Regina police recover missing hard drive (Financial, health records of 1 million+ compromised)

REGINA-- Regina police said Tuesday they have recovered a missing computer hard drive that contained sensitive personal information on more than one million people.

Police have scheduled a news conference for Wednesday, but did say there is no indication that the information contained on the drive was targeted, nor that it was used.

The hard drive was reported missing by ISM Canada, a major information management and outsourcing company, on Jan. 16. Police treated the case as a theft and began investigating.

The disk contained up to 750,000 files on clients of Investors Group, Canada's biggest mutual fund company.

Investors Group said the data contained on the disk included clients' names and addresses, account numbers, portfolio holdings and beneficiaries. The company said the information could not be used to access clients' holdings.

The missing disk was also reported to contain files on 180,000 clients of the Co-operators Insurance Company, 10,000 customers of SaskPower, 60,000 Saskatchewan government employees and 56,000 Saskatchewan farmers.

A class-action lawsuit has already been launched in Saskatchewan against the companies and agencies that stored information the missing hard drive.

A Regina law firm, the Merchant Law Group, filed the suit on behalf of people whose personal information is contained on the hard drive.

The suit named the Government of Saskatchewan, ISM-Canada, the Co-operators Insurance Company and Investors Group as defendants in the case.

Earlier story:

C B C . C A N e w s - F u l l S t o r y :

Investors Group says customer information on missing hard drive

Last Updated Mon Feb 3 18:30:07 2003

REGINA-- Information on hundreds of thousands of clients of Investors Group was on a computer hard drive that is presumed stolen last month from ISM Canada in Regina.

Up to 750,000 customer files may have been on the missing drive, the Globe and Mail reported Monday.

Investors Group, the biggest money management company in the country, said the data contained on the disk included clients' names and addresses, account numbers, portfolio holdings and beneficiaries.

Hoping to allay consumers' fears, the money manager said there is now way for anyone to use the missing data to access client accounts in any way. The missing information doesn't include personal information normally involved in the misuse of personal data, such as social insurance numbers, dates of birth, or banking information, Investors Group said.

"I understand the concern this may cause for our clients," Jeff Orr, Investors Group's president and chief executive officer, said in a release.

"The security of our clients' information is a top priority for Investors Group, and we take this incident very seriously," he said.

The report of the missing data is the latest involving lost information on hard drives missing from ISM Canada, a subsidiary of IBM Canada.

Data on about 180,000 customers of the Co-operators insurance company is also reported to be missing.

The disk drive may have also contained information on 410,000 customers of SaskPower. About 10,000 of those customers may have had bank account information, social insurance numbers, provincial health plan numbers and driver's licence numbers taken. The other 400,000 customers are thought to have only had their names, addresses and electrical consumption data taken.

The Saskatchewan government also said last week that files on 60,000 public servants and 56,000 farmers may have been on the missing disk.

A subsidiary of IBM Canada, ISM said it is cooperating with the Regina City Police, which is treating the incident as a theft.

"We deeply regret the disruption and concern that this incident has caused our client organizations and their customers and we are committed to working through this with them every step of the way," Dan McMurtry, the CEO of ISM Canada, said.

"We respect our customers' wishes that we keep their business with us confidential," McMurty said.

ISM indicated that a spokesperson for the Regina City Police has said there is no evidence to date that the material on the drive has been used illegally.

Written by CBC News Online staff

Data processing star faces tough privacy questions

ISM Canada deals with the fallout of missing disk with client details

By DAVID AKIN

Tuesday, February 4, 2003 – Print Edition, Page B7

The company at the centre of what experts say is Canada's biggest privacy disaster was once the country's shining information technology star, a firm that had built a thriving multimillion-dollar business providing data processing services for a blue-chip client list.

Its success in building a healthy services business was the big reason International Business Machines Corp. of Armonk, N.Y., acquired ISM Canada Inc. of Regina in 1995 for more than $140-million. At the time, IBM was beginning a long process of transforming itself from primarily a maker of computer hardware to a services and consulting firm.

But today, ISM, which employs about 315 people in Saskatchewan, faces its darkest hour and its parent, IBM Canada Ltd. of Markham, Ont., must deal with some embarrassing questions about its ability to protect sensitive customer information. On Jan. 16, during a routine upgrade of a computer in ISM's Regina facility, a computer hard drive went missing and police are investigating.

The disk contained detailed personal financial and health information for, it now appears, more than one million Canadians, including Saskatchewan government employees and customers of Investors Group Inc. of Winnipeg and Co-operators General Insurance Co. of Guelph, Ont.

"It's bad practice to put two financial institutions on the same disk," said Ira Winkler, chief security strategist for Hewlett-Packard Co. of Palo Alto, Calif., one of IBM's biggest competitors. "You should never co-mingle customer data on the same disk."

ISM has said it will not comment on the specifics of the security procedures it had in place for its customers.

Michael Power, an Ottawa-based lawyer for Gowling Lafleur Henderson LLP, said it was Canada's biggest privacy disaster.

"There's the potential for lawsuits here, including class-action lawsuits in a worst-case scenario and that's why I refer to it as the Exxon Valdez of privacy," Mr. Power said.

Indeed, late yesterday, a lawsuit was filed by a Regina law firm on behalf of those whose customer records the suit alleges were put at risk, naming ISM, Investors Group, Co-operators and others as defendants.

"This is an obligation they can't expect to avoid at a senior management level. They are assumed to have been aware of these issues and will face the consequences if they're not," said Mary Kirwan, a lawyer and senior director at Kasten Chase Applied Research Ltd. of Mississauga, a maker of computer security products and services. "This does expose management and directors to civil suits."

Mr. Power, who helped draft Canada's federal privacy legislation, agreed: "The obligation is on the Co-operators and other organizations that collect personal information to make sure that any third-party contractors that they use maintain adequate security procedures."

Almost all of Canada's largest financial services companies, including banks, credit unions, mutual fund companies and insurers use third-party firms such as IBM, HP, EDS Canada, CGI Group Inc. and others to perform a host of data processing tasks. All of those firms routinely handle sensitive personal and financial information on behalf of their financial services customers.

But industry sources say it's difficult to persuade chief executive officers, chief financial officers and other non-technical executives at those financial services companies to spend money on information security, because it's difficult to gauge the return on that investment.

In other words, there's no formula a CEO can point to in order to say to his or her shareholders that for every dollar invested in computer security, there will be a corresponding improvement to the company's overall profitability.

"Only with catastrophic events, you have the benefit of hindsight to say, 'We should have . . .," said Robert Everett, an Ottawa-based vice-president with EDS Canada, another of IBM's biggest competitors. "This stuff costs money. Encryption, for example, provides a significant burden on your [IT] infrastructure and puts significant challenges on the efficiencies of an IT environment. Your response times drag and business policies have to be wrapped around it."

Dan McMurtry, who was named president and chief executive officer of ISM early in 2001, declined to discuss the specific computer security measures in place for the Co-operators, Investors Group or any other ISM customer. He conceded, though, that as each customer contracts for different services, so each customer has different security requirements and agrees to pay for different levels of security.

"It's kind of like a level of insurance. What are you prepared to pay? As you evaluate the sensitivity and the nature and likelihood associated with encryption and all of those security measures do, I think, come down to a matter of cost," Mr. McMurtry said.

Ms. Kirwan, of Kasten Chase, said the incident should serve as a wake-up call for senior executives across Canada.

"Unfortunately, this is extremely commonplace. These issues are not brought up enough in terms of the value chain, in terms of things that have to be looked at. Companies you would expect to know better do not have information security policies in place; do not have people who are responsible for information; and there is a dissociation between senior management and security personnel," Ms. Kirwan said. "What we have to do is establish a culture of security in Corporate Canada."

David Akin is national business and technology correspondent for CTV News and a contributing writer to The Globe and Mail.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.