
Canada’s brokerage regulator waited at least a month to disclose that it lost the private financial data of 52,000 investors on a single laptop that went missing. Now, the brokerage industry is demanding a full explanation for the delay, which left sensitive client information vulnerable to a security breach.

The Investment Industry Association of Canada (IIAC), the industry group representing investment dealers, sent a letter to the Investment Industry Regulatory Organization of Canada (IIROC), demanding to know why the brokerage community was not notified sooner about the loss by IIROC of detailed information on clients of 32 firms.

The data loss happened some time before the end of February. Some affected firms were not told until early April, industry sources said. Letters informing individual clients went out last week.

IIROC publicly disclosed the loss April 11, when it issued a news release that did not give details on the size and scope of the breach. The regulator later released figures on the number of clients and firms affected.

"There's a lot of questions we have and not really very many answers," said Ian Russell, the head of the industry group. "The extent of the delay is something we are unsure of. Obviously it is something that is of critical importance because clients need to be informed at the earliest possible time to protect their interests. So is the explanation adequate for the delay?"

IIROC spokeswoman Lucy Becker said Thursday that "we moved as quickly as possible under the circumstances" and the regulator will be discussing the industry association's concerns with IIAC.

Ms. Becker confirmed that IIROC learned of the device's disappearance in late February, but she declined to give an exact date out of concern that doing so might put client data at further risk.

IIROC said it hired a third-party expert to recreate the information, which took until March 22. At that point, the regulator began preparing letters for each of the affected individuals to contact them directly, Ms. Becker said. Firms were contacted individually.

"Our desire was to inform those affected as quickly as possible and in order to do so in a responsible manner, we needed a thorough understanding of the information on the device," she said in an e-mailed response to questions. The letters explained that IIROC was setting up a dedicated call centre in each official language, and that a credit alert would be placed on the credit files of the individuals.

The loss led Ontario's privacy commissioner to tell the industry publication Investment Executive that she was "appalled." The office of the Ontario privacy commissioner, in a guide to best practices in such a situation, says that one of the first priorities is to identify whose privacy was breached and "barring exceptional circumstances, notify those individuals accordingly" with details on the lost information.

Mr. Russell said the first the industry association heard of the situation was the public disclosure on April 11. He said IIAC was also concerned that it was not consulted early on because "we could have been very helpful" with such matters as dealing with concerned members.

Mr. Russell said he is now seeking assurances that his members will not be asked to pay for something that was not their fault. The brokerage community funds IIROC through fees, and he argues investment dealers should not have to cover the expense of a "fairly costly" process to deal with IIROC's loss of the data. Instead, he urged that monies set aside from fines levied by the regulator be used to cover any costs for such things as data reconstruction and call centres.

He pointed out that if a brokerage firm failed to disclose a loss of client data immediately there would be consequences.

"There would be very severe repercussions on a member firm if a similar episode would have happened at the firm," he said, adding that "regulators have to be held to the same high standard as the industry."
