The Canadian Securities Administrators (CSA) is reviewing IIROC's policies, procedures and controls following the recent accidental loss of a portable device containing personal information about clients of some of the regulator's member firms. This review is being conducted as part of its ongoing oversight of the industry.
The CSA says IIROC must, subject to applicable legislation, collect, use and disclose personal information only to the extent reasonably necessary to carry out its regulatory activities and mandate. It's also required to adopt policies and procedures that ensure confidential information about the operations of its dealer members isn't shared inappropriately.
As a result, the CSA is reviewing the facts surrounding the incident. This includes a review of IIROC's current policies, procedures and controls relating to information security, the encryption of data, and the collection and storage of personal information for regulatory purposes.