
IIROC notifies investment firms and clients after device with personal information lost (updated)

Posted on April 12, 2013 by Dissent

From their press release of yesterday:

The Investment Industry Regulatory Organization of Canada (IIROC) deeply regrets the accidental loss of a portable device that contained personal information relating to clients of a number of investment firms. IIROC has taken several measures to notify the firms and their clients and to provide them with support services.

As soon as IIROC learned of the loss, it conducted an internal investigation and retained an independent third-party security expert in forensics to determine what information was contained on the device.

While there has been no indication of third parties attempting to access the information to date, IIROC:

  • Has communicated with the relevant investment firms whose client information was on the device;
  • Is writing to those firms’ clients and providing a comprehensive checklist that includes additional steps clients can take to protect personal information;
  • Set up a dedicated call center, starting Monday, April 15, which will be available from 9 a.m. to 5 p.m. Monday to Friday, to help answer client questions and concerns and, if needed, to walk them through the support materials provided; and
  • Arranged, at no cost to clients, a six-year alert flag to be placed on their credit files through Equifax Canada.

IIROC has strict policies in place that require all information it collects to be protected which should have prevented this unfortunate incident. IIROC immediately launched a comprehensive review of all its information technology and business policies, procedures and protocols in order to reinforce existing security controls.

“IIROC deeply regrets this unfortunate but isolated incident and apologizes for the disruption caused to clients and the affected firms. The protection of confidential information is critical to us and we have taken steps to address the situation and to immediately strengthen our internal controls,” said Susan Wolburgh Jenah, IIROC CEO and President.

IIROC has notified the relevant privacy commissioners.

IIROC will publish updates and other information that may be helpful on its web site at www.iiroc.ca.

***

IIROC is the national self-regulatory organization which oversees all investment dealers and trading activity on debt and equity marketplaces in Canada. Created in 2008 through the consolidation of the Investment Dealers Association of Canada and Market Regulation Services Inc., IIROC sets high quality regulatory and investment industry standards, protects investors and strengthens market integrity while maintaining efficient and competitive capital markets.

IIROC carries out its regulatory responsibilities by creating and enforcing rules regarding the proficiency, business and financial conduct of dealer firms and their registered employees and through the creation and enforcement of market integrity rules regarding trading activity on Canadian marketplaces.

Six years of credit monitoring is unusual.

Disappointingly, the release does not indicate when the loss occurred, when it was discovered, where it happened, and what types of data were on the device. Hopefully, they’ve been more forthcoming in their notification letter to those affected. If anyone received a letter from them and can share it, please email it to breaches[at]databreaches.net.

Update: Media reports indicate that 52,000 investors from 32 brokerage firms were affected, but it is still not known what type of device, where it was lost, when it happened, and what types of information were on it and whether there was any encryption.

Update 2: A reader submitted a copy of the notification letter, which I’ve uploaded here.

Category: Breach Incidents, Business Sector, Lost or Missing, Non-U.S.


2 thoughts on “IIROC notifies investment firms and clients after device with personal information lost (updated)”

  1. Khlav Kalesh says:
    April 23, 2013 at 12:43 pm

    I’ve received a letter regarding the IIROC data loss. Not much more info is provided however I can share.

    I run an e-commerce business and am surprised this data was taken out on a portable device and not encrypted. Our data never leaves the server(s) and/or databases. Even desktop hard-drives which may contain passwords or other secure info are all fully encrypted to secure against theft. Why an organization like this is so off on security/privacy is shocking.

    The best part is this is a regulatory agency put in place under the auspices of security. Lovely…

    1. Dissent says:
      April 23, 2013 at 1:06 pm

      Thanks for submitting the letter, which I’ve added as an update to the post. And yes, it is scary.
