An RCMP investigation into a string of arsons and shootings in British Columbia’s Lower Mainland turned up a connection with the province’s auto insurer ICBC. The employee, a woman who had worked with ICBC for 15 years, allegedly accessed personal information of 65 individuals, including the 13 identified victims of the attacks. That employee was fired and, along with other individuals, is under continued police investigation. While the extent of her involvement into the crime spree is still unknown, ICBC says it’s doing what it can to prevent other employees from acting in unscrupulous manners.
“We are appalled that one of our employees inappropriately accessed the information of so many customers without any apparent business reason to do so,” said Jon Schubert in a statement. “Our main concern is for the customers who have suffered as a result of this privacy breach.”
Schubert says ICBC this incident will prompt the insurer to look into its systems for the future.
“We have conducted a thorough internal and an independent external review of our systems as a result of the privacy breach and have taken steps to better guard against this type of incident from happening again,” he said.
ICBC’s existing security system automatically tracks access to policyholders’ information, said Mark Jan Vrem, ICBC’s Manager of Media Relations. Every time the customer database is accessed, ICBC can determine what was looked at and when it was opened. In the future, ICBC says a more proactive system will be implemented.
“Our legacy systems do not proactively flag inappropriate accesses however we have refined and implemented a tool that proactively monitors for patterns or specific scenarios of inappropriate access,” Jan Vrem told ILSTV in an email. “In early 2013 we plan to introduce new software which will proactively flag inappropriate or random information accesses, and further strengthen this aspect of our systems.”
The Information Systems (IS) in place are part of the safeguards ICBC has in place to protect the personal information of its policyholders, but the firm does not rely on technology alone.
“We screen our employees very carefully during the hiring process by requiring (among other things) criminal record checks. All new employees are required to review and sign a code of ethics and Information Systems securities policies,” Jan Vrem said. “ In addition to a mandatory annual review of the code and IS policies our employees also know about the audit trail left by accessing the system and this acts as a strong deterrent to inappropriate access.”
It was the ability to track employees’ usage of records that brought the breach to the attention of the RCMP and subsequently to ICBC.
“During the course of an RCMP investigation into several related criminal events, ICBC was asked to review our access records to determine whether the personal information of several individuals had been recently accessed, and by whom,” Jan Vrem explained. “The RCMP provided us with a list of people. Because our security system automatically tracks access to policy holders’ information, we were able to determine that an employee in one of our Lower Mainland offices had accessed the information of all the individuals.”
Jan Vrem said ICBC customers who do have privacy-related concerns can follow the steps laid out on its website.