The loss of a laptop computer full of personal information on about 52,000 investors has prompted Canada’s market watchdogs to launch a review of the Investment Industry Regulatory Organization of Canada (IIROC), the self-regulatory agency for brokerage firms.
The Canadian Securities Administrators (CSA), an umbrella group for the country’s securities commissions, announced Friday that it was reviewing IIROC’s “policies, procedures and controls as a result of the recent accidental loss of a portable device containing personal information about clients of some IIROC member firms.”
The loss of the data, and IIROC’s delay in going public about the issue, has raised concerns in the brokerage business. Ontario’s privacy commissioner was quoted as saying she was “appalled” by the loss of the data.
The CSA said it is reviewing the incident itself, as well as looking at all of IIROC’s procedures “relating to information security, the encryption of data, and the collection and storage of personal information for regulatory purposes.”
IIROC said it was co-operating with the review.
“The protection of confidential information is critical to IIROC,” spokeswoman Lucy Becker said in an e-mail. “We welcome and are co-operating fully with the CSA’s review as part of their oversight.”
IIROC has set up a call centre and a toll-free number to deal with inquiries about the breach.
Last week, an industry group representing investment dealers sent a letter to IIROC demanding to know why brokers were not notified sooner about the loss of data on clients from 32 firms, which occurred some time in February. Firms were notified in early April, and IIROC first publicly disclosed the breach April 11.
IIROC has explained the delay by saying that it hired an expert to recreate the information, which took until March 22. At that point, the regulator began preparing letters for each of the affected individuals to contact them directly. Firms were then contacted individually, a spokeswoman said last week.