On September 22, the U.S. Securities and Exchange Commission (“SEC”) and R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”), a St. Louis-based investment adviser, settled charges that R.T. Jones failed to adopt “written policies and procedures reasonably designed to protect customer records and information” in connection with a July 2013 data breach in violation of the SEC’s safeguards rule, Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)).  The company consented to the entry of an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 203(e) and 203(k) of the Investment Advisers Act of 1940, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order.  Pursuant to the settlement, R.T. Jones was censured and ordered to pay a civil money penalty of $75,000. 

According to the SEC order, for almost four years, R.T. Jones maintained personally identifiable information (“PII”) of the company’s clients and others on a web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.”  The server was attacked in July 2013 by an unauthorized user “who gained access rights and copy rights to the data on the server.”  Due to the intrusion, the PII “of more than 100,000 individuals, including thousands of R.T. Jones’s clients, was rendered vulnerable to theft.”

When the data breach came to light, R.T. Jones retained multiple cybersecurity firms to analyze the extent of the breach.  The SEC order states that “[o]ne of the forensic cybersecurity firms reported that the cyber-attack had been launched from multiple IP addresses, all of which traced back to mainland China.”  Soon after the breach was uncovered, R.T. Jones notified affected individuals and offered free identity monitoring.

The SEC found that R.T. Jones violated the safeguards rule because the company had not adopted the written policies and procedures required by the rule.  The order states, for example, that R.T. Jones’s policies did not include “conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident” and, overall, the company’s relevant controls “were not reasonable to safeguard customer information.”  Nevertheless, the SEC recognized that R.T. Jones has implemented certain cybersecurity remedial measures and took these actions under consideration in coming to the agreed settlement.  For instance, to help prevent future cyber-attacks, the company “appointed an information security manager to oversee data security and protection of PII, and adopted and implemented a written information security policy.”  In addition, R.T. Jones “no longer stores PII on its webserver and any PII stored on its internal network is encrypted.”

On the same day as the R.T. Jones settlement was announced, the SEC’s Office of Investor Education and Advocacy released an Investor Alert titled “Identity Theft, Data Breaches, and Your Investment Accounts,” in which the agency outlines a few key steps for investors to take in the event their PII is compromised in a data breach.  The alert advises investors to reach out to their broker-dealers or investment advisers immediately if they believe their data may have been exposed and report the relevant incidents.  Further, affected investors should change any online account passwords, assess whether compromised accounts should be closed, and consider placing a fraud alert on their credit files with a credit bureau such as Equifax.

The R.T. Jones settlement and related investor alert are additional evidence of the SEC’s recent focus on cybersecurity matters.