A former dealing representative has asked the Superior Court of Quebec to authorize a class action against the Canadian Investment Regulatory Organization (CIRO), alleging the regulator failed to protect private information, and seeking damages. The application pertains to the regulator’s cybersecurity breach last summer that exposed the personal data of registrants past and present.

The plaintiff (whom we’ve agreed not to name) was a rep with DWM Securities Inc. in Lachine, Que. He hasn’t been registered since 2013, according to the Canadian Securities Administrators’ (CSA) national registration search.

The class action application states that the plaintiff wishes to institute a class action on behalf of “all persons in Canada whose personal or financial information was held” by CIRO “and was compromised in the data breach … or who received an email or letter from [CIRO] informing them of such data breach.”

In an emailed statement, CIRO said, “The allegations in the proposed class action, which seeks to include all Canadians receiving notification that their personal information was affected, are not proven.”

Further, “CIRO is confident in its position that the organization responded in a timely and appropriate manner,” the statement said. “CIRO collects personal information in the normal course of carrying out its mandate and conducting its registration, investigation, compliance assessment and market regulation work.”

Our attempts to contact the plaintiff were unsuccessful. The application was filed on Oct. 6 with the Superior Court of Quebec in Montreal by counsel David Assor of Lex Group Inc. in Westmount, Que.

The class action is “not authorized yet,” Assor said in an interview, and as such, there hasn’t been a formal notification to potential class members. However, “we feel strongly that [the application] will be authorized,” he said.

CIRO registration data — including registrants’ personal information such as addresses, phone numbers, and eye and hair colour — was breached on Aug. 11. All mutual fund and investment dealers and individuals were affected, including Quebec-only mutual fund dealers and individuals, the regulator said.

Member firms were notified of the breach on Aug. 18, CIRO said, and it began sending letters to registrants on Sept. 9 to inform them that their data were affected. Bank account numbers, if included as part of financial solvency disclosure, were among the breached data, as were investment and beneficiary information, if included as part of the ownership in securities and derivatives disclosure.

The class action application alleges CIRO was negligent on several counts, including failing to: implement an effective “data security industry standard” to protect the personal and financial information; post fraud alerts on class members’ credit files immediately after the data breach; encrypt and protect the personal and financial data; and promptly notify the plaintiff and class members of the breach.

The plaintiff received notice about 42 days after the breach, during the week of Sept. 22, according to the application.

The application also alleges that CIRO “committed a fault by retaining the very private, personal and financial information” of the plaintiff and class members for several years more than required — well over a decade in the plaintiff’s case.

Like the plaintiff, “some people may no longer be practising — or moved on to different careers — and are still affected” by the breach, Assor said.

CIRO says on its website that the collection of registrants’ data is mandated by the CSA under Form 33-109F4. The regulator also says it will “conduct a renewed review of its data retention policies.”

Citing Quebec legislation, the class action application alleges that CIRO is liable to pay at least $1,000 in punitive damages to each class member for the loss of data, as well as potential compensatory damages (e.g., out-of-pocket expenses for identity-theft protection, such as insurance) and moral damages (e.g., stress).

The application asks for a national class action to be granted, before the Superior Court in Montreal.

If the class action is authorized, no action on the part of the determined class members will be required, Assor said. “Notices will go out and then [class members] will be given an opportunity to opt out,” he said.

As things stand, registrants can sign up for notices about the class action application on the Lex Group website.

As previously reported by this publication, the Office of the Information and Privacy Commissioner of Ontario (IPC) said it contacted the Ontario Securities Commission (OSC) for more information about the CIRO cybersecurity breach after it occurred.

Self-regulatory organizations (SROs) aren’t required to report data breaches to the IPC, but provincial institutions, including Crown agencies such as the OSC, are required to report breaches that pose a risk of “significant harm.” In this case, the compromised data was collected under powers delegated to the SRO by the OSC.

The IPC has since told this publication — in an emailed statement in November — that it contacted the OSC on Sept. 18.

“We were advised that no records in the custody and control of the OSC were impacted by the breach,” the statement said.

The data breach occurred about four months after most of the provincial securities regulators delegated broader authority for registration to CIRO, and a few weeks after the Autorité des marchés financiers did so.

In an email, Debra Chan, senior public affairs specialist with the OSC, said, “[W]e do not wish to comment on any discussions with the IPC.” Chan referred to the CSA’s response to this publication in September that the National Registration Database wasn’t affected by the breach.

Previous IIROC-related class action attempt

CIRO’s predecessor, the Investment Industry Regulatory Organization of Canada (IIROC), had a security breach in 2013 after an employee lost a laptop containing investors’ personal information.

That case can’t be directly compared to the current case. Still, in the laptop case, the Superior Court of Quebec dismissed a proposed class action on behalf of affected investors, finding that there was no evidence that the compromised information was misused, and that the regulator “reacted diligently” and shouldn’t face punitive damages.

The court ruled that the harm inflicted on investors didn’t justify compensation, and that it represented normal inconveniences “that any person living in society encounters and should be required to accept.”

With files from James Langton. This story has been updated.