National Post (National Edition)

CLEANING UP

- THERESA TEDESCO, Chief Business Correspondent

The fallout of IIROC’s inexcusable breach.

Almost three months after a laptop computer containing sensitive personal financial data about more than 50,000 Canadian brokerage clients was lost in Montreal, a regulatory audit is now in full force.

At least two supervisory bodies are probing how staff at the Investment Industry Regulatory Organization of Canada (IIROC) lost a portable device containing the sensitive data of 52,000 clients from 32 investment firms. IIROC, the self-regulatory body that oversees investment dealers operating in Canada, announced the breach on April 11. Worse, IIROC later admitted not only that it had lost the client information it routinely collects from investment firms as part of its regular compliance reviews, but, more importantly, that the information was not encrypted.

This stunning violation puts IIROC offside its own rules on how to treat sensitive data and has raised the ire of the brokerage industry, the Investment Industry Association of Canada and the Ontario privacy commissioner.

Quite frankly, it’s an inexplicable and inexcusable breach. There are so many troubling questions and issues of competency and integrity at stake, not the least of which is sorting out IIROC’s obligations to the brokerage firms it oversees and their clients.

IIROC president and CEO Susan Wolburgh Jenah said she “deeply regrets” this “unfortunate but isolated incident.” A “comprehensive review” of its internal policies and procedures is under way, led by an unnamed third-party expert, to figure out what was lost, how it happened and what the not-for-profit organization needs to do to fix it.

In the early stages, this smacks of a cover-up. The “isolated” breach happened in February, but IIROC only fessed up publicly about it in mid-April. Presumably, there has been a mad scramble inside the self-regulatory body to figure out what was lost, and to notify the affected firms and clients.

Furthermore, the timing is unfortunate for IIROC. Since it was newly constituted in 2008, the organization has broken through the long-standing mold of self-interested, self-regulatory bodies, raising the bar for compliance and toughening its oversight of members. Now, its own integrity is on the line.

Let’s consider the facts: At least one of its employees chose not to encrypt sensitive data, then left the vulnerable information exposed to potential harm. How does Wolburgh Jenah know it’s a single mistake? To what extent have IIROC employees been carrying around laptops that weren’t — and maybe still aren’t — encrypted? Can IIROC declare with certainty this breach was random? If so, how does IIROC know that much? Having a code in place looks good on paper, but whose job was it to ensure private client information is safe? The bottom line: If IIROC’s initial comments are taken at face value, someone at the watchdog took a fairly lazy approach to dealing with client information and, in doing so, has compromised the entire organization.

And not just with the public. The securities industry is populated by tough players who have largely griped about the new set of teeth IIROC has grown in recent years under Wolburgh Jenah’s tutelage. The new industry sheriff has cost firms a lot of money in penalties, even though an SRO has a fine line to walk between keeping the industry members who fund it happy and ensuring they’re onside with the rules. So there will likely be more than a few folks on the Street happy to see Wolburgh Jenah take the fall. Already, some member firms are privately expressing concern about handing over client information to an organization that has made them potentially vulnerable.

That’s why a close and thorough examination of the privacy breach is in everyone’s interest. The Canadian Securities Administrators (CSA), an umbrella group of Canada’s 13 provincial and territorial securities regulators, which has just begun probing the matter, referred to the incident as an “accidental loss.” In these early stages, it’s hard to know if that’s the whole truth or just wishful thinking.

Ontario’s privacy commissioner doesn’t buy it. Dr. Ann Cavoukian says human error is no excuse, adding that financial data requires the strictest level of security because of its sensitive nature. For its part, IIROC says there’s no evidence that any unauthorized party has attempted to access the information for nefarious purposes to date. Even so, stolen data is commonly stored for future use.

So how does a regulator investigate, and possibly discipline, another regulator? Presumably, the same way they deal with industry participants. In that case, IIROC will be scrutinized over how effectively it supervised staff and ensured its rules and policies were enforced. Clearly, an employee screwed up in more ways than one: after all, even if the information was accidentally lost or misplaced, had it been encrypted the consequences wouldn’t be as potentially problematic. By the time it’s over, expect a mea culpa from the investment dealer watchdog and at least one head to roll.

BRENT LEWIN / BLOOMBERG NEWS: At least two groups are probing how IIROC lost a laptop containing data of more than 50,000 brokerage clients.
