On December 26, 2018, the Massachusetts Securities Division of the Office of the Secretary of the Commonwealth (the “Division”) issued a consent order accepting an offer of settlement from Summit Equities, Inc. (“Summit”), a broker-dealer and investment adviser that was registered with FINRA and the SEC.1 In the consent order, Summit admits that it failed to reasonably supervise its agents’ handling of customers’ personal identifiable information (“PII”) in violation of the Massachusetts Uniform Securities Act2 and Summit’s own privacy policies and procedures.
Summit’s privacy policies and procedures, among other things, prohibited independent contractors and employees from disclosing customers’ PII to third parties without the customer’s consent, with limited exceptions; required all independent contractors and employees departing the firm to return copies of all records containing customers’ PII; and required independent contractors and employees to complete various forms of training and acknowledgements regarding privacy and security. Notwithstanding these policies and procedures, four of Summit’s agents entered customer PII into a third-party customer relationship management (“CRM”) system over which Summit had no access or control.
Accordingly, Summit was unable to monitor unauthorized users who had access to the third-party CRM systems; remotely wipe or otherwise remove customers’ PII from the third-party CRM systems; or ensure customers’ PII was returned or destroyed upon its agents’ departures from Summit. As set forth in the consent order, Summit’s noncompliance with its privacy policies and procedures resulted in at least one unauthorized third party gaining access to Summit customers’ PII without the customers’ consent.
As a result of Summit’s failure to reasonably supervise its agents’ use and potential sharing of customers’ PII, the Division ordered Summit to, among other things, pay a fine of $100,000 and notify all of its Massachusetts customers potentially impacted by the foregoing events that their PII may have been shared with or accessed by unauthorized parties.
S&K Observations
The Summit case is an example of state enforcement activity related to the mishandling of PII. In light of this action, firms are reminded to carefully assess the adequacy and effectiveness of their controls and safeguards with respect to the use and potential sharing of PII. In particular, firms should evaluate their awareness of and ability to monitor CRMs and other third-party systems where customer PII may be stored.
______________________________________________________
1 The consent order follows an investigation into Summit conducted by the Registration, Inspections, Compliance and Examinations Section of the Division.
2 MASS. GEN. LAWS ch. 110A, § 204(a)(2)(J).