Canada's brokerage regulator waited at least a month to disclose that it lost the private financial data of 52,000 investors on a single laptop that went missing.
Now, the brokerage industry is demanding a full explanation for the delay, which left sensitive client information vulnerable to a security breach.
The Investment Industry Association of Canada (IIAC), the industry group representing investment dealers, sent a letter to the Investment Industry Regulatory Organization of Canada (IIROC), demanding to know why the brokerage community was not notified sooner about the loss by IIROC of detailed information on clients of 32 firms.
The data loss happened some time before the end of February. Some affected firms were not told until early April, industry sources said. Letters informing individual clients went out last week.
IIROC publicly disclosed the loss April 11, when it issued a news release that did not give details on the size and scope of the breach. The regulator later released figures on the number of clients and firms affected.
"There's a lot of questions we have and not really very many answers," said Ian Russell, the head of the industry group. "The extent of the delay is something we are unsure of. Obviously it is something that is of critical importance because clients need to be informed at the earliest possible time to protect their interests. So is the explanation adequate for the delay?"
IIROC spokeswoman Lucy Becker said Thursday that "we moved as quickly as possible under the circumstances" and the regulator will be discussing the industry association's concerns with IIAC.
Ms. Becker confirmed that IIROC learned of the device's disappearance in late February, but she declined to give an exact date out of concern that doing so might put client data at further risk.
IIROC said it hired a third-party expert to recreate the information, which took until March 22. At that point, the regulator began preparing letters for each of the affected individuals to contact them directly, Ms. Becker said. Firms were contacted individually.
"Our desire was to inform those affected as quickly as possible and in order to do so in a responsible manner, we needed a thorough understanding of the information on the device," she said in an e-mailed response to questions. The letters explained that IIROC was setting up a dedicated call centre in each official language, and that a credit alert would be placed on the credit files of the individuals.
The loss led Ontario's privacy commissioner to tell the industry publication Investment Executive that she was "appalled." The office of the Ontario privacy commissioner, in a guide to best practices in such a situation, says that one of the first priorities is to identify whose privacy was breached and "barring exceptional circumstances, notify those individuals accordingly" with details on the lost information.
Mr. Russell said the first the industry association heard of the situation was the public disclosure on April 11. He said IIAC was also concerned that it was not consulted early on because "we could have been very helpful" with such matters as dealing with concerned members.
Mr. Russell said he is now seeking assurances that his members will not be asked to pay for something that was not their fault. The brokerage community funds IIROC through fees, and he argues investment dealers should not have to cover the expense of a "fairly costly" process to deal with IIROC's loss of the data. Instead, he urged that monies set aside from fines levied by the regulator be used to cover any costs for such things as data reconstruction and call centres.
He pointed out that if a brokerage firm failed to disclose a loss of client data immediately there would be consequences.
"There would be very severe repercussions on a member firm if a similar episode would have happened at the firm," he said, adding that "regulators have to held to the same high standard as the industry."