Financial firms must value client privacy

November 12, 2013 | Last updated on November 12, 2013

Canadian regulators don’t push firms to protect client data. As AER reported in June, regulatory recordkeeping rules in Canada are basic, and don’t prescribe how advisors should store sensitive information or bolster firm security.

That’s because most of our SROs rely on federal privacy authorities to govern data collection and use. Federal bodies also have jurisdiction over security breaches that affect investors.

But while the CSA and OSC are reviewing IIROC’s security measures after its breach earlier this year, they likely won’t penalize the regulator since they don’t have specific rules to address data compromises. And, even though IIROC says it plans to boost security systems and is co-operating with reviews, the SRO won’t face pressure to guide member firms. Why?

  • Regulators aren’t under the jurisdiction of most privacy authorities in Canada. Ann Cavoukian, Information & Privacy Commissioner of Ontario, oversees the province’s municipal and provincial government organizations, and health institutions. Federal privacy commissioner Jennifer Stoddart, of the Office of the Privacy Commissioner of Canada (OPCC), regulates national companies that profit from data collection; and
  • Canada’s privacy laws are weak. Even companies that do collect data for profit can’t be sanctioned for losses by the OPCC. And companies aren’t legally required to report breaches, meaning firms could put them under wraps.

Since advisory firms do profit from managing clients’ portfolios, national privacy laws apply; and any transgressions reported to OPCC (by businesses or clients through complaints) are made public by the commission and could affect their reputations.

What’s more, Stoddart is advocating for legislative changes, since she wants to give organizations even greater incentive to invest in secure data management systems.

Cavoukian adds firms must do more than implement basic data protection policies, because “financial files have the sensitivity of currency.” And since some advisors may not be tech-savvy, regulators should offer more direction for properly training staff.

Time to get tough

Stoddart has been fighting for a privacy law overhaul for more than 10 years. Her second term ends this December, and she wants to pave a path so her successor can ensure companies are better held responsible for mishandling data.

She says fining and sanctioning businesses would likely cut down on the number and costs of data breach cases. In an April 2013 statement, she said, “Some companies are very co-operative [during investigations], but the process is…drawn-out and resource-intensive… Canadian taxpayers [can’t be] footing…large bills to fund the privacy improvements of businesses.”

In May 2013, Stoddart published a paper that officially called for legislative reforms to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which was enacted in 2000 and reviewed in 2006. She wants the government to:

  • allow enforcement powers to hand down statutory damages (administered by the Federal Court), or allow the federal privacy commission to make orders and impose monetary penalties;
  • require organizations to report breaches of personal information to the federal commissioner, as well as notify affected individuals where warranted; and
  • require organizations to publicly report on the number of disclosures they make to law enforcement, without knowledge or consent, to shed light on the frequency and use of this measure.

In a release accompanying the paper, Stoddart says these measures are crucial since “personal information has been called the oil of the digital economy. As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially.”

Though she says PIPEDA should remain technology-neutral, these changes would push companies to better protect their clients’ interests.

The intensity of her efforts over the past decade suggests further change is coming. And more stringent rules could impact best practices and data management program requirements. If firms fail to implement thorough internal policies, future breaches may cost them money.

Stoddart faces opposition. As she said in December 2012, many in government argue her office “cannot be judge, jury and executioner.”

In response, she points out many of her counterparts, provincially and internationally, have taken the steps she’s suggesting.

“In the UK, stronger enforcement powers have not precluded an ombudsman approach and, where appropriate, fines are issued where a softer touch has failed,” she says, adding, “Our UK counterparts tell us that businesses that invest in good privacy…feel it’s only fair to impose…financial burdens on those [that] do not.”

Further, “My fellow Commissioners in Quebec, Alberta and British Columbia [also] have order-making powers and jurisdiction over the private sector. They also have other functions, prescribed in legislation, that enable them to perform multiple roles, such as educator, adjudicator, enforcer [and] advocate,” says Stoddart.

Canada is on its way to change; Bill C-12 (The Safeguarding Canadians’ Personal Information Act), which was introduced in 2011, includes some measures Stoddart is pushing for. It was developed after the 2006 review of PIPEDA and is at the second reading stage (see “Legislative changes coming,” this page).

U.S. ahead of Canada

In the U.S., regulators have more control over misuse of financial data, thanks to the adoption of Regulation S-P by the Securities and Exchange Commission in November 2000. These privacy rules—included under section 504 of the Gramm-Leach-Bliley Act—let the Commission regulate firms’ data policies.

The SEC also requires firms to provide clients with outlines of their privacy policies and practices, as well as report any breaches to authorities and affected clients. In 2008, the SEC proposed significant upgrades to Reg S-P, and outlined how much time firms should spend implementing practices and dealing with breaches.

In the case of the latter, it estimated small firms should spend about $18,000 to implement policies and $10,000 per year to maintain them, while larger, more complex institutions should spend more than $100,000 at the start and $50,000 per year to uphold client safety. Due to measures like Reg S-P, there’s been a massive drop in data breaches in global financial services sectors. A 2012 KPMG study found financial breaches have been reduced by 80% over the past five years, though the sector is still on the list of the top five most vulnerable. It’s hit most by fraud (30%) and hackers (35%).

Since there are still risks, the SEC has used Reg S-P to crack down on firms. In April 2011, the SEC targeted three Florida-based executives. In a release about that case, the SEC explained the CEO of a closing broker-dealer authorized one of his sales managers to “download customer names and addresses, account numbers, and asset values to a portable thumb drive [so that manager could] provide [those] records to his new employer after resigning.”

The SEC says investors weren’t informed of the data transfer, and weren’t able to opt out. Further, the broker’s chief compliance officer didn’t ensure proper policy was followed during the transfer.

Glenn Gordon, associate director of the SEC’s Miami Regional Office, added, “[the firm had ignored] several red flags from security breaches…in previous years” and hadn’t implemented proper policies. As a result, the CEO and manager were fined $20,000, while the compliance officer was fined $15,000.

So, the SEC is willing to take a firm hand in these dealings, and does lay out its expectations to firms. In October 2011, the SEC further issued guidance on cyber risks and security that outlined federal and municipal laws and storage trends in America.

FINRA, the self-regulatory organization that governs most U.S. broker-dealers, also has prioritized investors’ privacy, and added a “customer information protection” section on its website. There it highlights Regulation S-P and provides news, takeaways and e-courses on data protection.

Canadian regulators, by contrast, only offer general record-keeping guidance, so you’ll need to brush up on cyber threat and data protection knowledge independently. If privacy legislation is bolstered in Canada, you need to be prepared to meet any upgraded data storage and reporting requirements.

Legislative changes coming

Bill C-12, the Safeguarding Canadians’ Personal Information Act, was brought forward by the Conservative government in 2011 following a 2006 review of the Personal Information Protection and Electronic Documents Act.

C-12 proposes requiring businesses to report data breaches to both federal authorities and customers. It doesn’t, however, seek to give authorities the power to fine businesses since it focuses most on data-sharing best practices in Canada.

It turns out amendments have been in the works since 2010, according to spokespeople at Industry Canada, who add, “The government tabled amendments to PIPEDA under Bill C-29 on May 25, 2010, but the Bill died on the order paper when Parliament was dissolved on March 26, 2011. Amendments to PIPEDA were reintroduced as Bill C-12 on September 29, 2011. The Bill is still awaiting second reading.”

They also note it proposes “to update and enhance Canada’s private sector privacy law. The changes…proposed in the Bill…have been called for by Canadians and stakeholders.”

Christian Paradis, Canada’s minister of industry, has said, “Opposition [has] decided to play political games and needlessly delay the bill.”

NDP minister Charmaine Borg and her colleagues oppose C-12 because they say it’s too soft. In contrast, Borg’s private member’s Bill C-475—also at second reading—takes a tougher approach.

Along with requiring that firms report breaches, Bill C-475 wants to issue fines of up to $500,000 if businesses don’t reasonably improve practices following investigations by the OPCC.