In this age of growing concerns about cyber-security, firms focus on protecting their computer systems from hackers who try to find a way over, under, around, or through various firewalls. What often gets lost in such intense focus are the more mundane, inadvertent, human follies and foibles that expose an organization's confidential data. A recent FINRA regulatory settlement involving a trip to the bathroom and a forgotten laptop perfectly illustrates this challenge.
Case In Point
For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Sterne, Agee & Leach, Inc., submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of Sterne, Agee & Leach, Inc., Respondent (AWC 2014041619501, May 22, 2015).
Sterne Agee has been a FINRA member firm since 1936, and currently employs about 739 registered individuals. The AWC asserts that the firm had no prior relevant disciplinary history.
An Old Warning Shot
In response to growing concerns about the integrity of confidential customer data stored on computers, in 2005 NASD (FINRA's predecessor self-regulatory organization) issued Notice to Members 05-49 reminding the industry of the need to implement and maintain effective technology policies.
NASD Reminds Members of Their Obligations Relating to the Protection of Customer Information
NASD members are required to maintain policies and procedures that address the protection of customer information and records. Among other things, these policies and procedures must be reasonably designed to protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. This Notice reminds members of their obligation to maintain policies and procedures that are intended to protect customer information and to ensure that their policies and procedures adequately reflect changes in technology or alternative work arrangements.
Corporate Infertility As In Low Laptop Count?
The AWC alleges that in March 2009, Sterne Agee had recognized the need for encryption of its laptops; however, given the firm's purported "low laptop count," the issue was deemed a "moderate risk."
SIDE BAR: Having skyrocketed to October 2007 highs, the major stock indices plummeted over 50% until hitting bottom on March 9, 2009. What followed was a devastating economic crisis known as the Great Recession. As such, I think that in 2009, the cost of implementing a laptop encryption program was more likely Sterne Agee's motivation (or at least a significant consideration) than the low laptop count and risk issues. Notwithstanding, the Great Recession was not an excuse for tepid compliance policies and I merely remind you of those days in an attempt to place things in context.
Byte-ing Down with BitLocker
By 2010, Sterne Agee opted to require laptop encryption and, accordingly, the firm purchased Microsoft's "BitLocker" encryption software. Although additional staffing was needed to implement the software program and attendant encryption, it was only in 2012 that Sterne Agee authorized the necessary funding to hire additional personnel.
That Does Not Compute
In 2012, Sterne Agee hired two additional security analysts, who attempted to implement BitLocker but found it incompatible with their firm-issued laptops. The AWC asserts that
[e]mployee turnover subsequently delayed the Firm's identification of an encryption solution. During the Third Quarter of 2013, a new encryption solution was proposed and funding was requested to outsource intrusion detection and data-loss prevention services, which included laptop encryption.
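The AWC does not say what made BitLocker "incompatible" with the firm's laptops. In that era the usual blockers were the Windows edition (BitLocker shipped only with the Ultimate and Enterprise editions of Vista and Windows 7) and the absence of a TPM (usable without one only after a Group Policy change permitting a USB startup key). Whatever the reason, the practical lesson is that buying an encryption product is not the same as having it switched on, and a firm needs a way to prove the latter for every laptop it hands out. The following PowerShell check is an added example written for this page; it is not code from the original post, from Sterne Agee, or from the FINRA AWC. It reports the Windows edition, TPM status and the BitLocker state of every fixed drive on the local machine, and assumes the built-in BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 or later; on Windows 7 the equivalent is `manage-bde -status`), run from an elevated prompt.

```powershell
# Added example (not part of the original post or the FINRA AWC):
# report whether every fixed drive on this laptop is actually protected by BitLocker.
# Assumes the built-in BitLocker and TrustedPlatformModule modules and an elevated prompt.

function Get-LaptopEncryptionReport {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # A missing or unprovisioned TPM is one of the classic reasons a BitLocker rollout stalls.
    $tpm = $null
    try { $tpm = Get-Tpm } catch { Write-Warning "TPM query failed: $($_.Exception.Message)" }

    # Only fixed drives matter for a lost laptop; removable media is a separate policy question.
    $fixedMountPoints = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }

    $volumes = Get-BitLockerVolume | Where-Object { $_.MountPoint -in $fixedMountPoints }

    $unprotected = foreach ($v in $volumes) {
        # ProtectionStatus 'On' means key protectors are active. A drive can be
        # 'FullyEncrypted' with protection 'Off' (e.g. after Suspend-BitLocker),
        # and that drive is just as exposed as an unencrypted one if the laptop is lost.
        if ($v.ProtectionStatus -ne 'On' -or $v.VolumeStatus -ne 'FullyEncrypted') {
            [pscustomobject]@{
                MountPoint           = $v.MountPoint
                VolumeStatus         = $v.VolumeStatus
                ProtectionStatus     = $v.ProtectionStatus
                EncryptionPercentage = $v.EncryptionPercentage
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSEdition    = $os.Caption
        TpmPresent   = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }
        TpmReady     = if ($tpm) { [bool]$tpm.TpmReady }   else { $false }
        Compliant    = (@($unprotected).Count -eq 0)
        Unprotected  = @($unprotected)
    }
}

$report = Get-LaptopEncryptionReport
$report | Select-Object ComputerName, OSEdition, TpmPresent, TpmReady, Compliant | Format-List
if (-not $report.Compliant) {
    $report.Unprotected | Format-Table -AutoSize
    exit 1   # non-zero exit so a login script or inventory job can flag this machine
}
```

Run on its own the script simply prints the report; pushed out through a logon script or an endpoint-management agent, the non-zero exit code and the `Compliant` field give the kind of per-laptop evidence that written supervisory procedures of the sort FINRA expected would need to back them up. The check deliberately treats a suspended BitLocker volume as non-compliant, because a thief does not care whether the data was encrypted at some point, only whether it is readable now.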
Did He Wash His Hands Afterwards?
The AWC asserts that on May 29, 2014, the personal and confidential information of 352,551 Sterne Agee customers was placed at risk when an Information Technology employee inadvertently left an unencrypted laptop in a restroom.
The lost lavatory laptop contained a file of:
Tales From The Encrypt
At the time the unencrypted laptop was lost, Sterne Agee's Information Security Policy and Standards still did not require encryption of laptop hard drives. The AWC alleges that, following the May 2014 lavatory laptop incident, Sterne Agee authorized the necessary funding to hire encryption staff.
Planned Data-hood: Taking Technological Precautions
The AWC alleged that Sterne Agee's supervisory systems were inadequate in light of FINRA NTM 05-49. Specifically, the AWC asserted that the firm's written supervisory procedures
[D]id not adequately address the technology in use, specifically, laptops, and the Firm failed to take appropriate technological precautions to protect customer and highly sensitive information. There were no WSPs to ensure that the Firm's most sensitive customer and proprietary information stored on laptops were being adequately safeguarded by appropriate technology, such as encryption.
Sterne Agee's failure to adopt WSPs reasonably designed to insure the security of customer information placed sensitive customer information at risk. The Firm did not implement sufficient supervisory systems and WSPs requiring the encryption of laptops until June and July, 2014. This placed the personal and confidential information of 352,551 at risk on May 29, 2014 when an unencrypted laptop containing that information was lost.
FINRA deemed that Sterne Agee's conduct constituted violations of Regulation S-P of the Securities Exchange Act of 1934; NASD Conduct Rule 3010; and FINRA Rule 2010.
In accordance with the terms of the AWC, FINRA imposed upon Sterne Agee a Censure and $225,000 fine. Additionally, the firm will conduct an internal review related to its compliance with Reg S-P and will implement the necessary policies.
Bill Singer's Comment
A nicely presented regulatory settlement from FINRA that should alert member firms to their encryption obligations. It's never a bad idea to hire an outside, independent tech consultant familiar with industry rules to come into your shop once a year and put a fresh set of eyeballs on your policies, procedures, and protocols -- and to make recommendations as to how best to adapt and adopt.
By way of reminder, on February 25, 2006, 10 laptops were stolen from the Boca Raton offices of the NASD, FINRA's predecessor self-regulatory organization. The theft of the regulator's laptops was first made public on July 7, 2006. Among the data contained on the laptops were social security numbers of targets of the regulator's investigation and inactive account numbers of some 1,000 customers. Although that crime did not involve allegations of inadequate encryption, the incident did involve allegations that the regulator had not implemented satisfactory anti-theft policies and protocols to protect its offices and property. Also, note the lapse between the February 25th break-in and the July 7th public announcement.
One concern about this settlement is the fact that despite having issued a 2005 Notice to Members involving the protection of customer data, NASD/FINRA likely conducted annual examinations and/or investigations of Sterne Agee in 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, and 2014. I'm wondering how the self-regulatory staff failed to notice during those ten years the absence of a compliant data encryption policy at Sterne Agee. After having laptops stolen from its office, you would think that more than most organizations, NASD/FINRA would have been highly sensitive to the need for its member firms to maintain laptop encryption protocols.
Don't misunderstand -- I wholeheartedly support this AWC because FINRA member firms of the size of Sterne Agee cannot hand out laptops without ensuring the safety of the data on the hard drives. No matter how many rules we draft and impose, someone is going to leave a laptop in a bathroom, at a restaurant, at a bar, or wherever. It's just human nature to forget; and that's why we need to implement measures to anticipate such inadvertent lapses. It's also why we depend upon regulators to do their jobs when it comes to examinations and investigations. In the end, there's more than a bit of "gotcha" regulation inherent in this AWC if you consider the number of years during which NASD/FINRA should have discovered Sterne Agee's failed compliance policies. Hopefully, FINRA will take this opportunity to conduct an in-house review of itself.