On September 20th, 2022, the Securities and Exchange Commission (“Commission”) entered a settled order (“Order”) against the wealth management arm of a global financial services firm (“Firm”) for its failure to protect customer records and information in violation of the Safeguards and Disposal Rules of Regulation S-P. The Order found that the Firm improperly disposed of hard drives and servers containing customer personal identifying information (“PII”) and consumer report information, and failed to adopt and implement written policies and procedures to safeguard the same.
From 2015 to 2020, the Firm used a third-party moving and storage company with no experience in data destruction services to decommission IT devices, including hard drives and servers containing customer information. During this period, there were multiple occasions in which the moving company improperly disposed of devices containing PII and/or consumer report information, or incorrectly kept records relating to the destruction of this data. In some cases, the records were missing altogether.
In the Commission’s view, these occurrences were the result of the Firm’s failure to monitor the moving company’s work, to adopt adequate written policies and procedures for the safeguarding and disposal of customer PII and consumer report information, and to implement the policies that it did have in place. The Commission found, among other things, that the Firm continued to engage the moving company despite awareness of the risk associated with doing so, and that its policies and procedures failed to ensure that qualified candidates would be responsible for data destruction. The Commission found that these failures violated both Rules 30(a) and 30(b) of Regulation S-P, the Safeguards and Disposal Rules respectively. As a result of these violations, the Firm was censured and fined $35 million.
S&K Observations
The Order is the largest Regulation S-P enforcement action, in terms of penalty, brought by the Commission to date. In 2021, eight firms were fined a total of $750,000 for Regulation S-P violations in what was widely considered a sharpening of the Commission’s focus on cybersecurity and consumer data protection.
The Safeguards Rule requires covered entities, including registered broker-dealers and investment advisers, to adopt written policies and procedures that address administrative, technical, and physical safeguards reasonably designed to protect customer records and information. The Disposal Rule requires that covered entities take reasonable measures to protect against unauthorized access to, or use of, consumer report information in connection with its disposal. What is considered “reasonable” generally depends on the size of the firm, the costs and efficacy of available disposal methods, and the sensitivity of the data.
We recommend all covered entities take this opportunity to review their policies and procedures regarding the protection and disposal of customer data in their care. If you have any questions concerning the matters covered in this alert, please contact your primary attorney at Seward & Kissel, or any of the partners or counsel listed below.