BreachExchange mailing list archives

IIROC to support clients whose personal information was on a lost portable device


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Sun, 14 Apr 2013 21:22:00 -0400

http://www.iiroc.ca/Documents/2013/d8d465f9-0a37-4325-8732-1b12cbd2ddb8_en.pdf

April 11, 2013 (Toronto, ON) – The Investment Industry Regulatory Organization of Canada (IIROC) deeply regrets the accidental loss of a portable device that contained personal information relating to clients of a number of investment firms. IIROC has taken several measures to notify the firms and their clients and to provide them with support services.

As soon as IIROC learned of the loss, it conducted an internal investigation and retained an independent third-party security expert in forensics to determine what information was contained on the device.

While there has been no indication of third parties attempting to access the information to date, IIROC:
• Has communicated with the relevant investment firms whose client information was on the device;
• Is writing to those firms’ clients and providing a comprehensive checklist that includes additional steps clients can take to protect personal information;
• Set up a dedicated call center, starting Monday, April 15, which will be available from 9 a.m. to 5 p.m. Monday to Friday, to help answer client questions and concerns and, if needed, to walk them through the support materials provided; and
• Arranged, at no cost to clients, a six-year alert flag to be placed on their credit files through Equifax Canada.

IIROC has strict policies in place that require all information it collects to be protected which should have prevented this unfortunate incident. IIROC immediately launched a comprehensive review of all its information technology and business policies, procedures and protocols in order to reinforce existing security controls.

“IIROC deeply regrets this unfortunate but isolated incident and apologizes for the disruption caused to clients and the affected firms. The protection of confidential information is critical to us and we have taken steps to address the situation and to immediately strengthen our internal controls,” said Susan Wolburgh Jenah, IIROC CEO and President.

IIROC has notified the relevant privacy commissioners.

IIROC will publish updates and other information that may be helpful on its web site at www.iiroc.ca.

***

IIROC is the national self-regulatory organization which oversees all investment dealers and trading activity on debt and equity marketplaces in Canada. Created in 2008 through the consolidation of the Investment Dealers Association of Canada and Market Regulation Services Inc., IIROC sets high quality regulatory and investment industry standards, protects investors and strengthens market integrity while maintaining efficient and competitive capital markets.

IIROC carries out its regulatory responsibilities by creating and enforcing rules regarding the proficiency, business and financial conduct of dealer firms and their registered employees and through the creation and enforcement of market integrity rules regarding trading activity on Canadian marketplaces.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
