A notebook computer containing highly confidential personal and financial information of more than 50,000 Canadian investors from three dozen investment firms has been lost … by Canada’s financial industry regulator.
The Investment Industry Regulatory Organization of Canada (IIROC) says it “deeply regrets” the careless loss of the device, which has been identified as a notebook computer, and is now contacting clients whose personal information it has clearly put at risk.
Canada’s financial industry regulator said Friday the missing data is from clients at 32 firms, but would not disclose which ones.
The regulator says that the personal client information had been obtained by IIROC through “regular compliance reviews.” But it is unclear why this kind of highly confidential information is being retained by the regulator, which doesn’t appear to need the consent of Canadian investors to do so.
“IIROC deeply regrets this unfortunate but isolated incident and apologizes for the disruption caused to clients and the affected firms,” IIROC president and CEO Susan Wolburgh Jenah said in a statement.
It appears that IIROC’s Board has ordered an internal investigation and the regulator has brought in a third-party security company to help it identify what type of information may have been lost.
“We are concerned that disclosing further details surrounding the incident may put clients’ information at greater risk of being targeted for unauthorized use,” IIROC Vice-President Lucy Becker said in an email.
IIROC has declined to say where the device was misplaced and what type of information it may have contained. But sources at the regulator and at member firms say the personal information IIROC collects on Canadian investors is vast.
The compliance officer at one IIROC-regulated firm in Montreal said, “It is a constant point of contention with IIROC audit staff, as to what information they cart away from our premises and why. They just tell us that they are authorised to take whatever they want without our client’s permission or the firm’s. Much of this data should never leave the offices of a member firm. This kind of thing was bound to happen again.”
IIROC said they haven’t noticed any attempts to access the data on the portable device as of yet. The regulator says they have informed the relevant privacy commissions. It is likely that an investigation and possibly sanctions against IIROC will occur.