The Investment Industry Regulatory Organization of Canada (IIROC) may now be facing a $52 million class action suit on behalf of 52,000 brokerage industry clients who are affected by a privacy breach that was reported by the self-regulatory organization last month.

A Montreal-based law firm, De Grandpré Chait LLP, has filed suit against IIROC in Québec Superior Court on behalf of investors whose personal financial data was reportedly contained on an unencrypted mobile device lost by IIROC several weeks ago. The proposed class action, which names accountant Paul Sofio as the representative plaintiff, is seeking $1,000 per client to compensate them for the impact of the privacy breach, including stress and inconvenience.

The allegations have not been proven, and the suit has not been certified as a class action. IIROC vice president, public affairs, Lucy Becker, declined to comment on the action, noting, “It is inappropriate to comment as the matter is before the courts.”

Since the breach was discovered, IIROC has been notifying affected clients, and their firms. It also set up a dedicated call center to help answer client questions; it has arranged for a six-year alert to be placed on client credit files through credit reporting services Equifax Canada and TransUnion; and it is providing clients with a year of free credit monitoring through Equifax Canada.

In the meantime, IIROC is also facing an investigation into the incident by the Canadian Securities Administrators (CSA), which said last week that it is examining both the circumstances of the lost device and IIROC’s internal controls.

CSA reviewing IIROC data loss

IIROC has also said that it is undertaking its own review to strengthen its IT security policies and internal controls.