The financial industry can look to Ontario

IIROC data loss preventable: Privacy commissioner

The loss of the financial information of some 52,000 brokerage firm clients last week could have been prevented if the Investment Industry Regulatory Organization (IIROC) had not relied so heavily on policies alone and had used security technologies as well, according to Ontario’s Information and Privacy Commissioner.

“This sort of thing sends me through the roof because it was completely preventable,” said Commissioner Ann Cavoukian. “What is so ironic is that it was the regulatory body that lost the financial information of 52,000 people. Financial information is probably the most sensitive information next to medical data.”

Last week, the IIROC reported that one of its employees lost a “portable device” containing the personal information of 52,000 brokerage firm customers. The IIROC is a national self-governing organization that oversees all investment dealers and trading activity on debt and equity marketplaces in Canada. The IIROC has since said that it has beefed up its security procedures and informed the affected brokerages and clients.

“We are concerned that disclosing further details surrounding the incident may put clients’ information at greater risk of being targeted by unauthorized users,” said Lucy Becker, vice-president of public affairs for IIROC.

“As far as I know, data from IIROC servers was downloaded onto a laptop and that laptop was lost,” said Cavoukian. “It’s surprising that in this day and age, they could not have equipped that mobile device with the technology to protect the data inside.”

The IPCO’s mandate is to promote open government and the protection of personal privacy in Ontario. The commission has jurisdiction over how Ontario government and healthcare agencies handle private information, but this does not extend to the IIROC.


“Policies are not enough,” according to Cavoukian, who also said IIROC could look to the province’s health-care sector for pointers in securing sensitive data stored in mobile devices.

“In Ontario, we have regulations that state that you can’t move health care records or patient data out of the network servers without the data being encrypted,” she said. “If the data is not encrypted, it should not contain any personally identifiable information – that means any information that can connect it back to the person concerned.”

At least one security expert agrees.

“Policies are important but they are just rules on paper if they are not followed by people,” said Tony Busseri, CEO of Route 1 Inc., a Toronto-based company that develops security and identity management tools for large enterprise and government institutions. “Policies should be enforced and strengthened by technology.”

One of Route 1’s primary products is the MobilKEY device, a USB-like device that enables users to log onto any computer and access their organization’s network securely with the help of a multi-factor authentication system.

“Data doesn’t need to be downloaded onto a device,” Busseri said. “The user can have Web access to the corporate server as long as the user has the MobilKEY and a corresponding unique personal identification number for logging on.”

The company’s technology, according to Busseri, is used by Canada’s Federal Privacy Commissioner’s office, the United States Department of Defense and Homeland Security, as well as other Canadian and U.S. government and military organizations.

“There are just too many financial firms and government agencies that use security policies as a crutch,” he said. “I think local companies and some government agencies are not making a serious effort to investigate what types of technologies they can use to protect their mobile devices.”

For example, he said, even before the IIROC data loss last week, Human Resources and Skills Development Canada reported in February that one of its employees had lost an unencrypted USB key containing the personal information of 583,000 Canada Student Loan borrowers. The same department reported losing the social insurance and medical information of 5,000 people in November last year. Also last year, the Toronto Dominion Bank reported losing data tapes containing information on 250,000 United States bank customers.

“The proliferation of mobile tools such as laptops, smart phones and USB keys has made it very easy for people to download data from corporate servers and take it with them,” he said. “Policies alone are not enough to prevent people from exposing sensitive information to risks.”
