Interview with Bank of Montreal
October 2003
Terry McQuay, Nymity's President, recently spoke
with Dina Palozzi, Executive Vice-President, Client Relations,
BMO Nesbitt Burns and Senior Vice-President and Chief Privacy
Officer, BMO Financial Group of Bank of Montreal about the
privacy issues regarding a recent privacy incident.
Nymity: Dina, on September 12th Geoff Ellis reported to
the Bank of Montréal and the Toronto Star that he had obtained
second hand computer disks that contained Bank of Montreal's
customer data. What happened?
Palozzi: Well, let me clarify one thing for you, Terry. Mr. Ellis bought two obsolete computer servers, not disks, which he intended to refurbish and resell via auction. Most of the information on these servers contained 'transactional information', for example, showing a dollar amount being transferred from one account to another, but with no information that would identify a customer or even be discernible by anyone other than a bank employee. However, there were a small number of records containing personal customer information and that is why we moved quickly to secure the data and contact our customers.
When BMO Financial Group replaces obsolete servers, we typically
contract with a third party service provider to have all of
the data on our obsolete servers deleted or 'scrubbed' before
they can be offered for sale to interested 'resellers'. This
is a standard approach within the industry. The outside company
we use is highly regarded and very dependable.
Unfortunately, due to human error, one of the supplier's
employees mistakenly shipped two servers that had not yet
been scrubbed.
When we discovered this, we immediately contacted Mr. Ellis
who cooperated with us fully and held the servers for us.
We were able to retrieve the equipment and data the next day.
After a very thorough and structured examination of the data,
we identified 350 customers whose personal information was
on one or both of the servers. We have been contacting customers
since last week to explain to them what has happened and assure
them that their information and their accounts remain secure.
Nymity: Your privacy office is prepared for breaches of
this nature. Please share with us your processes for handling
such events.
Palozzi: We have a process in place that ensures we can react
quickly and effectively to mitigate a compromise or the impact
of any compromise of customer information.
A response team representing corporate and information security,
line of business operations, communications and executive
management is immediately engaged so that all of the required
thinking and decision-making can be appropriately applied
to the situation. Those efforts are typically coordinated
by the Privacy Office. All of the members of this team are
on call on a 24-hour basis, and supported by remote technology
(cell phones, pagers, personal assistant devices and home
PCs) to ensure that we can collectively remain engaged in
the investigation, information sharing and problem solving
from start to finish.
Naturally, our first priority in such a situation is to secure
the data/equipment and protect against unauthorized access
to customer accounts. We work closely with our own internal
corporate security team and information security staff who
moved quickly to secure the equipment and data and almost
concurrently moved into the investigative phase of the process
to identify and understand the nature and cause of the incident.
This involves a thorough, structured examination of the data,
our own processes as well as the activities of our suppliers
to determine where and how a breakdown occurred.
Of course we work closely with the Privacy Commissioner's Office and, given the circumstances, were in contact with them throughout the situation. In addition to keeping them up to date on our progress throughout our examination, we will share with them our findings and recommendations for remedial measures.
Nymity: How many calls reached your call centers and the Privacy
Office from concerned customers?
Palozzi: Very few. I think this is because we were proactive
in calling affected customers and openly participating in
news media interviews to accurately convey our message that
the situation was well in hand and that customer accounts
were secure.
Nymity: As you have contacted the 350 customers involved,
what was their reaction?
Palozzi: Customers were very appreciative that we were proactive
in calling them. Most were comfortable with our reassurances
that their accounts were safe and thanked us for taking the
time to explain what had happened.
A few, and this has been a very small number of the customers
contacted, have simply asked for something in writing, as
an added measure of reassurance. We're naturally happy to
provide this to them and have invited them to call us at any
time if they require further explanation or assurances.
Nymity: Why did the Privacy Commissioner launch an investigation
when they had not received any complaints?
Palozzi: Under PIPEDA, the Privacy Commissioner may, with reasonable grounds, initiate a complaint or audit of the information practices of an organization. In this case, it is not being treated as either a complaint or a full audit but a review of the incident has been requested.
I'm not aware that they've received any complaints; in fact, I don't believe they have. However, it seems appropriate, given the nature of the incident, that they would want to monitor our progress and remedies.
Nymity: What is the scope of the Commissioner's investigation?
Palozzi: You may want to talk with them directly. I can only tell you that they have remained interested in keeping abreast of the progress of our investigation as well as the steps we were taking to inform customers. We will also share our conclusions and remedies with them.
Nymity: If I understand the process, Bank of Montreal provides
the disks to Rider Computer Services, an assets management
firm, who contracted Ecosys for the removal of data from the
disks? Although this event was a simple human error, someone
is held accountable and legally liable. Who would that be?
Palozzi: Ultimately, BMO is accountable for the protection
and security of our customers' information and accounts. This
is a responsibility that we take extremely seriously. Of course,
we work closely with our contracted service providers to ensure
that they have processes and capabilities that meet our own
rigorous standards. This is achieved in the thorough review
that we do at the sourcing stage as well as through regular
audits of our suppliers' processes and their worksites to
ensure they are adhering to the standards and practices that
we set down in their service contracts.
At some point, in all systems, one cannot eliminate human
error, even with the best of processes and intentions. Nonetheless,
we are asking our suppliers to review, with their staff, their
own processes and safeguards; to provide their staff with
additional coaching and training; and to ensure everyone understands
and renews their commitment to protecting our customer information.
We're looking at everything to see what additional layers
of precaution we can incorporate into our existing processes.
Nymity: As many of our subscribers are outsourcers to the
Banks and other large organizations, please share with us
how this event has impacted Rider Computer Services and Ecosys.
Palozzi: These are very competent organizations with a solid
record for dependable and secure management of data. I know
that this incident is being reviewed at the very top levels
of their executive management and we have their commitment
that they are looking at their processes very thoroughly,
just as we are, to identify any areas that can be improved.
Nymity: Ann Cavoukian, Ontario's Privacy Commissioner, commented
in an interview with the Toronto Star the need for encryption.
What safeguards does Bank of Montreal utilize for customer
data?
Palozzi: We don't believe there is a 'one size fits all' solution. Encryption alone will not provide the depth of protection that a variety of integrated controls, such as physical security combined with logical security and procedural controls, can provide. Integrated controls that complement each other, collectively, provide much more effective protection against unauthorized access to customer information.
Thus we adapt a variety of controls to suit the risks and circumstances. For handling paper-based documents, shredding and controlled disposal work effectively. To protect against unauthorized access to electronic information, we employ process controls such as individual user IDs and passwords, log files, separation of duties and access control (i.e. on a need-to-know basis only) as well as the appropriate application of technologies such as firewalls, anti-virus programs, intrusion detection, etc. As an added measure, we will conduct routine internal audits to ensure the integrity of our processes and practices.
Encryption is a key component of the integrated security toolkit that we utilize across the organization. Analysis, assessments and decisions about how and where we use encryption are risk based. For example, all external communication lines that carry customer information are encrypted. These include ABMs, inter-banking lines, lines with Bank of Canada etc.
In addition, we have a specific policy in place that governs how we deal with outsourcing and third party service providers. And although human error is hard to prevent in every situation, periodic assessments of the security posture of our third party service providers help to assure that our standards are consistently being met.
Finally, we have in place an ongoing awareness program that educates staff, reinforces appropriate safeguards and practices and reminds each of us that we have a collective responsibility and commitment to protecting customer information.
We can and do protect what is under our control. Nonetheless,
customers understand that unless they take appropriate measures,
when they connect to the internet their own PC can be vulnerable.
Consequently, they too carry a responsibility and that is
to protect their end of the communication. Use of strong passwords
or personal identification numbers for Internet accounts,
maintaining up-to-date anti-virus software, installation of
personal firewalls to help prevent unauthorized access to
a home computer are just a few of the very basic measures
that PC users can undertake to safeguard their personal information.
Nymity: I understand that you reviewed your policies and
procedures as a result of this incident? What were the results?
What changes are required?
Palozzi: Our review is ongoing. We want to be thorough.
We're reviewing our own practices and those of our suppliers
and we are working together to determine if and how we can
improve the way we handle this process. We won't make any
final decisions until that review is complete.
In the meantime, we are asking our suppliers to review with
their staff their own processes and safeguards; to provide
their staff with additional coaching and training; and to
ensure everyone understands and renews their commitment to
protecting our customer information. We're looking at everything
to see what additional precautions we can incorporate into
our existing processes.
Nymity: What recommendations would you make to Privacy Officers?
Palozzi: My advice to Privacy Officers is to:
- learn from each situation
- have a process for assembling a response team and be prepared to act quickly to mitigate a compromise or the impact of any compromise of customer information
- use this as an opportunity to reassess your own situation, e.g. review outsourcing agreements, have your Information Security group review your processes, audit your processes with sample testing, ensure that privacy incidents are included in your business recovery planning, and plan contingencies for contacting customers if required.