One of the many examples we use in presenting seminars and panel discussions on cyber security is the “lost laptop problem”: how do broker-dealers and individuals handle the situation where a laptop is left at the airport and never returned to its owner? It may seem ridiculous. After all, who would possibly leave a laptop (or iPad, etc.) behind? There is a reason we return to this example again and again—it happens.
FINRA recently published a Letter of Acceptance Waiver & Consent (AWC) involving Sterne, Agee & Leach, Inc. (Sterne Agee) in which it censured the firm and fined it $225,000 for a lost laptop containing confidential customer information. Without naming names, the AWC explains that the laptop was inadvertently left in a restroom by an IT employee and was lost. The laptop was believed to contain extremely sensitive files that contained clients’ names, addresses, account numbers, and tax identification numbers. Not only did the laptop contain confidential customer information about its clients, it also contained confidential information for accounts opened on the firm’s systems (even accounts at correspondent firms) from 1992 through June 2013.
If the contents of the laptop were not enough to give you pause, this might: the lost laptop was unencrypted when it was left in that restroom.
Sterne Agee had written supervisory procedures (WSPs) in place, some of which addressed data management and cyber security issues, both before and after the loss of the laptop. When these WSPs were adopted, the firm did not require that laptop hard drives be encrypted, because it had few laptops. As laptop use increased, the firm attempted to address the security of its devices, but from 2010 through 2014 its implementation of new software solutions and its funding for security tools were regularly delayed.
FINRA alleged that Sterne Agee violated several regulations and SRO rules, including Regulation S-P (relating to the protection of confidential customer information), FINRA Rule 3010 (requiring appropriate WSPs), and Rule 2010 (fair conduct rules). Without admitting or denying the allegations, Sterne Agee agreed to a censure, a fine of $225,000, and a commitment to review and revise its WSPs related to Regulation S-P. To date, there have been no reports of the customers suffering identity theft or losses from their accounts.
Whether it is the advisor who leaves his iPad at the airport or the IT person who leaves an unencrypted laptop in the restroom—people will lose things. The Sterne Agee AWC provides some guidance about the written supervisory procedures, IT policies, and training practices that will help your firm address the “lost laptop” issue:
- Accounting for the firm’s devices, thorough assessment of the devices’ capabilities and contents, and understanding risks associated with the inadvertent loss or theft of one of those devices;
- Guidelines on what data can and cannot be stored on iPads or laptops, to ensure that advisors have the information they need to work while on the road without unnecessarily exposing customer data if the device is lost;
- Installation of security software or other security measures to ensure that information on lost devices is inaccessible to third parties or that it can be remotely destroyed when a loss or theft occurs; and
- Chains of command for reporting security problems with devices (e.g., malfunctioning security software), or when a device is lost or stolen from an advisor or employee.