On September 29, the Securities and Exchange Commission (SEC) issued an administrative cease and desist order, under Sections 15(b) and 21C of the Securities Exchange Act of 1934 and Sections 203(e) and 203(k) of the Investment Advisers Act of 1940, against Commonwealth Equity Services, LLP d/b/a Commonwealth Financial Network. See Release No. 34-60733 at www.sec.gov/litigation/admin.shtml. The SEC’s cease and desist order—to which Commonwealth consented without admitting any wrongdoing—found that Commonwealth Financial violated Regulation S-P by leaving its customer information “vulnerable to unauthorized access.” How did Commonwealth Financial do this? According to the SEC’s order, it only recommended—but did not require—that its registered representatives run anti-virus software on the computers they used to access Commonwealth Financial’s intranet trading platform. Equally bad, according to the SEC, Commonwealth Financial did not audit registered reps’ branch office computers to check whether anti-virus software was installed, and it had no procedures in place to follow up on potential computer security issues uncovered during branch audits or reported by reps. The end result was that “bad guys” could potentially crack into Commonwealth Financial’s confidential customer information.
As a result, the SEC found that Commonwealth Financial willfully violated Rule 30(a) of Reg S-P. An expanded discussion of Reg S-P is below, but one thing that Reg S-P requires is for firms regulated by the SEC to adopt security measures to protect nonpublic personal information about their customers.
Does Commonwealth Financial’s slip-up here sound like a trivial violation of Reg S-P? Not so, says the SEC, which imposed a whopping $100,000 civil monetary penalty on the firm and banned it from ever violating Rule 30(a) of Reg S-P going forward.
What’s our takeaway from this? The securities defense team at Holme Roberts & Owen (HRO) sees the Commonwealth Financial case as yet another example of the SEC’s stepped-up enforcement efforts to make sure firms are really protecting customer information under Reg S-P. This means that firms need to audit their customer data security measures now. As the Commonwealth case suggests, even seemingly simple oversights on security measures can land firms in hot water and cost them significant amounts.
Now a little refresher on Regulation S-P and what’s been going on with it in the last year or so. Reg S-P was adopted in 2000 to implement certain provisions of the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. It requires firms regulated by the SEC to adopt security measures to protect nonpublic personal information about customers and to inform customers about the firms’ privacy policies and practices. It also limits when firms may disclose nonpublic personal information to any nonaffiliated third party without first giving the customer an opportunity to opt out of the disclosure.
As the securities defense group at HRO previously reported, Reg S-P is in the process of being overhauled to increase restrictions on what information broker dealers and reps may transfer when registered reps leave firms and to require firms to adopt procedures to prevent and respond to improper disclosure of private customer information. The proposed new Reg S-P is still not final. In the meantime, the SEC has instituted a number of enforcement actions under Regulation S-P in which broker dealers are accused of failing to adequately protect customer information. In some cases, the SEC is going after broker dealers for apparent sloppiness. For example, on July 17 the SEC issued an order instituting administrative cease and desist proceedings against a broker dealer accused of leaving 5,000 customer records curbside for a trash pickup that never happened. See Rel. 34-60325 at www.sec.gov/litigation/admin.shtml. In other cases, the SEC is reacting to overly aggressive account transfer tactics, such as where a broker dealer was found to have, among other things, pre-populated account transfer forms for incoming reps using detailed client and bank account information taken directly from the reps’ still-current firms. See HRO Alert re SEC’s First Enforcement Action Under Reg S-P; see also Initial Decision Release No. 349 at www.sec.gov/alj/aljdec/aljdecarchive/aljdecarc2008.shtml. We expect the SEC to continue to step up its enforcement efforts under Reg S-P. We also expect to see similar enforcement efforts under Regulation S-AM (Reg S-AM), which prohibits entities regulated by the SEC (e.g., broker dealers, registered investment advisors and registered transfer agents) from using “eligibility information” received from affiliates to market to customers without first getting permission to do so. See Regulation S-AM: SEC Publishes Final Rules for Affiliate Marketing.