The ripple effect of IIROC’s data loss

The damage to IIROC’s reputation and possible fallout for the 32 firms with affected clients followed close behind. But it appears that the effects may extend beyond those immediate impacts.

For one, there’s the cost of cleaning up after this mistake – an issue that was promptly flagged by the Investment Industry Association of Canada (IIAC), which is acutely sensitive to adding to its regulatory costs at a time when many firms are struggling to make money. The IIAC was quick to voice the concern that the remediation costs for this incident could lead to higher fees for member firms.

IIROC promises that this will not be the case. The regulator declines to provide an estimate of how much the cleanup is expected to cost, but says that these costs won’t be covered by imposing higher fees on member firms.

IIROC, in a letter to its members published in early May, says it is “mindful of the financial impact” of the cleanup effort, which has involved: hiring an outside forensics expert to recreate the lost data; contacting all of the affected clients and firms; setting up a call centre to handle client questions; putting automatic credit alert and fraud warnings on the accounts of affected clients through two credit bureaus, Equifax Inc. and TransUnion LLC; and offering an optional year of credit monitoring to the affected clients through Equifax.

In addition, IIROC has hired an outside expert to review the regulator’s information-technology security policies, as well as its data collection and protection practices, in order to ensure that this sort of mistake will never be repeated.

These are just the direct costs – to say nothing of the time and attention that the incident has consumed, and will continue to consume – as IIROC reviews such matters as its internal controls and its practices for obtaining and retaining confidential client information from dealers.

Furthermore, IIROC is facing a possible class-action lawsuit in Quebec, where a law firm has filed a claim on behalf of the 52,000 clients who were affected by the privacy breach. The lawsuit is seeking $1,000 in compensation for each client for the inconvenience and worry the incident has caused. The allegations have not been proven and the lawsuit has not been certified as a class action. But, at the very least, there will be costs associated with dealing with this claim.

Although IIROC won’t reveal the estimated bill for all of this just yet, Lucy Becker, IIROC’s vice president of public affairs, says that the amount will be disclosed in the regulator’s financial reporting.

IIROC typically publishes its annual report, which includes its financials and management discussion and analysis (MD&A) as of the regulator’s March 31 fiscal yearend, in August.

In the meantime, according to a letter from IIROC to its members: “We are taking a number of measures to ensure that members do not bear the costs … through the imposition of fee increases.” Instead, IIROC will be looking to fund the expenses from its existing resources.

In particular, the letter notes that IIROC has implemented “significant reductions” to its 2014 budget and has identified “additional means” to fund these costs.

Again, IIROC is not prepared to flesh out these plans publicly yet; nor has the IIAC been apprised of them, according to Ian Russell, the IIAC’s president and CEO. These measures also will be spelled out in IIROC’s MD&A report.

For now, given IIROC’s commitment not to raise fees for this incident, it’s clear that the financial impact will, to some extent, be felt in the rest of IIROC’s operations.

Although IIROC obviously is going to feel most of the fallout from this incident, the effects also extend to other regulators that now have been alerted to the significant risk of data loss within their own operations.

“This incident has served as a reminder of the critical need to secure personal data for regulators generally,” notes Jill Homenuk, director of communications and public affairs at the Ontario Securities Commission (OSC). “We are using this opportunity to ensure that we review the implementation of all of our existing information-protection practices, policies and procedures, and examine whether anything else is needed to ensure that private data is protected to the extent possible.

“We have clearly re-articulated our expectations to staff,” Homenuk adds, “regarding our responsibilities.”

At the same time, Homenuk says, the OSC, which is leading the Canadian Securities Administrators‘ (CSA) investigation into the incident involving IIROC, also is reviewing the CSA’s oversight program “to increase the efficiency and enhance our oversight.”

Mark Gordon, president and CEO of the Mutual Fund Dealers Association of Canada (MFDA), also reports that his organization is “assessing our data security risks generally to ensure we have implemented all reasonable measures to protect data.”

For example, Gordon says, the MFDA is in the process of implementing a new file-transfer system to provide its members with “an additional secure and controlled method to transfer data” between the regulator and themselves.

Gordon also points to staff training as “a key component of our data security procedures.”IE

© 2013 Investment Executive. All rights reserved.