CIBC’s could-be security breach raises BPM issues

What makes you feel better: knowing that your personal information has been lost by a major financial institution, or that there’s a 50/50 chance it’s safe?

That’s the choice facing customers of CIBC following the conclusion of an investigation by the Privacy Commissioner of Canada’s office. Two years ago the bank said a hard drive containing close to half a million customer records went missing. That’s bad. What’s worse is the 24 hours it took before the bank alerted the police, and the fact that customers weren’t notified for more than a month.

However, the Privacy Commissioner’s office says CIBC now isn’t sure that any of those 470,000 records were actually on the drive. This isn’t just a privacy breach: it’s a major business process mess.

“I am troubled that CIBC has been unable to establish whether a data transfer to a portable disk drive had ever been made,” assistant privacy commissioner Elizabeth Denham told the Globe and Mail. I’d be troubled too, but it goes some way toward explaining the delay in CIBC’s disclosure around this incident. If you lose a hard drive with nothing important on it, why call the police? Few hard drives in an organization of that kind contain nothing of value, however. As a CIBC spokesperson said, it was out of an “abundance of caution” that the loss ended up being treated like a bona fide crisis.

To raise panic among customers over a privacy violation that may not have happened, however, isn’t showing an abundance of responsibility. It’s not clear from the Globe story when the uncertainty around this drive came to light. Presumably if CIBC isn’t sure now, it wasn’t sure in 2006, and if so the reporting of this incident, at the very least, should have been tempered.

For IT departments, the CIBC case demonstrates an additional layer of attention that needs to be factored into an IT security strategy. We tend to focus on simply protecting the data or the IT asset, whether by technology, policy or (preferably) a combination of the two. Good security also means not simply safeguarding the device, but keeping track of what happened to it: when it was attached, what was copied to it, and when it left. Attaching a portable hard drive and writing to it might make it into the server logs, but those logs aren’t always complete, kept, or reviewed, and a gap in them leaves you unable to say whether a transfer ever happened. That’s where you need business process management.
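What such a trail looks like when it is actually kept, as an added example that is not part of the original article and not CIBC’s own process: a small Python script that correlates constructed attach, mount, write, unmount and detach events per drive serial number and reports, for each drive, whether a transfer was recorded, whether none was recorded, or whether the trail has a gap and the question cannot be answered either way. The log line format, device serials, paths and byte counts are all invented for this example; they are not any real kernel, mount or file-audit daemon’s output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample audit trail. The line format ("<ISO time> <source> <message>")
# and the device serials are invented for this example; they are not CIBC's logs
# and not any real kernel, mount or file-audit daemon's output.
SAMPLE_LOG = """\
2006-01-15T09:02:11 kernel usb-storage: device attached serial=WD-ABC123 dev=sdb
2006-01-15T09:02:14 automount mounted dev=sdb at /media/wd-abc123
2006-01-15T09:05:40 fileaudit write path=/media/wd-abc123/export.csv bytes=52428800 user=batchjob
2006-01-15T09:41:02 automount unmounted /media/wd-abc123
2006-01-15T09:41:05 kernel usb-storage: device detached serial=WD-ABC123
2006-01-16T14:10:00 kernel usb-storage: device attached serial=SG-XYZ789 dev=sdc
2006-01-16T14:10:03 automount mounted dev=sdc at /media/sg-xyz789
2006-01-16T15:00:00 kernel usb-storage: device detached serial=SG-XYZ789
2006-01-17T08:00:00 kernel usb-storage: device attached serial=TS-QRS456 dev=sdb
2006-01-17T08:00:02 automount mounted dev=sdb at /media/ts-qrs456
2006-01-17T08:30:00 automount unmounted /media/ts-qrs456
2006-01-17T08:30:05 kernel usb-storage: device detached serial=TS-QRS456
"""

ATTACH = re.compile(r"device attached serial=(\S+) dev=(\S+)")
DETACH = re.compile(r"device detached serial=(\S+)")
MOUNT = re.compile(r"\bmounted dev=(\S+) at (\S+)")
UNMOUNT = re.compile(r"unmounted (\S+)")
WRITE = re.compile(r"write path=(\S+) bytes=(\d+) user=(\S+)")


@dataclass
class Custody:
    """Chain of custody for one removable drive, keyed by its serial number."""
    serial: str
    dev: str
    attached_at: str
    detached_at: Optional[str] = None
    mountpoint: Optional[str] = None
    unmounted: bool = False
    files: List[str] = field(default_factory=list)
    bytes_written: int = 0
    gaps: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        # A gap means the absence of write records proves nothing, which is the
        # position CIBC ended up in: unable to say whether a transfer was made.
        if self.gaps:
            return "incomplete trail"
        return "transfer recorded" if self.files else "no transfer recorded"


def custody_report(log_text: str) -> Dict[str, Custody]:
    """Correlate attach, mount, write, unmount and detach events per drive."""
    by_serial: Dict[str, Custody] = {}
    by_dev: Dict[str, Custody] = {}      # currently attached block devices
    by_mount: Dict[str, Custody] = {}    # currently mounted paths
    # ISO-8601 timestamps sort lexically, so sorting merges the sources in time order.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts, _source, msg = line.split(" ", 2)
        if m := ATTACH.search(msg):
            serial, dev = m.groups()
            rec = Custody(serial, dev, ts)
            by_serial[serial] = rec
            by_dev[dev] = rec
        elif m := MOUNT.search(msg):
            dev, mountpoint = m.groups()
            if rec := by_dev.get(dev):
                rec.mountpoint = mountpoint
                by_mount[mountpoint] = rec
        elif m := WRITE.search(msg):
            path, nbytes, _user = m.groups()
            # Attribute the write to whichever mounted drive the path lives on.
            for mountpoint, rec in by_mount.items():
                if path.startswith(mountpoint + "/"):
                    rec.files.append(path)
                    rec.bytes_written += int(nbytes)
        elif m := UNMOUNT.search(msg):
            if rec := by_mount.pop(m.group(1), None):
                rec.unmounted = True
        elif m := DETACH.search(msg):
            if rec := by_serial.get(m.group(1)):
                rec.detached_at = ts
                by_dev.pop(rec.dev, None)
                if rec.mountpoint and not rec.unmounted:
                    # Pulled while still mounted: writes may never have been logged.
                    rec.gaps.append("detached without unmount; writes may be unrecorded")
                    by_mount.pop(rec.mountpoint, None)
    for rec in by_serial.values():
        if rec.detached_at is None:
            rec.gaps.append("no detach record; device may still be connected")
    return by_serial


if __name__ == "__main__":
    for serial, rec in custody_report(SAMPLE_LOG).items():
        print(f"{serial}: {rec.verdict()} "
              f"({len(rec.files)} files, {rec.bytes_written} bytes, gaps={rec.gaps})")
```

Run against the constructed trail, the first drive gets "transfer recorded" (one file, 52428800 bytes), the third "no transfer recorded", and the second "incomplete trail": it was detached while still mounted, so the missing write records cannot be read as proof that nothing was copied. The point of the verdict logic is that a process which can only ever produce the first two answers is lying about its own completeness; the third answer is what tells you the log, not the drive, is the problem.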

I doubt whether BPM and security are spoken of in the same breath by most IT managers, but CIBC’s hard drive is an object lesson in why the two are inextricably linked. With the right BPM, you know whether a missing hard drive is just a wayward piece of metal. Without it, what seemed like much ado about privacy now looks like much ado about nothing.

Shane Schick