By: Marissa Louro
Customers of the financial services industry should place a stronger emphasis on trust when selecting a financial institution. Why? Many financial institutions collect customers’ personal information in order to provide personal benefits. Clients should be at ease knowing their respective financial institutions are protecting their private information, but are they? In a world driven by technology and money, the rising number of information security breaches is no surprise. More than ever, financial institutions must implement safeguards to protect customer information.
The Securities and Exchange Commission (“SEC”) addressed this issue in 2000 by adopting Rule 30(a) of Regulation S-P (the “Safeguards Rule”) under the Securities Act of 1933. See 17 C.F.R. § 248.30(a). The Safeguards Rule requires brokers, dealers, registered investment advisers, and investment companies to protect customer records and information. Specifically, they must implement policies and procedures to ensure protection against potential security threats and unauthorized access to customer records and information. As of 2005, these required policies and procedures must be in writing. In a recent SEC press release, Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, stated, “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” Thus, the Safeguards Rule must be enforced even in cases where there is no financial harm to customers.
On September 22, 2015, the SEC found R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”), a registered investment adviser, in violation of the Safeguards Rule. Between September 2009 and July 2013, it stored personally identifiable information (“PII”) of its clients and other individuals on a third-party-hosted web server. The information came from potential clients who were interested in enrolling in one of its managed account programs. Interested individuals provided their names, dates of birth, and social security numbers, which R.T. Jones received on the third-party-hosted web server. In July 2013, the web server was attacked, compromising the PII of over 100,000 potential clients, including thousands of R.T. Jones’ actual clients.
While investigations show no financial injuries to clients, R.T. Jones violated the Safeguards Rule because it failed to adopt the required written policies and procedures to protect customer records and information from cyber attacks and unauthorized access. R.T. Jones settled all allegations and faced censure, a cease-and-desist order against future violations of the Safeguards Rule, and a $75,000 penalty.
While some might question why R.T. Jones faced penalties given that there was no financial injury to clients, the SEC handled this case ideally. From a client’s perspective, financial institutions should be penalized for not taking steps to ensure the protection of their clients’ personal information. How secure and trustworthy are web servers? Can we really trust financial institutions with our personal information? One thing we can trust is the SEC’s commitment to protecting consumer financial information. Hopefully the R.T. Jones case garners significant attention and serves as a reminder to all financial institutions. Why wait for a breach? Financial institutions must take preventative security measures now. Something worth considering is the BT Assure Ethical Hacking for Finance service, which is designed to help financial institutions safeguard themselves from cyber attacks. In the meantime, clients should have a new perspective when hedging their investments; they should trust their financial institution with personal information to lessen the risk of financial harm. Even if customers have difficulty in measuring trust, at least they have the Safeguards Rule to keep financial institutions accountable for their personal information and documents.
Marissa is a Staff Member on the Journal of High Technology Law. She is a 3L at Suffolk University Law School with a concentration in Business Law. Marissa holds a B.A. in Political Science from Providence College.