Regulators aren’t protecting client data

Your clients’ data isn’t safe.

Case in point: This year, IIROC accidentally lost a portable device that housed the data of 52,000 clients from 32 member firms. IIROC went public with the loss April 11, 2013, but in a May letter to dealer members, admitted it had known about the loss since at least March 22, 2013.

In the same letter, the regulator said it had contacted law enforcement and affected firms before announcing the loss publicly.

And, IIROC revealed the device was not encrypted (encoded so only authorized parties can read it), contrary to policy.

The regulator says there’s no evidence of third parties attempting to access the information. In statements, CEO Susan Wolburgh Jenah said a third-party security expert was brought in following the incident to determine what information was lost.

The regulator also said it had contacted affected firms in the weeks that followed. Further, it has set up a dedicated hotline for concerned clients, notified all relevant privacy commissioners, and placed alerts on affected client credit files at Equifax Canada and TransUnion. It also offered one-year credit monitoring services through Equifax.

The regulator is also reviewing its policies to help prevent further losses and address staff accountability. Beyond these statements, the regulator provided background but declined comment to Advisor’s Edge Report.

Tales from the encrypt

An industry consultant close to IIROC, Patrick Fraser*, told AER the lost device was likely an examiner’s laptop that held brokerage account and audit information.

The regulator has not confirmed the type of device or type of information.

But, says Fraser, “It matters what kind of data was lost. Was it KYC information and account information from dealers, or was it brokerage account data? The latter is less of a concern since people can’t easily use that data to ask for third-party transfers of funds or perform trades.”

In reaction to the data loss, Ontario’s information and privacy commissioner, Ann Cavoukian, stated in a release, “It’s too easy for [information] to be stolen or lost. We [should] remove the sensitivity of the data by encrypting it [so] it’s completely inaccessible to a third party.”

Anita Fineberg, a Toronto privacy lawyer, adds, “There’s no excuse for not having something encrypted on a mobile device. You can also adopt systems that allow you to work remotely off a database, meaning you don’t have to hold identifiable data directly on a device.”

Fraser says organizations looking to prevent data loss may adopt tools like remote destruction programs for all devices.

But Toronto technology expert Tom Johnson* warns these programs won’t kick in unless lost devices are connected to the Internet.

Tech-savvy thieves won’t make that mistake, he says, adding hackers rarely attempt to use sensitive information right away.

To shield clients, the industry must prioritize data protection. And it should also train those who handle sensitive client information accordingly.

Firms should create data storage policies and review them regularly, as well as monitor employee activities (see “Protect client data,” page 1).

Protect client data

Client protection starts with tough internal policy, but here are some additional hardware and software measures firms can take.

• Encrypt all devices (desktops, laptops, smartphones, USBs and other portable devices) and their files;
• Never store sensitive files directly on computers;
• Back up data once a week;
• Change passwords once a month;
• Avoid printing client data files, or shred them ASAP;
• Assign a team to monitor data protection internally; and
• Review policies regularly.

Cavoukian said in the same statement, “Regulatory bodies, above all others, should have the most responsible processes in place. It’s not enough to have a policy. It has to be reflected in concrete action. You have to train staff and give them […] devices like USB keys that are encrypt-only.”

A top-down approach to change

Johnson says IIROC should have stored files on a secure remote server and backed up that information routinely. Firms need to do the same.

However, he says he’s seen lax behaviour. In his previous jobs, auditors asked him for large amounts of client data via email, which isn’t secure.

He says he’s also seen examiners transporting data on USBs, which, he adds, “I doubt were ever encrypted.”

He says most firms and regulators don’t change passwords monthly, nor do they back up data weekly.

Instead, they do it once a month since “back ups must be done during business hours when computers are on. The process is a pain and affects productivity.”

In fact, Johnson says he’s seen executives at his own firm purposely unplug computers and disrupt the backup process so they can continue working.

But backups are important because they allow for faster data recovery. Otherwise, a firm could be forced to reconstruct data from scratch. In the event of data theft or loss, clients will then have to wait longer before being alerted.

Fraser agrees backups save time and effort, as he experienced a few years ago.

Someone stole his employee’s laptop from his firm’s reception desk. It stored the data of approximately 1,000 clients. The employee had walked away but didn’t lock up or hand off the computer as required.

After the theft, Fraser’s firm followed the same general steps as IIROC, and completed the reconstruction and announcement process in fewer than 10 days, thanks to the backup.

He says regulatory guidance would have eased the process. But our review of IIROC policy shows no specific guidance on client data storage.

Instead, the regulator’s recordkeeping policies are general in nature.

Fraser says he also would have created tougher privacy policies and trained staff if guidance existed. As it was, consequences were relatively minor, since Canadian regulators, along with Ontario’s privacy commissioner, don’t have jurisdiction over breaches and losses—rather, the Office of the Privacy Commissioner of Canada (OPCC) leads these investigations.

After reporting the incident to the privacy commissioner, Fraser says he was asked to improve security and better train employees.

The OSC and CSA have launched an investigation into IIROC’s data loss (see “What do IIROC and OSC say about client data?”, this page).

But sources we spoke to say it is unlikely that IIROC will be fined or sanctioned because Canada’s weak privacy laws constrain regulators.

Privacy laws won’t help

Legislators are still developing Canadian privacy laws, so privacy commissioners don’t have much influence.

Compromised data falls under the jurisdiction of the OPCC. But, most privacy commissioners have no authority over entities that don’t use data for commercial purposes—this includes regulators.

Instead, when someone reports that her information has been misplaced, or a company admits it has lost data, the OPCC or provincial body in charge examines the structure and activities of the alleged violator (see “Canada’s privacy laws,” this page).

If OPCC finds the company earns profits from client data collection, it determines whether privacy policies exist and whether they were followed.

And that’s the end of the process. Though the OPCC monitors the company and issues a public report, it can’t sanction or fine the company.

The government recognizes this deficiency. In December 2012, Privacy Commissioner of Canada Jennifer Stoddart admitted the Personal Information Protection and Electronic Documents Act (PIPEDA) needs to be modernized, particularly regarding digital property.

It has a “soft approach, based on non-binding recommendations and the threat of reputation loss,” she says.

“[The OPCC has] seen organizations ignore our recommendations until the matter goes to court, and we have seen large corporations…pay lip service to our concerns and then ignore our advice.”

What do IIROC and OSC say about client data?

IIROC’s privacy code says it “makes reasonable efforts to ensure that the personal information it collects is limited to what is necessary for its intended use.”

It also says, “IIROC has put in place procedures and practices reasonably appropriate to the sensitivity of the personal information IIROC collects, uses, retains and discloses for protecting it against loss, theft, unauthorized access and similar risks.

“IIROC reviews and updates its policies and controls on a reasonable basis to ensure ongoing personal information security.”

The SRO also reviews firms’ policies when they apply to be members. One of the checklists they use to ensure firms are compliant includes a section entitled “Privacy legislation procedures,” which details the privacy policies that must be in place at dealers.

This section refers advisors to “IDA MR0256” and “IDA Bulletin 3218,” references that explain how federal privacy laws apply to their activities. It also refers potential members to the regulator’s policy and procedures manual.

Otherwise, the regulator doesn’t specifically tell firms how to best store and protect client information, though regulatory bodies have started releasing disclosure and information use guidance.

The Ontario Securities Act references client information collection this way: “The [OSC and firms] may collect personal information within the meaning of section 38 of the Freedom of Information and Protection of Privacy Act—[the privacy act used by the Commissioners in many provinces]—for the purpose of carrying out its duties and exercising its powers under this or any other Act. 1997, c. 10, s. 37.”

In other sections, the act says information can be kept private during investigations or audits, for instance, depending on its sensitivity and on the situation.

Canada’s privacy laws

Canada has two federal privacy laws:

›The Privacy Act, enacted in 1983

›The Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000

The commission regulates companies that collect data for commercial purposes.

The Privacy Act ensures 250 federal departments and agencies respect Canadians’ privacy rights by limiting collection, use and disclosure of data. It also lets people access and correct their information.

Any organization that collects personal information in the course of commercial activity is covered by PIPEDA.

The Office of the Privacy Commissioner of Canada doesn’t have much power over Quebec, Alberta and British Columbia since these provinces have developed independent provincial legislations to govern organizations operating within each province. Their laws aim to better define digital property and prescribe how it must be handled.

Scott Hutchinson of the OPCC told AER, “These acts generally apply to organizations even where they are not involved in a commercial activity. As a result, the provincial entities overseeing those pieces of…legislation could have some latitude in addressing the personal information practices of non-governmental regulatory bodies operating within their [jurisdiction].”

In other words, ASC, BCSC and AMF could fall under the jurisdiction of their respective provincial privacy laws.

Source: Government of Canada

=