On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.
The Order with R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) alleged that R.T. Jones violated Regulation S-P, the SEC’s version of the Gramm-Leach-Bliley Act’s Safeguards Rule, by storing sensitive personally identifiable information (“PII”) on its third party-hosted web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.” Their server was attacked in 2013, which resulted in the exposure of PII of more than 100,000 individuals. Pursuant to the Order, R.T. Jones agreed to pay a $75,000 penalty, appoint an information security manager to oversee data security, and adopt and implement a written information security policy. The firm also agreed to (1) no longer store PII on its webserver, (2) encrypt any PII stored on its internal network, (3) install a new firewall and logging system to prevent and detect future attacks, and (4) retain a cybersecurity firm to provide ongoing reports and advice on the firm’s information security.
In announcing the Order, Marshall S. Sprung, Co-Chief of the SEC Division of Enforcement’s Asset Management Unit, noted that companies “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The Alert, which was published by the SEC’s Office of Investor Education and Advocacy, contains practical advice for investors on what steps to take if their investment accounts have been the subject of a data breach. These steps include:
- contacting the investment firm and other financial institutions immediately;
- changing online account passwords;
- consider closing compromised accounts;
- activating two-step verification, if available;
- monitoring investment accounts for suspicious activity;
- placing a fraud alert on their credit file;
- monitoring credit reports;
- consider creating an Identity Theft Report; and
- documenting all communications related to the incident in writing.