On September 22, 2015, the SEC announced settled administrative proceedings against R.T. Jones Capital Equities Management, Inc. (“RTJ”), a registered investment adviser, for failing to adopt written policies and procedures addressing the security and confidentiality of sensitive client information and its protection from anticipated threats and unauthorized access, as required by Rule 30(a) of Regulation S-P under the Securities Act (the “Safeguards Rule”). As noted in the order, the Safeguards Rule, which the SEC adopted in 2000, requires SEC-registered broker-dealers, investment companies and investment advisers to adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
According to the SEC, RTJ provided portfolio allocation models and recommendations to retirement plan participants through a program that participants could access on RTJ’s public website. The SEC found that from September 2009 through July 2013, in order to verify eligibility to enroll in the program, RTJ required prospective clients to log on to its website by providing certain personal information, which RTJ compared against the sensitive “personally identifiable information” (“PII”) of eligible plan participants that its plan sponsor partners had provided. According to the order, to facilitate this verification, the plan sponsors gave RTJ the PII of all of their plan participants, not only those who enrolled, and RTJ stored that data, without modification or encryption, on the same third-party-hosted web server that served its public site. Consequently, the order states that “even though [RTJ] had fewer than 8000 plan participant clients, its web server contained the PII of over 100,000 individuals.”
According to the SEC, in July 2013, RTJ discovered a potential cybersecurity breach of its third-party-hosted web server that rendered the stored PII vulnerable to theft. The order states that RTJ promptly hired multiple cybersecurity firms to investigate the breach, but ultimately those firms could not determine the full nature or extent of the breach, or whether the PII stored on the server had been accessed or exfiltrated. The SEC noted that RTJ notified the affected individuals and offered them free identity theft monitoring.
The SEC ordered RTJ to cease and desist from committing or causing future violations of the Safeguards Rule, censured the firm and required it to pay a $75,000 civil penalty. In deciding to accept RTJ’s settlement offer, the SEC considered RTJ’s remedial efforts, including the appointment of an information security manager to oversee data security and the protection of PII, the adoption and implementation of a written information security policy, the installation of a new firewall and logging system to prevent and detect malicious intrusions, and the retention of a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.
The SEC order in the matter of RTJ is available at: http://www.sec.gov/litigation/admin/2015/ia-4204.pdf.