PMAC calls on CSA to review privacy and data protection policies
PMAC wrote to the Canadian Securities Administrators (CSA) following the cybersecurity incident at CIRO, which impacted registrants’ personal information. We believe this incident serves as an opportunity for CIRO, the CSA and CSA member jurisdictions to review their privacy and data protection policies and to consider improvements. We are particularly concerned about personal information collected on the National Registration Database (NRD) that may pose a greater identity fraud risk and that may not be needed for regulatory purposes beyond a certain length of time. Areas for possible examination include the type of personal data collected, the purpose of collection and use, data retention and destruction policies, and data sharing and transfer policies. We urged the CSA to prioritize transparency and to communicate with firms and individual registrants regarding the steps the CSA is taking to protect their information.
The full letter is available on our website.