What makes you feel better: knowing that your personal information has been lost by a major financial institution, or that there’s a 50/50 chance it’s safe?
That’s the choice facing customers of CIBC following the conclusion of an investigation by the Privacy Commissioner of Canada’s office. Two years ago the bank said a hard drive containing close to half a million customer records went missing. That’s bad. What’s worse is the 24 hours it took before they alerted the police, and the fact that customers weren’t notified for more than a month.
However, the Privacy Commissioner’s office says CIBC now isn’t sure that any of those 470,000 records were actually on the drive. This isn’t just a privacy breach: it’s a major business process mess.
“I am troubled that CIBC has been unable to establish whether a data transfer to a portable disk drive had ever been made,” assistant privacy commissioner Elizabeth Denham told the Globe and Mail. I’d be troubled too, but it goes some way toward explaining the delay in CIBC’s disclosure around this incident. If you lose a hard drive with nothing important on it, why call the cops? There aren’t many hard drives in organizations like that, however, that don’t contain something of value. As a CIBC spokesperson said, it was out of an “abundance of caution” that it ended up being treated like a bona fide crisis.
To raise panic among customers over a privacy violation that may not have happened, however, isn’t showing an abundance of responsibility. It’s not clear from the Globe story when the uncertainty around this drive came to light. Presumably if CIBC isn’t sure now, it wasn’t sure in 2006, and if so the reporting of this incident, at the very least, should have been tempered.
For IT departments, the CIBC case demonstrates an additional layer of attention that needs to be factored into your IT security strategy. We tend to focus on simply protecting the data or the IT asset, whether by technology, policy or (preferably) a combination of the two. Good security also means not simply safeguarding the device, but keeping track of what happened to the device. Portable hard drive activity might make it into the server logs, but those aren’t always updated regularly or properly. That’s where you need business process management.
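As an added illustration of what “keeping track of what happened to the device” can look like in practice (example code written for this post, not anything CIBC or the Globe described): a hash-chained custody ledger for a portable drive, in which every entry commits to the one before it, so the log can say whether a transfer to a given drive was ever recorded and can show when an entry was later edited or removed. The device tag, actors, timestamps and the 470,000 record count are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass
@dataclass
class CustodyEvent:
    seq: int
    when: str          # ISO-8601 timestamp (constructed sample values below)
    device_id: str     # asset tag of the portable drive
    action: str        # "checkout", "transfer", "checkin" or "lost"
    actor: str
    record_count: int  # customer records copied to the drive, 0 if none
    prev_hash: str     # digest of the previous entry ("0"*64 for the first)
    digest: str        # SHA-256 over this entry's fields plus prev_hash

def _digest(prev_hash, seq, when, device_id, action, actor, record_count):
    # Canonical JSON of every field, so any later edit changes the digest
    payload = json.dumps([prev_hash, seq, when, device_id, action, actor, record_count])
    return hashlib.sha256(payload.encode()).hexdigest()

class CustodyLedger:
    def __init__(self):
        self.events = []

    def append(self, when, device_id, action, actor, record_count=0):
        prev = self.events[-1].digest if self.events else "0" * 64
        seq = len(self.events)
        h = _digest(prev, seq, when, device_id, action, actor, record_count)
        self.events.append(CustodyEvent(seq, when, device_id, action, actor, record_count, prev, h))

    def verify(self):
        """Seq of the first entry that was edited, deleted or reordered; None if the chain is intact."""
        prev = "0" * 64
        for ev in self.events:
            expected = _digest(prev, ev.seq, ev.when, ev.device_id, ev.action, ev.actor, ev.record_count)
            if ev.prev_hash != prev or ev.digest != expected:
                return ev.seq
            prev = ev.digest
        return None

    def records_transferred(self, device_id):
        """Records ever copied to this drive: the question CIBC could not answer."""
        return sum(e.record_count for e in self.events
                   if e.device_id == device_id and e.action == "transfer")

def build_sample_ledger():
    # Constructed sample custody trail for one drive, not CIBC's records
    ledger = CustodyLedger()
    ledger.append("2006-10-20T09:00", "HDD-0042", "checkout", "ops-a")
    ledger.append("2006-10-20T09:30", "HDD-0042", "transfer", "ops-a", 470000)
    ledger.append("2006-10-21T17:00", "HDD-0042", "lost", "courier")
    return ledger
```

The ledger only helps if the transfer step itself writes to it; the point of the post is that the copy to the drive has to be recorded as a business process, not reconstructed afterwards from server logs.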
I doubt whether BPM and security are spoken of in the same breath by most IT managers, but CIBC’s hard drive is an object lesson in why the two are inextricably linked. With the right BPM, a missing hard drive is just a wayward piece of metal. Without it, what seemed like much ado about privacy now looks like much ado about nothing.