In a recent Securities and Exchange Commission (“SEC”) enforcement action, the SEC concluded that a registered broker-dealer and investment adviser (the “Firm”) violated Rule 30 of Regulation S-P by failing to adopt sufficient policies and procedures governing decommissioning of data-bearing devices. During a decommissioning project in 2016, the Firm sold unwiped hard drives containing unencrypted customer personal identifying information (“PII”) and consumer report information to a third party.

The SEC found that the Firm’s policies and procedures did not adequately ensure that a qualified vendor was responsible for destroying data on the decommissioned devices and were not “reasonably designed” to discover changes in sub-vendors.

Overview of the Enforcement Action

The Firm contracted with a vendor specializing in moving and storage to decommission two of the Firm’s data centers. The contract provided that the vendor would work with an e-waste management company to destroy data on the decommissioned devices. Significantly, the vendor had no experience in data destruction services.

During the decommissioning project, the vendor ceased working with the e-waste management company. Without notifying the Firm, the vendor sold the Firm’s unwiped devices to a sub-vendor that then sold the devices yet again to downstream purchasers. Later, a downstream purchaser notified the Firm that the hard drives enabled him to access the Firm’s data, and the Firm eventually repurchased the hard drives for an unknown cost.

The SEC concluded that the Firm’s written policies and procedures relating to vendors and sub-vendors were not “reasonably designed” to safeguard customer information against unauthorized access, as required under the Safeguards Rule, Rule 30(a) of Regulation S-P. 17 C.F.R. § 248.30(a).

Specifically, the Firm’s policies and procedures did not ensure the use of a “qualified” vendor for data decommissioning. This resulted in the Firm contracting with a vendor that had no experience in data destruction services. The Firm’s policies and procedures also failed to ensure discovery of a change in sub-vendor or the use of an unapproved sub-vendor. For instance, the SEC noted that, had the Firm reviewed the Certificates of Indemnification provided by the sub-vendor that took possession of the unwiped devices, the vendor’s use of the unapproved sub-vendor would have been revealed. Moreover, the Firm continued to work with the vendor after becoming aware of issues with its maintenance of records and did not conduct a broader investigation into those issues. This delayed the Firm’s discovery of the problems with the decommissioning project.

Additionally, the SEC found that the Firm failed to take “reasonable measures” to protect the customer PII and consumer report information on the decommissioned devices, as required under the Disposal Rule, Rule 30(b) of Regulation S-P. 17 C.F.R. § 248.30(b). Contrary to its own policies and procedures, the Firm did not monitor the database used to document the wiping of the devices and did not obtain Certificates of Destruction for devices that were resold.

What This Means for You

This case is somewhat unusual because Regulation S-P applies to all broker-dealers, investment advisers, and investment companies operating within United States securities markets, and is not otherwise applicable to public and private companies. Nevertheless, at a broader level, this case serves as an example of best practices to protect PII and avoid embarrassing incidents. Companies focused on cybersecurity and data protection should ensure that their policies and procedures relating to the engagement of vendors and sub-vendors adequately protect customer PII and consumer information against unauthorized access, especially when resale of decommissioned devices is involved.

A company’s policies and procedures should provide for continuous monitoring and review of vendor and sub-vendor performance to ensure that devices likely to contain customer PII and consumer information are properly handled.

V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.