On September 22, 2015, the SEC announced the settlement of a first-of-its-kind enforcement action involving a data security breach at R.T. Jones Capital Equities Management, a St. Louis-based investment adviser. In July 2013, R.T. Jones’ web server was hacked, compromising the Personally Identifiable Information (PII) of approximately 100,000 individuals. The action arose out of the company’s alleged failure to adopt written policies and procedures to ensure the security and confidentiality of PII, as required by Rule 30(a) of Regulation S-P under the Securities Act of 1933. The SEC charged that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents. Commenting on the case, an SEC official noted that it is important for firms “to have clear procedures in place rather than waiting to react once a breach occurs.” The SEC’s order ultimately found that R.T. Jones had violated Rule 30(a). Without admitting any wrongdoing, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a), to be censured, and to pay a US$75,000 penalty. As of September 22, R.T. Jones had not received any indication that a client suffered financial harm as a result of the data theft. The SEC’s press release on the action can be found here.