SEC Uses Safeguard Rule to Sanction, Penalize Investment Firm for Data Breach
By Daniel L. Farris
Following a decision in August not to pursue penalties or other sanctions against Target for the company's massive 2013 data breach, the Securities and Exchange Commission announced new penalties last week against investment firm R. T. Jones Capital Management for its role in a much smaller 2013 breach involving investor data. The SEC's announcement came on the same day that it issued guidance to investors about how to protect their personal and financial information in the event of a financial institution data breach.
Under section 504 of the Gramm-Leach-Bliley Act, which regulates disclosure of consumer information, the SEC has the authority to impose penalties on companies that don’t disclose the magnitude of data breaches, fail to properly detail their policies and procedures for protecting consumer data, or fail to implement adequate cybersecurity measures. To date, however, the SEC has largely left data breach enforcement activities to the Federal Trade Commission.
Whether the SEC’s decision in the R.T. Jones case marks a shift in enforcement philosophy is unclear, particularly given the facts of the R.T. Jones case, which all but forced the SEC’s hand. According to the SEC, R.T. Jones “failed to adopt written policies and procedures designed to protect consumer records and information, such as employing a firewall or encrypting data to protect the web server it used to store sensitive client information. As a result, the personal data of nearly 100,000 people was compromised in the hack.”
Requirements for Financial Institutions & SEC Authority to Sanction
The SEC “Safeguards Rule” was adopted and promulgated under section 504 of the Gramm-Leach-Bliley Act. Section 504 requires the SEC and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers. Under the Gramm-Leach-Bliley Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure.
Background on R.T. Jones Breach
R.T. Jones entered agreements with retirement plan administrators and sponsors to provide managed account services, including model portfolios, to retirement plan participants. Individuals seeking to enroll in the program were instructed to fill out a questionnaire on the adviser’s public website regarding their investment objectives and risk tolerance. In order to verify prospective clients were eligible to enroll in the R.T. Jones program, personal information was compared against the personal information of more than 100,000 eligible participants provided by the retirement plan sponsor partners.
Despite storing Personally Identifiable Information (PII) – including Social Security numbers and dates of birth – R.T. Jones did not implement a firewall, encrypt data, or establish a breach response plan. Upon learning of the breach, R.T. Jones quickly retained two cybersecurity firms, which traced the intrusion to China; it later notified all individuals whose PII was compromised and provided them with free credit monitoring services.
Nonetheless, the SEC brought an enforcement action against R.T. Jones, claiming that the failure to implement a firewall, encrypt investor PII at rest, or establish a breach response plan violated the Safeguards Rule. Without admitting any fault, R.T. Jones settled the matter by agreeing to commit no future violations of the Safeguards Rule, and to pay a $75,000 fine.
Although the fine in this instance was small, and the facts were pretty damning – R.T. Jones failed to implement even basic data security measures – the matter is nonetheless instructive:
- Financial institutions must adopt, implement, and audit information security policies, as well as technical security measures.
- Ongoing monitoring and regular reporting on the efficacy of security measures are critical, as is vendor management when it comes to cybersecurity.
- Companies should appoint a Chief Information Security Officer, or similar person, to be responsible for the company’s privacy and data security activities and compliance, and the CISO should report to senior management or the Board.
- Encrypt and protect the information you collect, and do not collect or keep more data than is necessary for business purposes.
For assistance in understanding how the SEC Safeguards Rule may affect your company, auditing privacy and data security compliance programs, or drafting information security policies, please contact the author or a Polsinelli Privacy and Data Security team member.
Investor Alert: Identity Theft, Data Breaches and Your Investment Accounts: SEC guidance to investors, September 22, 2015
SEC Hits Investment Firm With $75K Fine For 2013 Data Breach: Law360, September 27, 2015
SEC Won’t Recommend Enforcement Action Over Target’s Data Breach: Bloomberg BNA, August 27, 2015