What a mess! In February, an employee of the enforcement division of IIROC carelessly misplaced highly sensitive financial information of 52,000 Canadian investors when she lost a “portable device”, resulting in the biggest breach of investor privacy in Bay Street history. What’s more is that contrary to IIROC’s own rules, the data was not encrypted, no explanation has been offered as to what IIROC was doing with that data in the first place, and it has been clumsily revealed that the regulator attempted to cover up the breach until it was clear that this breach of investor privacy was about to be leaked.
In what was a panic of mass proportions, the Investment Industry Regulatory Organization of Canada scrambled to announce the lost data just 2 weeks ago, in what some say was a deliberate attempt to mislead the investing public. In a press release, the regulator went to great lengths to give the appearance that the security breach had just taken place and that they were responding rapidly, and pro-actively. But in the days following this revelation it became clear that nearly 9 weeks had passed since the breach of security was known by IIROC and that orders were given by its CEO, Susan Wolburgh Jenah to cover the matter up.
Sources inside the IIROC say that its board has met and is contemplating the firing of Jenah, and two other IIROC senior executives namely; Joe Yassi, IIROC VP of Business Conduct Compliance and Paul R. Riccardi, Senior Vice President of Enforcement. The source says that tensions are high at IIROC head office and that an announcement of a major management shakeup is pending.
Bay Street, and Canada’s investing public have been waiting to hear from the regulator regarding its on-going internal investigation, and to find out whom if anyone would be held responsible. Its own regulatory body; the Canadian Securities Administrators has said that it has launched a separate investigation into the matter, but Bay Street remains skeptical that anything will come from it. “It’s kind of like being investigated by your mom. CSA won’t do anything that makes IIROC look bad,” said one investment advisor at Scotia McLeod.
The class action being brought by the law firm of De GrandprÃ© Chait, estimates that the damage caused by stress, potential for fraudulent information use, and inconvenience amounts to $1,000 per customer. Lawyer, Louis Demers says he believes IIROC has contravened the Privacy Act, which provides that “business must take security measures to protect personal information they have collected.”
Lucy Becker, Vice President, Public Affairs has refused to address the lawsuit saying that, “It is inappropriate to comment as the matter is before the courts.” Interestingly, IIROC’s has no problem with its own process of press-releasing endless amounts of unproven allegations against registrants when it drags them through its own enforcement process. Many on Bay Street are more than amused by the pickle IIROC is now finding itself in. “IIROC has no friends in the investment industry. They have built up their own brand, and are doing nothing but trying to maintain their own jobs by trying to malign the reputations of the firms they regulate. Its beyond unethical. They are like an ignorant mafia,” says one former IIROC employee who left last year citing what she said was cultural shift away from regulating from a basis of knowledge to a strategy of bullying everyone and hoping nobody realized that they were becoming progressively more incompetent as they continue to lose veteran industry staff.
IIROC announced that it is taking additional measures to protect the credit ratings of any concerned clients. Perhaps IIROC member firms and the Canadian banks should stand up for investors and refuse to hand over this kind of data in the first place.