy Orthner says within 90 minutes of receiving the call from ISM, the board's crisis-team members formed an action plan. The committee consisted of the directors of communications, information technology, and finance and operations, as well as senior managers within the technology and operations units.

Three specific actions were taken:

  • A letter was drafted detailing the known circumstances of the information loss, and mailed to 5,000 affected clients.

  • The information technology department took steps to electronically flag all client accounts. The measure would alert administrators to any unusual activities such as name or address changes, or bank-account changes.
  • A separate call-center unit was set up with five dedicated staffers to handle queries from clients as they received their letters or reacted to media reports on the hard-drive loss.

    Orthner says the board has not yet totaled the expenses arising from the incident. But the crisis team is compiling a list of all costs and time spent on the incident for later review. Direct costs related to setting up the call center and mailings are estimated at around $6,000. Legal fees could take a bigger bite out of the board's budget.

    Similar steps were taken at Co-operators Life Insurance, a division of The Co-operators Group, and Investors Group, a mutual fund company.

    Co-operators, based in Guelph, Ontario, learned that information on about 176,000 of its life insurance clients was on the disk. A letter detailing the incident, and the information contained on the disk (names, addresses, value of policies, beneficiaries, social insurance numbers and individual bank account numbers), was mailed out to affected clients.

    Co-operators also set up a call-center operation on Jan. 28 with 30 staffers to field questions. Even so, it wasn't enough.

    "Call volumes were extremely high at points and some calls were dropped," says Dominique O'Rourke, the firm's spokeswoman, noting that volume reached 1,200 calls per day at peak periods. Co-operators' Chief Operating Officer, Dan Thornton, acknowledged that the company's letter likely caused undue alarm for some clients, but believes it was the appropriate action. "From the beginning, we have indicated that we were erring on the side of caution and have maintained that our clients had the right to know their information had been potentially compromised," he says.

    In the aftermath, Co-operators conducted an internal investigation of its security measures. While O'Rourke says the firm is confident security procedures were followed, it has identified a number of areas "where security measures can be improved" and is taking steps to plug those holes.

    Winnipeg-based mutual-fund firm Investors Group, which had the largest number of people affected by the security breach, notified 650,000 of its clients in a Jan. 29 letter detailing the scope of the information loss. Spokesman Ron Arnst says the company's existing call center handled calls coming into the head office regarding the incident, but the majority of calls were made to the company's 3,300 field agents—that is, investment agents assigned to individual clients. Arnst says a "small number" of accounts were lost due to the incident, but Investors' agents allayed most clients' fears.

    The same cannot be said for the company's relationship with ISM. "We have made the decision not to send any further client information to ISM until we are fully satisfied that there are appropriate measures in place to protect the identity of our clients," says Arnst. ISM Canada was considered a rising star in the outsourcing business, boasting a blue-chip list of government and corporate clients. In fact, its solid reputation was a factor why IBM purchased the company in 1995 for more than $140 million. Today, the firm employs about 315 people, providing technology-project, document-management and application services, as well as general outsourcing. IBM doesn't disclose the unit's revenue.

  • <1234>
    Contributing Editor
    Mel Duvall is a veteran business and technology journalist, having written for a variety of daily newspapers and magazines for 17 years. Most recently he was the Business Commerce Editor for Interactive Week, and previously served as a senior business writer for The Financial Post.


    Submit a Comment

    Loading Comments...
    eWeek eWeek

    Have the latest technology news and resources emailed to you everyday.