Data on missing device at risk
Federal regulator’s staffer loses information on more than 50,000 investment clients
TORONTO - A portable device containing personal information of more than 50,000 investment dealer clients that was lost by a staff member of Canada’s investment industry regulatory agency was password-protected, but the information on it was not encrypted as required by the regulator’s own rules for the treatment of sensitive data.
“This one had not been encrypted, which is contrary to our policy,” said Lucy Becker, a spokesperson for the Investment Industry Regulatory Organization of Canada (IIROC).
“We are engaging a third-party expert to independently review our internal controls and information management practices to ensure they conform to best practice,” she added.
IIROC policies require two levels of security for all portable devices — password protection and encryption. But for some reason, in this case, the information was not encrypted, Becker said.
Since revealing the loss of personal information related to about 52,000 clients of 32 investment firms a week ago, the regulator has been tight-lipped about the data on the device and where and how it was lost. Becker has said the regulator is concerned that the details could put the client information at greater risk of being targeted for unauthorized use.
A source told the Post that the device was a notebook computer lost in Montreal, details IIROC would not confirm or deny.
Some industry players have quietly expressed concern about continuing to hand over sensitive data to IIROC, which routinely collects client information from the investment dealers it regulates to ensure the firms are complying with industry rules.
IIROC is among a class of industry watchdogs known as a self-regulatory organization, or SRO. It operates under the authority of a recognition order granted by the Canadian Securities Administrators, an umbrella group for the country’s provincial and territorial securities regulators.
“The CSA has been satisfied that IIROC is taking appropriate action in the circumstances and we will be staying engaged as IIROC communicates with clients of the affected firms,” the Canadian Securities Administrators said in a statement Friday. “We will undertake a further review of their systems and controls to be satisfied that they protect information as well as possible.”
Becker said IIROC is in the midst of a “comprehensive review” aimed at strengthening policies and internal controls related to the agency’s “IT security environment, as well as the practices relating to the collection, sharing and safeguarding of confidential information.”