
Three weeks after learning that their personal information, including social insurance numbers, had been released in a data breach, some Mackenzie Investments clients say they are having problems accessing promised supports and are questioning why their data was retained by a third party in the first place.

In late April, a number of Canadian investors holding funds from Mackenzie Investments were informed that their data had been compromised as part of a January breach of popular data-transfer tool GoAnywhere. Hackers accessed names, addresses and SIN numbers through InvestorCOM Inc., a printing and delivery service provider for financial institutions that uses GoAnywhere software. The breach affected some current and former investors.

Franklin Templeton, which uses InvestorCOM, was also affected, but client SINs were not compromised. GoAnywhere’s clients include fund manager Gluskin Sheff + Associates Inc., which learned of the breach from GoAnywhere in early March.

The breach raised questions about how many Canadians were affected and why InvestorCOM still held records for investors who had not held Mackenzie or Franklin Templeton funds for several years.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, companies that suffer breaches are required to share that information with the Office of the Privacy Commissioner of Canada (OPC). The OPC declined to share how many Canadians or companies had been affected by the GoAnywhere breach, saying only that it was aware of the situation.

“We are reviewing the report and are in ongoing communication with the company to obtain more information and to determine next steps,” said Vito Pilieci, spokesperson for the OPC.

Former Mackenzie executive Terry Beck is among the individuals notified by letter on April 27 that his personal information, including his SIN, had been compromised. But Mr. Beck said he divested his Mackenzie investments upon his retirement four years ago. In a letter to Mackenzie Investments, Mr. Beck asked why a third-party vendor had been allowed to retain his SIN.

“I have not been in receipt of any client materials from Mackenzie Investments since spring 2019,” Mr. Beck wrote in the letter. “Why wasn’t my SIN purged from their database?”

According to PIPEDA, Canadian companies are required to dispose of personal information “that does not have a specific purpose or no longer fulfills its intended purpose.” But there are no specific requirements related to the retention and deletion of SINs, Mr. Pilieci said.

How long a financial-services company has to store client information can vary based on different legal requirements, said Mackenzie spokesperson Nini Krishnappa in an e-mail.

“Securities, insurance, mortgage, tax, anti-money laundering, privacy, employment and corporate legislation all have varying minimum record-retention requirements,” Mr. Krishnappa added.

For example, Mr. Krishnappa said it’s generally six years under the Income Tax Act, five years under anti-money-laundering legislation, and seven years for securities and SRO requirements with “variances based on type of record and trigger events” – such as the date of record creation or date of account closing.

“The retention of any particular data point is fact specific, having regard to its use and type, and often dependent on the reading of multiple requirements together.”

Other investors have experienced challenges accessing the support offered by Mackenzie. After the data breach, the fund manager offered two years of free identity and credit protection through TransUnion, a consumer credit reporting agency, and up to $1-million in insurance in the case of financial loss through fraud.

Customers have until Aug. 31 to sign up. Mr. Krishnappa said that Mackenzie has increased its own contact centre resources, and has worked with TransUnion to expand the agency’s call capacity and hours of operation. In a statement, TransUnion said it is directing clients to register online.

Steve Pozgaj, who was chief information officer at Mackenzie from 1994 to 2001, said that when he tried to log on to TransUnion with the code he was provided by Mackenzie, the platform told him that the code had already been used. He later received a message saying his account had been suspended.

Mr. Pozgaj said he then spent more than two hours on hold on eight different business days in an attempt to set up his account with TransUnion, and in some instances the call was dropped after hours on hold.

TransUnion spokesperson Hyunjoo Kim said the company has faced high call volumes from an unexpected surge of calls to its technical support line.

When he did log in, Mr. Pozgaj saw that the amount listed under “Aggregate Limit of Insurance” was only $50,000, instead of the $1-million promised by Mackenzie. TransUnion did not respond to questions about this inconsistency.

Jason Jack, an independent financial adviser in Drayton, Ont., who had clients affected by the breach, said he finds the protection offered “very inadequate” and will hesitate to offer clients Mackenzie products in the future.

“I don’t want my reputation being controlled by people that make me accountable for their mistakes,” Mr. Jack said.
