Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, says that she is “appalled” to learn of the loss by the Investment Industry Regulatory Organization of Canada (IIROC) of a device containing the data of about 52,000 brokerage firm clients.
She says that financial information ranks second only to medical information as the most sensitive type of personal information; and that this therefore deserves the strongest privacy protection possible.
The device contains information on clients of 32 firms, says Lucy Becker, vice president of public affairs with IIROC, which announced the loss last Thursday evening. The regulator refuses to disclose when or how the data was lost.
“We are concerned that disclosing further details surrounding the incident may put clients’ information at greater risk of being targeted for unauthorized use,” Becker says.
In a news release issued Thursday, IIROC said “there has been no indication of third parties attempting to access the information to date.”
Cavoukian has dealt with similar incidents in the healthcare sector — her office is responsible for ensuring compliance with privacy laws in the province’s public sector, and in the healthcare sector (both public and private) — and stresses that the loss of sensitive personal information is entirely preventable.
Although it’s inevitable that portable devices will be lost or stolen from time to time, she says that sensitive personal information should never be at risk because it should only be transferred to a portable device with either strong encryption, or with the personal identifiers stripped out of the data first. “People say, ‘it’s human error, it can’t be helped’ — of course it can be helped,” she says. “The disclosure of sensitive, personally-identifiable data should never, ever happen.”
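Cavoukian's second option, stripping the personal identifiers out before the data is copied to a portable device, can be illustrated with a small de-identification step. The following is an added example, not IIROC's or any firm's code; the CSV rows, the field names and the key are all constructed. Direct identifiers (client name, account number) are replaced with keyed HMAC tokens, so the extract can still be reconciled internally by whoever holds the key, but reveals nothing about the clients if the laptop goes missing.

```python
"""De-identify a client extract before it leaves a controlled system.

Added example (not IIROC's code). Direct identifiers are replaced with keyed
HMAC tokens. Without the key, tokens cannot be reversed, and an attacker
cannot rebuild them by hashing guessed account numbers offline, because the
key is never stored on the portable device.
"""
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample of what a compliance-review extract might look like.
SAMPLE_CSV = """client_name,account_number,firm,holdings_value
Jane Doe,123-456-789,Example Dealer Inc.,250000
John Roe,987-654-321,Example Dealer Inc.,42000
Jane Doe,123-456-789,Other Broker Ltd.,10000
"""

# Fields that directly identify a person and must not travel in clear text.
DIRECT_IDENTIFIERS = ("client_name", "account_number")


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token for one identifier value.

    The field name is mixed in so that the same string appearing in two
    different columns produces two different tokens.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def deidentify_csv(text: str, key: bytes) -> str:
    """Return the CSV with every direct identifier replaced by its token."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        for field in DIRECT_IDENTIFIERS:
            if field in row and row[field]:
                row[field] = pseudonymize(row[field], key, field)
        writer.writerow(row)
    return out.getvalue()


def column(text: str, field: str) -> list:
    """Values of one column, in row order (used to check the output)."""
    return [row[field] for row in csv.DictReader(io.StringIO(text))]


def leaks_direct_identifiers(original: str, deidentified: str) -> bool:
    """True if any original identifier value survives verbatim in the output.

    Run this as a release gate before the file is allowed onto a laptop.
    """
    for row in csv.DictReader(io.StringIO(original)):
        for field in DIRECT_IDENTIFIERS:
            if row.get(field) and row[field] in deidentified:
                return True
    return False


if __name__ == "__main__":
    # The key stays on the secured system; only the tokenized file travels.
    key = secrets.token_bytes(32)
    safe = deidentify_csv(SAMPLE_CSV, key)
    assert not leaks_direct_identifiers(SAMPLE_CSV, safe)
    print(safe)
```

Two caveats a reviewer would raise. First, tokenization removes direct identifiers only; the remaining columns (firm, holdings value) are still quasi-identifiers, so this step complements full-disk or file encryption on the device rather than replacing it. Second, the tokens are deterministic on purpose so that the same client maps to the same token across rows; if that linkage is not needed for the review, a random per-row token (or dropping the column entirely) gives less information to anyone who finds the device.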
Moreover, she takes no comfort from the fact that there’s no evidence that any of the lost data has been misused. “That means nothing,” she says, noting that those who would try to use the data for nefarious purposes will sit on stolen data for a long time before they try to do anything with it. “You don’t stop worrying just because it hasn’t been immediately activated,” she says.
Cavoukian says that her office does not have jurisdiction to investigate this case. She also notes that it appears that IIROC is doing all of the right things, in terms of notifying affected firms and clients, and ensuring it has the proper policies in place to prevent these sorts of incidents. That said, she also stresses that it’s not enough to just have policies — these policies must be reflected in practice, and backed up by training to ensure that the policies are followed.
Gordon Gibson, senior vice-president and managing director with National Bank Financial (NBF) in Montreal, says that the missing device is a laptop computer. Gibson says the personal data of a small number of NBF clients — fewer than 100 — has been lost.
“IIROC notified us that we do have a small number of clients who have been affected and it was concentrated in the hands of a relatively small number of investment advisors,” says Gibson. “At this time it is our understanding that only the client’s name and client account number were compromised.”
NBF notified its advisors early Friday and was told that IIROC had already distributed client letters to those individuals who were affected.
A spokeswoman for Bank of Nova Scotia said a small number of clients of its online brokerage have been affected.
Vancouver-based Canaccord Wealth Management said that IIROC informed the firm that Canaccord client information was not on the portable device that was lost, but it’s unclear which other firms have been affected by the data loss.
Toronto-based Richardson GMP Ltd. declined to comment. But a spokesperson for TD Bank Group of Toronto says that no client information from TD Securities or TD Waterhouse (including financial planning, private investment advice, direct investing and institutional services) is on the missing laptop. As well, a spokesperson for Raymond James Ltd. of Toronto says the investment firm is unaffected.
The regulator reports that when it discovered the loss of the device, it conducted an internal investigation and retained an outside forensics expert to determine what information was contained on the device.
“We want to reinforce that we have communicated with all affected firms and are notifying their clients whose information was on the device,” Becker says. “We also want to make it clear that the firms were not responsible in any way and that IIROC obtained the information as part of regular compliance reviews.”
IIROC says that it has set up a dedicated call center, which will start operations on April 15, to help answer client questions; and, it has arranged for a six-year alert to be placed on client credit files through Equifax Canada.
“IIROC deeply regrets this unfortunate but isolated incident and apologizes for the disruption caused to clients and the affected firms. The protection of confidential information is critical to us and we have taken steps to address the situation and to immediately strengthen our internal controls,” said Susan Wolburgh Jenah, IIROC CEO and president, in a statement.
Speaking on behalf of the Canadian Securities Administrators (CSA), which oversees IIROC, Jill Homenuk, director of communications and public affairs at the Ontario Securities Commission (OSC), says that, “The CSA has been satisfied that IIROC is taking appropriate action in the circumstances, and we will be staying engaged as IIROC communicates with clients of the affected firms over the coming days.”
The self-regulatory organization stresses that it has policies in place that require all the information it collects to be protected, “which should have prevented this unfortunate incident”. As a result of this episode, however, it has reviewed all of its information technology and business policies, procedures and protocols in order to reinforce its security controls.
Homenuk adds that the CSA, “will undertake a further review of [IIROC’s] systems and controls,” in order to ensure that it is doing enough to protect confidential information.
IIROC has already “reviewed and strengthened” its internal controls, and says its security policies “have been reinforced with all employees to ensure that they adhere to such policies,” Becker says.
“We have confidence in the safeguards we have in place to protect the client information that dealers provide us,” she adds.
“IIROC is also undertaking an independent review of our policies, procedures and practices to ensure that the safeguards we have in place are consistent with best practice and designed to ensure maximum protection of information in our possession,” Becker says.
With files from Clare O’Hara and Fiona Collie