To avoid having the cover-up become worse than the crime, securities regulators need to come clean about the loss of the personal financial data of thousands of the investment industry’s clients.

Since the Investment Industry Regulatory Organization of Canada (IIROC) first disclosed the news of losing material contained on a portable device, the regulator has been extremely reluctant to provide any details of the incident – refusing to reveal exactly what was lost, where or when.

IIROC justifies its reticence on the grounds that it doesn’t want to put the lost data at greater risk of falling into the wrong hands. Although that may be an understandable concern, silence is unacceptable. There simply are too many questions left unanswered, not only for the affected clients but for all investment industry clients and the industry itself.

How is it that personal financial data is being shuttled around on mobile devices by a self-regulatory organization (SRO)? Why was this information not completely secured, either through strong encryption or the severing of personal identifiers from the rest of the data? And how can the regulators be certain this won’t happen again?

The answers must come from the regulators, as it seems that SROs reside in a void between government privacy watchdogs: being neither government agencies nor commercial ventures, SROs aren’t subject to the usual authorities that would investigate significant privacy breaches.

Rather, it appears that this job falls to the Canadian Securities Administrators (CSA), which has oversight responsibility for the SROs; however, the various members of the CSA are not privacy experts. Nevertheless, it appears the CSA has begun an investigation. For this effort to have any credibility, the CSA must be much more forthcoming than IIROC has been to date. The CSA must give a full account of the incident, as well as a detailed explanation of what has been done to ensure that it can never happen again.

The entire securities regulatory system is premised on the pre-eminence of full, true and plain disclosure. This principle also must apply to the regulators’ own affairs.

© 2013 Investment Executive. All rights reserved.