The personal financial information of thousands of brokerage industry clients stored in a device lost by an Investment Industry Regulatory Organization of Canada (IIROC) employee was not encrypted, according to the regulatory body.
Leaving such data unencrypted is against the organization’s policy on protecting information it collects and IIROC is now conducting a comprehensive review to strengthen its policies and internal controls concerning its IT security and the collection, sharing and protection of confidential information, Becker said in an interview with the online financial publication InvestmentExecutive.com.
Becker said, her organization has a hired an outside expert to review its internal controls and information management practices.
The device containing the information was reportedly lost five or six weeks ago, but IIROC has declined to confirm the details around the incident. It was later reported that the device that was lost was a laptop. Becker said once IIROC learned of the data loss, the organization out to recreate the data and as of March 22, a third party forensic expert had determined the extent of the problem.
It was only early this month that IIROC came out publicly about the data loss.
Ian Russell, president and CEO of the Investment Industry Association of Canada (IIAC) said he expects to meet with IIROC officials next week to find out more about the incident and to offer his help.
It was a disappointment, he said, that as a trade association representing 32 firms that were impacted by the loss the IIAC was not immediately “brought in the loop.”