The SEC settled charges against a financial services firm for failing to protect customer information, some of which was accessed by hackers and offered for sale online. The SEC found that the firm violated the "Safeguards Rule" of Regulation S-P.
The SEC Order stated that the accused firm failed to adopt written policies and procedures reasonably designed to protect customer data. For a period of over 10 years, the firm's policies and procedures did not include effective authorization modules to restrict employee access to customer data based on each employee's legitimate business need. The SEC determined that the firm failed to (i) audit or test the relevant authorization modules, and (ii) monitor and/or analyze employee access to and use of the portals. As a consequence of this failure, an individual employed by the firm during this period accessed and transferred data impermissibly from approximately 730,000 accounts to his personal server, which was hacked by third parties.
The firm agreed to pay a $1 million penalty.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.