The Investment Industry Regulatory Organization of Canada (IIROC) has announced the accidental loss of a portable device that contained personal information relating to clients of a number of investment firms.
IIROC has taken several measures to notify the firms and their clients and to provide them with support services.
As soon as IIROC learned of the loss, it conducted an internal investigation and retained an independent third-party security expert in forensics to determine what information was contained on the device.
While there has been no indication of third parties attempting to access the information to date, IIROC:
- Has communicated with the relevant investment firms whose client information was on the device;
- Is writing to those firms’ clients and providing a comprehensive checklist that includes additional steps clients can take to protect personal information;
- Set up a dedicated call center, starting Monday, April 15, which will be available from 9 a.m. to 5 p.m. Monday to Friday, to help answer client questions and concerns and, if needed, to walk them through the support materials provided; and
- Arranged, at no cost to clients, a six-year alert flag to be placed on their credit files through Equifax Canada.
In an updated release, the regulator said it will also monitor peoples’ credits for one year through Equifax Canada. Clients must opt in to receive this service by calling Equifax Canada at 1-866-205-0679, or 1-866-466-9577 if they speak French.
IIROC has arranged, at no cost to clients, for a fraud warning to be placed on their credit files through TransUnion for six years as well. Clients can choose to opt out of this service at any time by calling 1-800-663-9980, or 1-877-713-3393 if they speak French. The number for Montreal is 514-335-0374.
IIROC has strict policies in place that require all information it collects to be protected which should have prevented this unfortunate incident. IIROC immediately launched a comprehensive review of all its information technology and business policies, procedures and protocols in order to reinforce existing security controls.
“IIROC deeply regrets this unfortunate but isolated incident and apologizes for the disruption caused to clients and the affected firms. The protection of confidential information is critical to us and we have taken steps to address the situation and to immediately strengthen our internal controls,” said Susan Wolburgh Jenah, IIROC CEO and president.
IIROC has notified the relevant privacy commissioners.
IIROC will publish updates and other information that may be helpful on its web site at www.iiroc.ca.