Broker-dealers And Registered Investment Advisers Need To Ensure That They Are Complying With Regulation S-P
On September 20, 2022, the SEC settled charges against a dually registered broker-dealer and investment adviser (the “Firm”) for violations of Regulation S-P (“Reg S-P”).1 The Firm was fined a total of $35 million. The SEC found that the Firm violated Reg S-P’s requirements for registrants to adopt written policies and procedures to safeguard customer records and information (the “Safeguards Rule”) and to take reasonable measures to protect against unauthorized access to or use of consumer report information and records in connection with the disposal of this material (the “Disposal Rule”). This matter is the first SEC enforcement action under Reg S-P’s Disposal Rule. Consequently, broker-dealers (“BDs”) and registered investment advisers (“RIAs”) should be prepared for examinations, investigations, and settlements focused on the inadequate disposal of customer personal identifying information (“PII”) and consumer report information.
This matter arose out of the Firm’s failure to protect its customer records and information, including PII, and to properly dispose of consumer report information, in connection with the decommissioning of two data centers in 2016. The Firm contracted with a moving and storage company (“Moving Company”) to remove thousands of electronic devices from the data centers and to “remove, destroy, or delete” any data contained on such devices. Moving Company had no experience with, or expertise in, providing such data destruction services. According to the contract with the Firm, Moving Company would work with an e-waste management company (“IT Corp A”) to wipe or destroy any data present on the decommissioned devices. However, at some point during the engagement, Moving Company stopped working with IT Corp A and instead began selling unwiped devices removed from the Firm’s data centers to another third party (“IT Corp B”). As a result of the Firm’s failure to oversee its vendor, Moving Company sold approximately 4,900 information technology assets, including unwiped hard drives, some of which, cumulatively, contained thousands of pieces of PII belonging to the Firm’s customers.
In addition, the Firm failed to properly safeguard customer PII and properly dispose of consumer report information on servers decommissioned from various local Firm offices or branches. In 2019, the Firm decommissioned approximately 500 of these local devices as part of a broader hardware refresh program. When the Firm undertook a cross-check and reconciliation of all of its records to confirm the destruction of these and previously decommissioned local storage devices, the Firm was unable to locate 42 of the devices. The 42 missing devices all potentially contained unencrypted customer PII and consumer report information. The local devices were equipped with encryption capability, but the Firm failed to activate the encryption software until 2018. Once activated, however, due to a manufacturer flaw, the encryption software only encrypted newly created data. As a result of this flaw and the Firm’s failure to activate the encryption software until 2018, some data stored on the devices prior to 2018 remained unencrypted.
The Safeguards Rule and Disposal Rule
The Safeguards Rule, Rule 30(a) of Regulation S-P, requires registered broker-dealers and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” The Safeguards Rule requires that such written policies and procedures be reasonably designed to:
- Insure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The Disposal Rule, Rule 30(b) of Regulation S-P, requires that covered entities that maintain or possess consumer report information for a business purpose take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.
The Firm Failed to Adopt Written Policies and Procedures for Decommissioning.
The SEC found that the Firm failed to adopt written policies and procedures that identified the high level of risk associated with device decommissioning and relating to the resale of old or decommissioned devices.
The Firm Failed to Adopt Reasonably Designed Policies and Procedures for Vendors.
The SEC found that the Firm’s written policies and procedures were not reasonably designed because they failed to ensure the use of a qualified vendor for the decommissioning projects. The Firm retained the Moving Company even though it was aware, as documented in its internal risk assessment, that the Moving Company was not capable of carrying out the required work. The Firm’s policies and procedures also did not ensure that it reviewed and approved sub-vendors or that it would subsequently be made aware of a change in sub-vendors. Additionally, the SEC found that the Firm’s policies and procedures failed to provide sufficient monitoring of the Moving Company’s performance, even though the Firm was aware of problems involving the Moving Company’s record maintenance.
The Firm Failed to Take Reasonable Measures to Protect Customer PII or Consumer Report Information in Connection with Decommissioning Data-Bearing Devices.
The SEC found that the Firm did not follow its own requirements for documenting the destruction of data (including consumer PII or consumer report information) and failed to implement and monitor compliance with its own policies and procedures for the destruction of backup tapes (even though these policies and procedures recognized the “significant risk” associated with them). Here, the SEC noted that the Firm failed to comply with its policies and procedures in connection with the destruction of 40,000 backup tapes handled by the Moving Company.
BDs and RIAs subject to the Safeguards and Disposal Rules should consider addressing the risk stemming from the improper safeguarding and disposal of data that may contain consumer PII or consumer report information. Establishing specific policies and procedures for such data can help prevent mishandling of that data. According to Gurbir S. Grewal, Director of the SEC’s Enforcement Division, “The Firm’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and the Firm fell woefully short in doing so.” He additionally stated that “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.” Accordingly, BDs and RIAs need to ensure that they are properly disposing of devices containing their customers’ PII. Moreover, they need to properly monitor any vendors in charge of the disposal. This oversight could include periodic review and verification of documentation provided by a vendor related to the handling and disposal of consumer PII or consumer report information. In short, BDs and RIAs must ensure that they are properly safeguarding customer PII and properly disposing of consumer report information.
Who should you talk to if you have further questions?
If you would like further information concerning the matters discussed in this Legal Insights, please contact the following: