9.29.2009 The SEC charged Commonwealth Equity Services, LLP, a registered broker-dealer and investment adviser, with violating Regulation S-P, a set of regulations designed to protect the privacy of certain client information. The SEC found that Commonwealth recommended—but did not require—that its registered representatives maintain antivirus software on their computers, which the registered representatives used to access customer account information on the firm’s intranet and trading platform. As a result, Commonwealth’s customer information was left vulnerable to unauthorized access.

The SEC also found that Commonwealth did not have procedures in place to adequately review its registered representatives’ computer security measures. In particular, Commonwealth’s internal auditors did not audit branch office computers to determine whether antivirus software was installed, nor did Commonwealth have procedures in place to follow up on potential computer security issues uncovered during branch audits or when registered representatives contacted Commonwealth’s information technology help desk for computer-related assistance.  

As a result of this conduct, the SEC found that Commonwealth willfully violated Rule 30(a) of Regulation S-P. It fined Commonwealth $100,000.

Click http://www.sec.gov/litigation/admin/2009/34-60733.pdf for the administrative action.