Like other federal agencies exercising regulatory power in the data privacy and security arena, the Financial Industry Regulatory Authority (“FINRA”) is cracking down on firms that fail to meet required data security practices. Recently, FINRA imposed a significant fine upon a regulated firm that lost a laptop containing confidential customer information, even though the lost data had not yet resulted in any known identity theft or customer financial loss.
- The Sterne Agee Sanctions Settlement
On May 15, 2015, FINRA reached a settlement with financial services firm Sterne Agee & Leach Inc. (“Sterne Agee”), by which the firm agreed to certain sanctions, including public censure and a $225,000 fine. FINRA’s enforcement action stemmed from the firm’s loss of a laptop computer that contained unencrypted confidential financial and personal information on over 350,000 customers. FINRA concluded that between 2009 and 2014, the firm’s “written supervisory procedures were not reasonably designed to protect confidential customer and proprietary information.” See Financial Industry Regulatory Authority Letter of Acceptance, Waiver and Consent No. 2014041619501.
Although Sterne Agee had previously established policies relating to data management, access controls, confidentiality and integrity, infrastructure, acceptable use, threat and vulnerability management and education and awareness, it failed to follow through on a key data protection protocol: encryption of laptop computers that contain confidential customer data.
FINRA reported that by 2009, the firm became aware of the need for encryption of confidential data kept on laptops, but considered it only a “moderate risk” due to the low number of laptops it used. Over the next five years, the firm’s support for encryption increased, but various funding delays, employee turnover issues and technical glitches caused the critical laptop encryption program to be repeatedly put off until it was too late.
In May 2014, just a month before the laptops finally were to be encrypted, one of the firm’s information technology employees left an unencrypted laptop in a restroom. It was lost. The laptop was believed to contain the names, addresses, account numbers and tax identification numbers for all accounts created or closed on Sterne Agee systems from 1992 to 2013. Losing the laptop, according to FINRA, “placed the personal and confidential information of 352,551 customers at risk.” There was no record that the lost customer data had been used for identity theft or that any customer had suffered a financial loss – at least not yet. But as with most enforcement actions of this kind, FINRA focused on the firm’s failure to adequately protect and secure the customer data (such as with encryption) in the first place, rather than on whether the lost or stolen data actually had been misused by whoever may have found it, if anyone did.
FINRA determined that Sterne Agee violated Rule 30 of SEC Regulation S-P, NASD Conduct Rule 3010 and FINRA Rule 2010. Sterne Agee was censured, required to pay a $225,000 fine, and required to certify within 60 days that it had reviewed and updated its policies to comply with the law.
- Rule 30 of SEC Regulation S-P
Rule 30 of Regulation S-P under the Securities Exchange Act of 1934 (17 C.F.R. § 248.30) provides that every broker, dealer and investment company “must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” These written policies must be reasonably designed to:
- Insure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The Sterne Agee settlement wasn’t the first time that FINRA assessed fines against a firm for failing to provide adequate data protection and security for customer information. In 2010, FINRA censured and fined Valores Finamex International, Inc. $27,500 for, among other violations, failing to comply with Regulation S-P by not establishing policies and procedures that address and review administrative, technical, and physical safeguards for the protection of customer records and information. See Financial Industry Regulatory Authority Letter of Acceptance, Waiver and Consent No. 2009016196001. Again, no evidence indicated that the lapse in precautions had yet caused any identity theft or financial harm to customers, but as with Sterne Agee, actual loss by the customer is not the threshold test for imposing sanctions.
- How to Implement Regulation S-P
The SEC Division of Investment Management recently published a Guidance Update on cybersecurity describing measures to consider when addressing cybersecurity risk. These measures include:
- conducting periodic assessments of the nature of the firm’s information and technology systems, the internal and external cybersecurity threats to these systems, the security controls currently in place and the potential impact of any breach of these systems;
- developing strategies to prevent, detect and respond to cybersecurity threats; and
- implementing this strategy through written policies and procedures and training for officers and employees and, in some cases, investors and clients.
Companies that hold confidential customer information – particularly those in regulated industries in which data protection and security regulations have been issued by the government – will not be excused for failing to comply with those regulations, especially for failing to encrypt mobile devices that contain customer data.
Companies should also recognize that in the technology ecosystem in which we now live, with broad internet access and mobile devices allowing the transfer of and access to gigabytes of confidential customer/client/patient/corporate information, data loss – for whatever reason – is not a matter of “if”, but “when”. And when it occurs, firms that have insufficient information security policies, practices and procedures may find themselves subject to increasingly harsh financial penalties and other consequences.