The revelation that a national securities regulator lost a mobile device containing the personal financial details of thousands of brokerage-sector clients is bad enough. The uncertainty that has followed in the wake of this news – and the regulator’s apparent lack of accountability to privacy watchdogs – makes this situation doubly worrying.

On April 11, the Investment Industry Regulatory Organization of Canada (IIROC) announced that it had lost a mobile device containing the personal financial data of about 52,000 clients from 32 brokerage firms. IIROC has been reluctant to confirm many other details of the incident, citing fear that doing so could put the clients at greater risk of their data being misused.

Indeed, IIROC since has admitted that the device – a laptop, according to sector sources – was not encrypted as it should have been under IIROC policy, heightening concerns that the data could be accessed. Moreover, although IIROC has refused to confirm the precise timeline, it’s clear that the loss happened several weeks before it was publicly disclosed.

The circumstances of these initial revelations caused Ian Russell, president and CEO of the Investment Industry Association of Canada (IIAC), to express concern that IIAC was not alerted to the situation sooner. Russell is “disappointed, to say the least” that the IIAC, the trade association that represents the 32 firms that are affected by the loss, learned of the incident only when IIROC announced it publicly.

IIROC says that the long gap between discovering the loss and the public disclosure was due to the fact that IIROC first had to establish exactly what was missing so that it could start informing affected clients and their firms.

Lucy Becker, IIROC’s vice president, public affairs, says that after IIROC learned of the loss, it immediately set out to recreate the data; by March 22, a third-party forensic expert had managed to do just that. Says Becker: “It is important to understand this is a highly complex and intense process to recreate information on a lost device.”

Russell suggests that he has heard the same thing from dealers, who report that it’s not just a matter of restoring a backup. Russell adds that not only do the data include a large number of clients, but there also was a fair amount of historical information. Moreover, he notes, there are complications, such as clients who have switched firms.

Once the data were recreated, Becker says, IIROC began communicating with the affected clients and contacted each affected dealer firm directly. That communication process is ongoing. IIROC has launched a call centre to assist clients and arranged to put an automatic credit alert flag on their files through Equifax Inc.’s Canadian division.

So far, IIROC says, there is no evidence that anyone has attempted to misuse any of the missing data. However, the fact that client data haven’t been compromised yet shouldn’t provide much comfort to clients, says Ann Cavoukian, Ontario’s information and privacy commissioner.

“That means nothing,” she says, noting that those who would try to use the data for nefarious purposes will sit on stolen data for a long time before they try to do anything with it. “You don’t stop worrying just because it hasn’t been immediately activated.”

Moreover, what’s less clear is where clients can go for answers regarding why this happened in the first place and what measures are being taken to prevent such incidents in future. It appears that the activities of self-regulatory organizations (SROs) such as IIROC are not captured under existing privacy legislation.

In Ontario, for instance, Cavoukian’s office has jurisdiction over only government agencies (except in the health-care sector, in which jurisdiction extends to the private sector, too).

The private sector generally is covered under federal legislation, which is enforced by the Office of the Privacy Commissioner of Canada (OPCC). But the OPCC’s jurisdiction is limited to groups that collect personal information in the course of “commercial activities.” And, says Scott Hutchinson, manager, external communications, with the OPCC: “Generally, the work of self-regulatory organizations, such as IIROC, is not commercial in nature.”

However, he notes, the OPCC does not provide definitive advance rulings on whether privacy legislation applies in a particular case; that would have to be assessed within the context of a specific complaint.

Nevertheless, the work of an SRO apparently exists outside the reach of both federal and provincial legislation designed to protect personal privacy. The only real source of accountability, then, appears to be the provincial regulators, which provide the SROs with their authority.

In the case of the recent loss of data, the Canadian Securities Administrators (CSA) have begun an investigation into the lost laptop incident, with the Ontario Securities Commission (OSC) taking the lead in that inquiry. The OSC has declined to provide any details of its probe.

However, the CSA’s routine oversight reviews of the SROs generally are geared toward examining their compliance with the recognition orders that are the source of the SROs’ authority – which is where any investigation is likely to focus.

IIROC’s recognition order, which was issued in 2008, doesn’t specifically address its obligation to protect the privacy of any client data that it collects. However, the recognition order does require that the SRO maintain internal controls to “ensure [the] integrity and security of information” and to promptly report any material failures in those controls to the provincial regulators.

The CSA’s most recent oversight review of IIROC (published in 2011) makes no mention of any concerns about lack of internal controls regarding data security. But a CSA report released on April 17 clearly indicates that the CSA did flag exactly this issue during its latest oversight review of the Mutual Fund Dealers Association of Canada (MFDA).

That report notes that the CSA found that MFDA staff were using mobile devices that were not password-protected or encrypted. In response to that review, the report says that MFDA staff immediately began using encrypted USB keys and that all of its other mobile devices now are either password-protected or encrypted.

Cavoukian warns that it’s not enough simply to have the right data-security policies in place. These policies must be reflected in practice, she says, and be backed by training to ensure they are followed.

In the IIROC case, that regulator has a policy requiring that mobile devices be encrypted. Yet, the device it lost wasn’t encrypted.

© 2013 Investment Executive. All rights reserved.