Hard drive robbery sparks outsourcing debate

Authorities in Regina earlier this month found a hard drive that went missing from services firm ISM Canada Inc., which contained personal information for millions of Canadians.

According to police, the hard drive that disappeared on Jan. 16 from ISM’s Regina offices carried a variety of information, including personal customer account information gathered by a unit of the Co-operators Group Ltd., as well as Saskatchewan Telecommunications, Saskatchewan Power Corp., Investors Group Inc. and several Manitoba-based businesses.

While authorities weren’t releasing any details at press time on where the disk was found or the identity of the person charged in connection with the missing disk, a spokesperson for the Regina police department confirmed that one individual was in custody.

He added that there is no evidence to suggest any of the information contained on the disk was used maliciously.

ISM, a division of IBM Canada Ltd., offers security services to clients, both in the public and private sector. So far, Investors Group, along with the Saskatchewan government, have terminated their dealings with ISM until the company can prove the data it handles is secure.

Although the incident may cast a shadow on outsourcing, one expert says companies shouldn’t be too alarmed.

“Personally, I think it is a real stretch to make the conclusion that outsourcing puts you at more of a risk than keeping IT in-house,” said Dan McLean, director of utility research and IT outsourcing with IDC Canada Ltd. in Toronto. “The inference has been that this is going to have a bad impact on outsourcing no matter how you slice it. It is just because the circumstance was that this was an outsourced situation.”

McLean said businesses have historically been wary of outsourcing due to the risks involved. However, those risks usually pertain to loss of control over operational aspects of a business, not necessarily security, he added.

“When you have information stored on any number of hard drives out there, there is a vulnerability to it,” McLean said. “The association that is trying to be made is through the inherent risk in outsourcing. But there is a risk in computing. Because there was a breach in security, does that in a sense make all outsourcing situations equally risky? I don’t believe that for a second.”

As far as WhiteHat Inc., an information technology security provider in Burlington, Ont., is concerned, it was improper procedures, not outsourcing that caused the breach in security at ISM.

WhiteHat CEO Rosaleen Citron said the key is in the fine print of the outsourcing agreement. She explained that boundaries and determinations should be set to establish a plan of action in the case of a security breach.

Citron recommended that companies looking to outsource should question not just where their data is being kept, but how it is being kept, referring to ISM’s decision to load several companies’ information on a single drive.

Another issue brought to light by the recent incident is the question of physical security, or lack thereof in corporate environments.

“Everybody is worried about someone attacking you in a cyber fashion,” Citron said. “But, the simple fact is when someone picks up a hard drive and walks out with it, what is the devastation of that? Well, we’ve just seen it. People outsource in most cases because it will save them money. What do you think this [incident] is now going to cost? We are looking at lost business and falling share prices. You really have to think of everything and anything and put it in the contract.”