“Is Your Company Complying with the SEC’s Safeguards Rule?”
Safe and Sound 06/15/16 By James I. Kaplan and Jennifer L. Rathburn
The Securities and Exchange Commission (“SEC”) last week announced that Morgan Stanley Smith Barney LLC (“MSSB”) had agreed to pay a $1 million penalty to settle charges related to its failure to protect private customer information, some of which was hacked and actually offered for illegal sale online. The action involved MSSB’s violation of the so-called “Safeguards Rule,” Rule 30(a) of the SEC’s Regulation S-P, which requires broker-dealers and registered investment advisers to adopt written policies and procedures to safeguard client information. But the case is really a cautionary tale about what companies must do to protect confidential data from their own wayward employees.
MSSB had the standard industry code of conduct and policies that protected customer personally identifiable information (“PII”). But it did not have adequate policies and procedures in place to ensure that employees could not access PII of customers they did not personally work with; nor did MSSB have adequate testing to determine that its restricted-access procedures actually worked (in fact, they didn’t); nor did MSSB adequately monitor and analyze employee access to customer PII.
The result of these failings was that one employee, Galen Marsh, who worked between 2011 and 2014 as a Customer Sales Associate before being promoted to Financial Advisor, was able to misappropriate data from 730,000 customer accounts associated with approximately 330,000 separate households. Mr. Marsh accessed the PII and transferred it all to his personal server, located outside MSSB. The PII included customers’ names, phone numbers, addresses, account numbers, balances and securities holdings. Once in Mr. Marsh’s possession, the data was hacked from his personal server by cyber criminals, and then, between December 15, 2014 and February 3, 2015, portions of the data were posted on at least three internet sites along with an offer to sell a larger quantity of stolen data in exchange for payment in speed coins, a digital currency. MSSB itself discovered the data breach through one of its routine internet sweeps on December 27, 2014. MSSB identified Marsh as the likely source of the breach two days later.
The lessons of the case are pretty clear:
- It is not enough to have safeguards restricting employee access to customer PII that you believe are adequate. The safeguards themselves must be periodically stress-tested and audited to see if the firewalls are really holding, or are simply providing a false sense of security.
- The continual monitoring of employee access to customer PII is critical as well. Supervisors and compliance staff must at all times have a good sense of what every employee is, in fact, doing on their computer. Unannounced spot checks and prohibitions on unsupervised after-hours access are important, but there is no replacement for close and continual contact with employees by supervisors and/or compliance staff.
- Software and IT configuration that prevents transfer of customer data outside the company’s system without supervisory approval must be implemented and then tested to make sure of its security.
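One way to implement the access monitoring the second lesson calls for, shown here as an added example that is not code from the page or from MSSB: a small Python review that runs constructed PII-access audit-log lines against a hypothetical book-of-business table and flags employees who touch accounts outside their assignments, do so after hours, or export records in bulk. The log format, the employee names and the thresholds are all assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed (hypothetical) book of business: accounts each employee is assigned to.
ASSIGNMENTS = {
    "associate_a": {"ACC-1001", "ACC-1002", "ACC-1003"},
    "associate_b": {"ACC-2001", "ACC-2002"},
}

# Constructed (hypothetical) PII-access audit log: timestamp,employee,account,action
RAW_LOG = """\
2014-12-20T10:05:00,associate_a,ACC-1001,view
2014-12-20T11:10:00,associate_a,ACC-1002,view
2014-12-20T09:30:00,associate_b,ACC-2001,view
2014-12-20T22:01:00,associate_b,ACC-1001,export
2014-12-20T22:02:00,associate_b,ACC-1002,export
2014-12-20T22:03:00,associate_b,ACC-1003,export
2014-12-20T23:10:00,associate_b,ACC-3004,export
"""


def review_access(raw_log, assignments, max_unassigned=2, business_hours=(8, 18)):
    """Summarise each employee's PII access and return (findings, flagged_employees).

    An employee is flagged when they read more than `max_unassigned` distinct
    accounts outside their book, or when they export any records at all.
    """
    findings = defaultdict(lambda: {"unassigned": set(), "after_hours": 0, "exports": 0})
    for ts, emp, acct, action in csv.reader(StringIO(raw_log)):
        hour = int(ts[11:13])  # ISO-8601 timestamp: hour field at offset 11
        f = findings[emp]
        if acct not in assignments.get(emp, set()):
            f["unassigned"].add(acct)  # access outside the employee's own customers
        if not (business_hours[0] <= hour < business_hours[1]):
            f["after_hours"] += 1  # unsupervised after-hours access
        if action == "export":
            f["exports"] += 1  # data leaving the application, worth a second look
    flagged = sorted(
        emp for emp, f in findings.items()
        if len(f["unassigned"]) > max_unassigned or f["exports"] > 0
    )
    return dict(findings), flagged


if __name__ == "__main__":
    findings, flagged = review_access(RAW_LOG, ASSIGNMENTS)
    for emp in flagged:
        print(emp, findings[emp])
```

The same review, run daily against the real audit trail and compared with the assignment table, is the kind of test the SEC faulted MSSB for not having.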
As it turned out, MSSB’s own discovery of the breach, prompt investigation and remediation, noted by the SEC, limited the company’s fine to only $1 million, relatively small considering the number of accounts breached, the size of MSSB, and the criminal nature of both the violation by its own employee and the actions of the cybercriminal hackers. In addition to the fine, MSSB was censured and was also subjected to a cease-and-desist order. The unfortunate Mr. Marsh was, of course, fired, criminally prosecuted and convicted, and received 36 months of probation and a $600,000 restitution order. He was also barred from the industry for at least five years. But the damage to any company that suffers this sort of breach is mainly reputational, and the best way to avoid this sort of public humbling is to implement the most advanced safeguards known to prevent employee misappropriation of data, and then to religiously monitor and audit those safeguards thereafter to make sure they are really working.