
InfoBytes Blog

Financial Services Law Insights and Observations

SEC Settles with New York Financial Firm and Employee Over Alleged Failure to Protect Customer Data

Topics: SEC; Privacy, Cyber Risk & Data Security; Virtual Currency

On June 8, the SEC announced that a New York-based financial services firm agreed to pay a $1 million civil monetary penalty to resolve allegations that it violated the “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). According to the SEC, the firm “failed to ensure the reasonable design and proper operation of its policies and procedures in safeguarding confidential customer data.” The SEC further contends that the firm failed to audit or test the authorization models that allowed employees to access the portals hosting customer data. The financial services firm settled the charges without admitting or denying the SEC’s findings.

As a result of the company’s alleged failures, between 2011 and 2014, a then-current employee of the firm gained access to and copied data regarding approximately 730,000 customer accounts to his personal server. The SEC alleges that the employee’s personal server was hacked, and that portions of the misappropriated data were posted to at least three Internet sites, with an offer to sell more of the stolen data in exchange for payment in digital currency. Under the employee’s separate consent order, the employee agreed to an industry and penny stock bar with the right to apply for reentry after five years. He was previously criminally convicted for his actions and received 36 months of probation and $600,000 in restitution.