Securing Information In An Electronic Age
By: Joe Hornyak
With more modern technology enabling more people to work offsite, the danger of personal information going astray is increasing. Joe Hornyak, executive editor of Benefits and Pensions Monitor, looks at what Canadian pension and benefit organizations are doing to secure the personal information they manage.
When the first reports surfaced that a laptop with the personal information of about 196,000 current and former Hewlett-Packard employees had been stolen from a Fidelity Investments employee, it sent ripples through the industry.
It marked the first reported incident of a security breach in the pension industry. Fidelity, however, is not alone. Since the beginning of 2005, universities, banks, and even government agencies have had to admit that somehow personal information from their databases had gone astray. Some examples include:
- A laptop stolen in March, 2005, from University of California at Berkeley compromised personal information on more than 98,000 alumni, graduate students, and past applicants
- Last December, backup tapes with data on 206,000 customers disappeared from the offices of the timeshare unit of Marriott International Inc.
- In April, Georgia's Department of Motor Vehicles had an employee steal personal data on 465,000 people
Breaches of security for personal information are not new.
Ariane Siegel, a partner with the communications and technology law practice at Gowlings in Toronto, recently had a first-hand experience with the type of breaches we once had.
Just a few months ago in Toronto, they were making a 9/11 movie in downtown Toronto with a building made up to look like the World Trade Towers. “I just happened to be there at the time and they had a fake fire scene with smoke and papers blowing all over the place,” Siegel says. It turned out that the papers blowing all over the place were records from a radiology clinic. The clinic had sent its records to destruction but they had actually gone to recycling and somehow ended up blowing around a movie set.
Today, this kind of breach is far more serious.
When data thieves breached the systems of credit-card processor CardSystems Solutions last June, they made off with data on as many as 40 million accounts potentially affecting one out of every seven credit cards issued in the U.S.
With computers, memory sticks, and other storage media, thieves can get away with information on millions of individuals and use it for any number of illegal activities, including opening fraudulent credit card accounts and other forms of identity theft.
Pension funds and company benefit plans can provide an inviting target for these thieves.
However, portability of information raises the potential for it going astray.
The world has changed, says Siegel. “People don’t just access their work from their office anymore. More and more, we do it from remote locations – from our cars, or from our homes – and that really puts into place the need for more vigilance.”
Yet, clients trust that those who have their personal information are keeping it secure.
“In the day to day world of financial services, clients entrust us with the use of their personal information,” says Joan Johannson, managing director and senior vice-president at Integra Group Retirement Services.
In the case of group programs, she says, the clients themselves are entrusted with selecting third parties, such as recordkeepers, who will treat this information with appropriate care as a critical dimension of their good governance.
Siegel says when you're looking at protecting information, there are basically three things you want to look at:
- Physical Safeguards
- Administrative Safeguards
- Technical Safeguards
Administrative safeguards are the place to begin because they sit at the highest level, the governance level. "The first thing you want to do is make sure that you have actual policies and procedures in place so everybody knows what's supposed to happen with personal or confidential information," says Siegel.
This would include the provision of non-disclosure agreements for both employees and third parties you may be using to process the data. “For example, if you’re a pension plan sponsor, any party which potentially may have access to confidential, including personal, information needs to complete a non-disclosure agreement.” These non-disclosure agreements should specify that personal information is to be protected, not disclosed or used for any purposes other than providing the services to you.
As well, you should specify, if you want to impose it upon them, that they must use technical safeguards and physical safeguards that are at least as strong as the industry dictates "or as you specify. So you're maintaining control all along the process with respect to that personal information."
Physical safeguards include having data stored in locked file cabinets, having restricted access to certain areas, and having a clean desk policy.
However, something that needs more attention by most companies, says Siegel, is “are your home computers safe, are we using adequate virus protection and firewalls on home computers to make sure you can’t be accessed by anyone else and there’s going to be no inadvertent disclosure there.”
Finally, there are technical safeguards – servers and the computer environment such as screen savers, intrusion detection mechanisms, firewalls, and encryption standards.
This may include basic things like how display screens are positioned. Siegel says most financial institutions now have their screens turned in a certain direction so you can’t really see what the employee is doing and what’s on the screen.
The use of passwords has become very common in all settings. However, these need to be frequently changed. Securing laptop computers and devices and having protocols in place for how these should be dealt with are other good ideas.
Finally, when information is no longer required, companies should destroy hard drives, rather than just trying to wipe them clean because often that can’t be done.
Siegel also recommends imposing similar standards on your service providers.
So how is the pension and benefits industry in Canada dealing with securing electronic information?
IT Security Policies
At OMERS, all the standard IT security policies, operating procedures, and guidelines are used, says Janet Wilson, vice-president, business and information technology services, to protect the information on the 350,000 pension plan members and retirees it manages.
"In general, we have a standard package, from a high level of overall policies all the way down to user quick tip guides for maintaining the integrity and security of information." For example, it has a quick tips guide for laptop users on securing their laptops. The guide advises them to make sure "you don't leave it places, that you secure it to the desktop, you lock it in the trunk of your car, and you don't keep data on it that you shouldn't keep on it."
OMERS does not allow access to its pension system from laptops without a secure connection, and even then access from laptops is severely restricted. In fact, the lone exception is for technical people who may have to access data from their home. However, the data is not kept on their home PC or laptop. It is retained within the data centre itself, and the environment can be accessed remotely for changes, support, and similar tasks.
Another unique aspect of the OMERS plan is that it does not have website access for plan members. It does for its 779 employer members. Most of its work happens between the employer and OMERS and the plan members deal with the employer.
Employer and OMERS communication is done through a business-to-business application that sits on top of its main database of information. This is fully secured and has 128-byte encryption.
Using a system called ‘e-access,’ designated individuals at the employers are given user IDs to access the information they are privy to. There are specific roles within the system so different people can only do certain things. “For example, there might be a person who is able to do some financial processing or someone who can only do enrolments. So we do segregate who has access to which kind of data. We try to secure the member’s information, even at the employer’s side where applicable,” says Wilson. In total there are 2,241 user IDs on the e-access system. The reason there are more IDs than employers is that the city of Toronto, for example, has 22,000 members, so it doesn’t just have one person who needs access to the system. These IDs are changed if the user no longer has access.
They are also monitored for activity.
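The employer-side access model described above (role-limited user IDs scoped to one employer, IDs disabled when a user no longer needs access, and activity that can be monitored) can be sketched as a small authorization service. This is an added illustration, not OMERS' e-access code; the role names, permission sets and sample user IDs are assumptions, and the City of Toronto example is the one the article gives.

```python
from dataclasses import dataclass, field

# Hypothetical roles; the article names only financial processing and enrolment.
ROLE_PERMISSIONS = {
    "enrolment_clerk": {"enrol_member", "view_member"},
    "financial_processor": {"post_contribution", "view_member"},
}

@dataclass
class EmployerUser:
    user_id: str
    employer: str  # the employer this ID is scoped to
    role: str
    active: bool = True

@dataclass
class AccessSystem:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # one entry per decision

    def issue(self, user_id: str, employer: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.users[user_id] = EmployerUser(user_id, employer, role)

    def revoke(self, user_id: str) -> None:
        # Disable rather than delete, so past audit entries stay attributable.
        self.users[user_id].active = False

    def authorize(self, user_id: str, action: str, member_employer: str) -> bool:
        user = self.users.get(user_id)
        allowed = (
            user is not None
            and user.active
            and action in ROLE_PERMISSIONS[user.role]
            and user.employer == member_employer  # no cross-employer access
        )
        self.audit_log.append({"user_id": user_id, "action": action,
                               "employer": member_employer, "allowed": allowed})
        return allowed

    def denied_counts(self) -> dict:
        # Monitoring view: denied attempts per ID, a starting point for review.
        counts: dict = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["user_id"]] = counts.get(entry["user_id"], 0) + 1
        return counts
```

Every decision, allowed or denied, is logged with the ID that made it, which is what lets the IDs be "monitored for activity" rather than only gated.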
Seven Million People
Sun Life has a different set of challenges.
The 2004 Sun Life Fact Book says Sun Life Financial has a customer base of more than seven million people, including 1.2 million group retirement plan members and 10,000 employers who provide group benefits to their employees. What makes Sun Life different from OMERS, however, is that it encourages members to access their information online. “Here at Sun Life Financial we are very committed to the security of our customer information,” says Carol Osler, vice-president, information security and chief information security officer.
Its security program takes a layered approach. “We have a set of policies and standards, which are consistent with industry best practices. It’s these policies and standards that help us to guide the security setups that we put in place.”
For example, one policy is that security risk assessments of all third-party providers are conducted. This risk assessment looks at the third-party provider’s environment, its authentication methods, its use of encryption, and other types of security controls and “no connections are made with a third-party until they meet our stringent security requirements.”
In terms of laptops, all are protected with hard drive encryption software. “In the event that a laptop goes missing, effectively, the hard drive is of no use to anyone who may receive that machine because it is protected with encryption. They’d basically be forced to remove the hard drive.”
People working offsite is another issue. Osler says they address this by having all their remote usage done through an encrypted VPN (Virtual Private Network) line. Anyone working from home or working remotely, “even an executive who wants to connect from an airport back to the Sun Life network,” can only access the network by using a secure ID token that allows them to authenticate to the network and then creates an encrypted tunnel they can transmit through.
Regardless of the measures taken, Johannson says these must be combined with "common sense and constant awareness of the value of the information entrusted to our care. Electronic platforms constantly evolve to allow us greater efficiency in the workplace and expansion of the workplace through the use of Blackberries and laptops. Common sense must be relied upon while policies and practices catch up with each phase in this evolution.
“It is this awareness and diligence which is truly our best defense against such events in our fast evolving electronic world.”
Joe Hornyak is executive editor of Benefits and Pensions Monitor.