The personal financial data of thousands of brokerage industry clients contained on a mobile device lost by an employee of the Investment Industry Regulatory Organization of Canada (IIROC) is more vulnerable than first thought, as it turns out the device was not encrypted.

IIROC confirms that while the portable device in question was password protected, it was not encrypted, which is contrary to the self-regulatory organization’s policies. “We have strict policies in place that require all information we collect to be protected and we take this responsibility very seriously,” notes Lucy Becker, vice president public affairs at IIROC.

However, in the wake of this incident, Becker says that the SRO is undertaking “a comprehensive review to further strengthen policies and internal controls relating to our IT security environment as well as practices relating to the collection, sharing and safeguarding of confidential information.”

Additionally, she reports that it has hired an outside expert to independently review its internal controls and information management practices to ensure they conform with best practices.

The latest details to emerge surrounding the incident come as the Investment Industry Association of Canada (IIAC) expressed concerns about the fact that it was not alerted to the lost device before IIROC announced it publicly on April 11. IIAC president and CEO, Ian Russell, says that he was “disappointed to say the least” that the industry trade association, which represents the 32 firms that are affected by the loss, was not “brought into the loop early on”.

Brokerage client data loss entirely preventable, Ontario’s privacy commissioner says

The device was reportedly lost about five or six weeks ago, although IIROC has declined to confirm this fact. Becker does say that after it learned of the loss, it immediately set out to recreate the data, and, as of March 22, a third-party forensic expert had determined that extent of the problem. “It is important to understand this is a highly complex and intense process to recreate information on a lost device,” she notes.

At that point, Becker says, IIROC immediately began its process to communicate with the affected clients; and, it contacted each of the affected dealers directly. That communication process is ongoing, and Russell notes that he expects to meet with IIROC next week to get more detail, and to offer its help and support.

The IIAC’s other main concern with this episode is the potential cost to clean up the problem. “This is a problem of IIROC’s making, that’s obviously got a pretty big price tag on it,” says Russell. “And my view is that my members shouldn’t pay for that, especially in these conditions, when roughly half of the boutiques are losing money — they shouldn’t be forced to carry this burden, there should be another way.”

IIROC hasn’t said how the cost of the clean up will be funded, although Becker says that IIROC management and its board, “are very aware of the issue and the sensitivity in the industry with regard to any fee increases in this environment.”

“We will directly communicate with all IIROC members on these and other issues and questions they have as soon as we are able to do so,” she adds.