Newsworld's Nancy Wilson talks with Ontario's information and privacy commissioner, Ann Cavoukian.(Runs 4:00)
Both in RealVideo format.
Newsworld's Nancy Wilson talks with Ontario's information and privacy commissioner, Ann Cavoukian.Both in RealVideo format.
The company at the centre of what experts say is Canada's biggest privacy disaster was once the country's shining information technology star, a firm that had built a thriving multimillion-dollar business providing data processing services for a blue-chip client list.
Its success in building a healthy services business was the big reason International Business Machines Corp. of Armonk, N.Y., acquired ISM Canada Inc. of Regina in 1995 for more than $140-million. At the time, IBM was beginning a long process of transforming itself from primarily a maker of computer hardware to a services and consulting firm.
But today, ISM, which employs about 315 people in Saskatchewan, faces its darkest hour and its parent, IBM Canada Ltd. of Markham, Ont., must deal with some embarrassing questions about its ability to protect sensitive customer information. On Jan. 16, during a routine upgrade of a computer in ISM's Regina facility, a computer hard drive went missing and police are investigating.
The disk contained detailed personal financial and health information for, it now appears, more than one million Canadians, including Saskatchewan government employees and customers of Investors Group Inc. of Winnipeg and Co-operators General Insurance Co. of Guelph, Ont.
"It's bad practice to put two financial institutions on the same disk," said Ira Winkler, chief security strategist for Hewlett-Packard Co. of Palo Alto, Calif., one of IBM's biggest competitors. "You should never co-mingle customer data on the same disk."
ISM has said it will not comment on the specifics of the security procedures it had in place for its customers.
Michael Power, an Ottawa-based lawyer for Gowling Lafleur Henderson LLP, said it was Canada's biggest privacy disaster.
"There's the potential for lawsuits here, including class-action lawsuits in a worst-case scenario and that's why I refer to it as the Exxon Valdez of privacy," Mr. Power said.
Indeed, late yesterday, a lawsuit was filed by a Regina law firm on behalf of those whose customer records the suit alleges were put at risk, naming ISM, Investors Group, Co-operators and others as defendants.
"This is an obligation they can't expect to avoid at a senior management level. They are assumed to have been aware of these issues and will face the consequences if they're not," said Mary Kirwan, a lawyer and senior director at Kasten Chase Applied Research Ltd. of Mississauga, a maker of computer security products and services. "This does expose management and directors to civil suits."
Mr. Power, who helped draft Canada's federal privacy legislation, agreed: "The obligation is on the Co-operators and other organizations that collect personal information to make sure that any third-party contractors that they use maintain adequate security procedures."
Almost all of Canada's largest financial services companies, including banks, credit unions, mutual fund companies and insurers use third-party firms such as IBM, HP, EDS Canada, CGI Group Inc. and others to perform a host of data processing tasks. All of those firms routinely handle sensitive personal and financial information on behalf of their financial services customers.
But industry sources say it's difficult to persuade chief executive officers, chief financial officers and other non-technical executives at those financial services companies to spend money on information security, because it's difficult to gauge the return on that investment.
In other words, there's no formula a CEO can point to in order to say to his or her shareholders that for every dollar invested in computer security, there will be a corresponding improvement to the company's overall profitability.
"Only with catastrophic events, you have the benefit of hindsight to say, 'We should have . . .," said Robert Everett, an Ottawa-based vice-president with EDS Canada, another of IBM's biggest competitors. "This stuff costs money. Encryption, for example, provides a significant burden on your [IT] infrastructure and puts significant challenges on the efficiencies of an IT environment. Your response times drag and business policies have to be wrapped around it."
Dan McMurtry, who was named president and chief executive officer of ISM early in 2001, declined to discuss the specific computer security measures in place for the Co-operators, Investors Group or any other ISM customer. He conceded, though, that as each customer contracts for different services, so each customer has different security requirements and agrees to pay for different levels of security.
"It's kind of like a level of insurance. What are you prepared to pay? As you evaluate the sensitivity and the nature and likelihood associated with encryption and all of those security measures do, I think, come down to a matter of cost," Mr. McMurtry said.
Ms. Kirwan, of Kasten Chase, said the incident should serve as a wake-up call for senior executives across Canada.
"Unfortunately, this is extremely commonplace. These issues are not brought up enough in terms of the value chain, in terms of things that have to be looked at. Companies you would expect to know better do not have information security policies in place; do not have people who are responsible for information; and there is a dissociation between senior management and security personnel," Ms. Kirwan said. "What we have to do is establish a culture of security in Corporate Canada."
David Akin is national business and technology correspondent for CTV News and a contributing writer to The Globe and Mail.