The loss of the financial information of some 52,000 brokerage firm clients last week could have been prevented if the Investment Industry Regulatory Organization (IIROC) was not heavily reliant on policies alone and had used security technologies as well, according to the head of Ontario’s Information and Privacy Commissioner.
“This sort of thing sends me through the roof because it was completely preventable,” said Commissioner Ann Cavoukian. “What is so ironic is that it was the regulatory body that lost the financial information of 52,000 people. Fnancial information is probably the most sensitive information next to medical data.”
“We are concerned that disclosing further details surrounding the incident may put clients’ information at greater risk of being targeted by unauthorized users,” said Lucy Becker, vice-president of public affairs for IIROC.
“As far as I know, data from IIROC servers was downloaded onto a laptop and that laptop was lost,” said Cavoukian. “It’s surprising that in this day and age, they could not have equipped that mobile device with the technology to protect the data inside.”
The IPCO’s mandate is to promote open government and the protection of personal privacy in Ontario. The commission has jurisdiction how Ontario government and healthcare agencies handle private information, but this does not extend to the IIROC.
“Policies are not enough,” according to Cavoukian who also said IIROC could look to the province’s health-care sector for pointers in securing sensitive data stored in mobile devices.
“In Ontario, we have regulations that state that you can’t move health care records or patient data out of the network servers without the data being encrypted,” she said. “If the data is not encrypted, it should not contain any personally identifiable information – that means any information that can connect it back to the person concerned.”
At least one security expert agrees.
“Policies are important but they are just rules on paper if they are not followed by people,” said Tony Busseri, CEO of Route 1 Inc., a Toronto-based company that develops security and identity management tools for large enterprise and government institutions. “Policies should be enforced and strengthened by technology.”
“There are just too many financial firms and government agencies that use security policies as a crutch,” he said. “I think local companies and some government agencies are not making a serious effort to investigate what types of technologies they can use to protect their mobile devices.”
For example, he said, even before the IIROC data loss last week, Human Resources and Skills Development Canada reported in February that one of its employees had lost an unencrypted USB key containing the personal information of 583,000 Canada Student Loan borrowers. The same department reporting losing the social insurance and medical information of 5,000 people in November last year. Also last year, the Toronto Dominion Bank reported losing data tapes containing information on 250,000 United States bank customers.
“The proliferation of mobile tools such as laptops, smart phones and USB keys has made it very easy for people to download data from corporate servers and take it with them,” he said. “Policies alone are not enough to prevent people from exposing sensitive information to risks.”