The Canadian Securities Administrators (CSA) said Friday that they are investigating the loss of the personal financial data of thousands of brokerage clients by the Investment Industry Regulatory Organization of Canada (IIROC).
Back on April 11, IIROC announced that it lost a mobile device containing the personal financial data of 52,000 brokerage clients, from 32 different brokerage firms. It later admitted that the device was not encrypted, in violation of IIROC policies.
The usual government privacy watchdogs seemingly do not have jurisdiction over IIROC — or self-regulatory organizations (SROs) generally, because they are neither government agencies, nor are they involved in “commercial activities” — so oversight accountability for the incident falls to the CSA, which oversees the securities industry SROs and ensures they comply with the terms of the recognition orders that provide their regulatory authority.
In the May issue, Investment Executive reported that the CSA would be investigating the incident, and that the Ontario Securities Commission (OSC) is taking the lead in that investigation. Today, the CSA issued a release confirming that it is “reviewing the facts surrounding this incident, including a review of IIROC’s current policies, procedures and controls relating to information security, the encryption of data, and the collection and storage of personal information for regulatory purposes.”
A spokesperson for the OSC declined to give further details of its planned investigation, or to confirm whether it will be publicly releasing its findings.
In a statement, IIROC said, “The protection of confidential information is critical to IIROC. We welcome and are cooperating fully with the CSA’s review as part of their oversight.”
Ontario’s privacy commissioner, Dr. Ann Cavoukian, has sharply criticized the data breach, saying that personal financial data is some of the most sensitive information (second only to health information), and that it therefore requires the strictest level of security. She’s also said that the loss of mobile devices is to be expected, but that personal financial data should never be at risk because it should only be transferred on such a device with strong encryption.
In its statement, the CSA does say that “IIROC must, subject to applicable legislation, collect, use and disclose personal information only to the extent reasonably necessary to carry out its regulatory activities and mandate. IIROC is also required to adopt policies and procedures designed to ensure that confidential information about the operations of its dealer members is maintained in confidence and is not shared inappropriately with other persons.”
In the wake of this incident, IIROC has said that it is undertaking “a comprehensive review to further strengthen policies and internal controls relating to our IT security environment as well as practices relating to the collection, sharing and safeguarding of confidential information.”
It also said that it has hired an outside expert to independently review its internal controls and information management practices to ensure they conform with best practices.