Your company’s clients are more likely to forgive a high-tech business blunder if you’re upfront with them about the mistake, according to a banking industry insider.
That’s one of the lessons learned at BMO Financial Group after the firm faced a potential disaster involving two servers, an outsource service provider and nearly 140 customers whose information resided on computers that ended up for sale online.
After a roundtable discussion about IT security held by Microsoft Corp. and security software maker McAfee in Toronto last month, Robert Garigue, BMO’s chief information security officer and vice-president, outlined the steps his firm took to remedy a situation that could have been worse.
Garigue recalled that last September Ecosys Canada Inc., an asset management firm under an outsourcing contract to dispose of old BMO hardware, received some of the bank’s servers.
The servers’ hard drives were supposed to be wiped before Ecosys turned them over to a reseller. But an Ecosys employee mistakenly packaged up and mailed two former BMO boxes that hadn’t been cleaned of customer information to Geoff Ellis, who resells computer equipment on eBay.
Ellis, who posted the devices for sale on the Web-based auction site, discovered that the computers still stored info about some of the bank’s clients. He took the machines off the market and contacted BMO about the situation.
Although the servers were on the digital block for just a short period of time, Garigue said the state of affairs had a profound impact at BMO. The company learned a thing or two about outsourcing, internal processes and how forgiving customers can be when they’re dealt with honestly.
“We had about 137 people that we called up,” Garigue said. BMO explained to the affected customers what had happened to the servers. Garigue said the bank elicited a positive response for being so frank about the situation. “[The customers] said, ‘Thank you for informing us.’”
He takes it as a sign that it’s best to be honest with clients. “It was the right thing to do, the expected thing to do. It talks to what is expected of institutions.”
Garigue also said BMO reviewed its policies, making sure that confidential information is handled properly. “We strengthened the awareness around content management, identifying the things that had to do with regulated content and privacy laws.
“We also talked to the community,” he continued, explaining that BMO discussed the matter with other financial institutions. Those conversations yielded some questions about how well banks inform their outsource service providers.
“When we look at our data classifications across the banks, for example, we find that some have three, some have four, some have five (classifications),” Garigue said. “When you ask common outsourcers to manage certain things on your behalf, are we giving them, as a sector, the right indications about controls, retention, disposal, lifecycle management issues?”
BMO also has questions for its outsource service providers. “How are you governing your own regulated content in your organization? Some of that is part of my value chain…. We want to make sure it’s managed appropriately.”
Garigue said the Ecosys predicament didn’t cause BMO to reconsider its outsourcing ways. He likened outsourcing to the brakes in a car. The brakes let a driver push harder on the gas pedal, because the driver knows she can slow down for corners and stop for red lights. BMO can focus on IT projects that propel the business, because another company is doing the high-tech maintenance work.
Garigue said the server sale could have been worse. At least Ellis checked the boxes and took them down from eBay quickly. And Ecosys’ mistake was nothing more than that: a mistake, no indication of a serious process breakdown at the Dorval, Que. company.
“It’s been a great learning experience,” Garigue said. “It was a painful one, but one in which a lot of people suddenly realized what content management and information management was all about.”
— With files from Chris Conrath