The industry body regulating Canada’s insurance brokerage industry yesterday issued a warning that one of its personnel has lost a “portable device” containing the personal information of some 52,000 brokerage firm customers.
“IIROC deeply regrets this unformtunate but isolated incident and apologizes for the disruption caused to clientts and affected firms,” Susan Wlburgh Jenah, CEO of the Invetment Industry Regulation Organization of Canada said in statement yesterday. “The protection of confidential information is critical to us and we have taken steps to address the situation and to immediately strengthen our internal controls.”
The statement did not specificy how much data was contained in the device but the Globe and Mail newspapre reported yesterday that a spokeswoman for IIROC revealed that data belonging to 52,000 clients of 32 brokerage firms may have been lost.
The body creates and enfroces rules regarding the proficiency, business and financial conduct of investment firms and their registered employees.
The incident highlights the importance of employing security measures and technologies that could render data stored in mobile devices un-accessible to unauthorized users, said Tom Ward, VP of Markham, Ont-based endpoint security and data protection firm No Panic Computing.
“We still don’t have much information,” said Ward. “However, much of this consternation could be avoided if the lost device were equipped with some data wiping capability that would enable administrators to remotely destroy the data in the device.”
No Panic Computing provides enterprise and small and medium sized business with what it calls “notebook-as-a-Service”. Essentially, businesses lease from the firm laptops and desktop PCs that have security features such as encyption and biometric access technologies. The service includes intrusion detection, malware protection and remote data wiping. NPC also provides daily automatic secure data backup, which stores a client’s data in a secure database operated by Autonomy.
Ward noted that incidents of data loss have become almost regular content for newspapers lately.
For instance in January this year, the Human Reosurces and Skills Development Canada admitted that it lost an unencrypted device containing the personal information of 585,000 student loand borrowers. Last year, the same department reported that it couldn’t lcoate a USB key that contained the information of 5,000 people.
In its statement yesterday, IIROC said after learning that it lost the device it has done the following:
– Informed the relevant investment firms whose client information was on the device
– Is writing to those firms’ clients and providing a comprehensive checklist that includes additional steps clients can take to protect personal information;
– Set up a dedicated call center, starting Monday, April 15, which will be available from 9 a.m. to 5 p.m. Monday to Friday, to help answer client questions and concerns and, if needed, to walk them through the support materials provided; and
– Arranged, at no cost to clients, a six-year alert flag to be placed on their credit files through Equifax Canada.