Firm's sloppy cybersecurity results in SEC action, fine

A lack of proactive defenses is landing companies in legal trouble after a breach, regardless of whether any data was actually stolen
Written by John Fontana, Contributor

The Securities and Exchange Commission is the latest federal agency turning up the heat on companies whose lax cybersecurity has contributed to breaches of user data.

The SEC's action, along with those last month at the Federal Trade Commission and in federal courts, is starting to sketch out a pattern of dwindling tolerance for negligence by companies in protecting their computer systems.

Last week, the SEC announced a settlement with St. Louis-based R.T. Jones Capital Equities Management, which lost the personally identifiable information (PII) of approximately 100,000 people.

The more interesting twist is that the firm was charged even though several cybersecurity-consulting firms hired by R.T. Jones could not determine the extent of the breach or whether PII had been accessed or compromised. And to date, none of the victims have reported any financial harm as a result of the attack.

Nevertheless, the SEC saw fit to charge R.T. Jones over its lax policies and procedures under the agency's Regulation S-P Safeguards Rule adopted in 2000. The rule requires brokers, dealers, investment companies, and registered investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."

"While this enforcement is by no means the first under Regulation S-P against an investment advisor or company for failing to have a written information security program in place, it may mark a shift in the enforcement strategy at the SEC," Jason Wool, an associate in the Cybersecurity Preparedness & Response Team at the law firm of Alston & Bird, wrote on the JD Supra Business Advisor web site.

SEC officials seemed to take a hard line in the R.T. Jones case.

"Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs," Marshall S. Sprung, co-chief of the SEC Enforcement Division's Asset Management Unit, said in a statement.

In 2014, the SEC began more closely examining cybersecurity compliance and controls, and that activity continued into 2015. But the SEC isn't the only federal agency closely scrutinizing cybersecurity.

In late August, the Federal Trade Commission (FTC), which also has a Safeguards Rule, was given the go-ahead by a U.S. appellate court to sue Wyndham Hotels over inadequately investing in computer security after it was discovered that 600,000 customer records were exposed in 2008 and 2009. The company had made claims via its privacy policy to safeguard user data.

A week earlier, the FTC showed the other side of the spectrum, shutting its investigation into a hack at Morgan Stanley and saying the firm had acted quickly after a breach was discovered and had adequate internal security policies in place at the time.

The FTC casts a wide net with its Safeguards Rule. Companies that must adhere to the FTC rule include check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. It also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions. In addition to developing their own safeguards, companies covered by the Safeguards Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

Is putting teeth in these rules a sign of the times and enough to foster pre-breach cybersecurity action?

Will the feds and other regulatory bodies judge hacked companies by their proactive defenses rather than by post-breach declarations of "a sophisticated attack" and repentant PR statements?

Will negligence become the damning scarlet letter for hacked companies?

In the R.T. Jones case, the firm was charged with violating the Safeguards Rule over a four-year period for failing to establish the required cybersecurity policies and procedures in advance of the breach, which began in July 2013. The company had failed to conduct periodic risk assessments, implement a firewall, encrypt the PII stored on its servers, and maintain a response plan for cybersecurity incidents. It also stored the sensitive data on third-party-hosted web servers.

R.T. Jones agreed to pay a $75,000 fine after getting its systems and policies in order and providing victims with identity theft monitoring.
