Alert May 26, 2009

FINRA Disciplines Broker-Dealer for Failure to Protect Customer Information and Inadequate Breach Notification

A registered broker-dealer recently executed a Letter of Acceptance, Waiver and Consent (the “AWC”) with FINRA regarding alleged violations of Regulation S-P and certain FINRA Rules with respect to its computer firewall and a computer fax server set up to facilitate submission of time sensitive client information by the Broker-Dealer’s registered representatives.  This article describes FINRA’s findings set forth in the AWC.

Factual Background

FINRA found that from April 2006 through July 2007, the Broker-Dealer failed to protect certain confidential customer records and information by using an improperly configured computer firewall and employing an ineffective username and password (username = “Administrator” and password = “password”) on its computer fax server.  These failures permitted unauthorized persons to access stored images of faxes received by the Broker‑Dealer that contained confidential customer information, such as social security numbers, account numbers and other sensitive, personal and confidential data.

FINRA found that when the Broker-Dealer became aware of the failure to protect customer information, it conducted an inadequate investigation and then proceeded to send a misleading notification letter to affected customers and their brokers.  In particular, the Broker-Dealer improperly limited its investigation to a one-month period during which it was aware that a so-called “phishing” scam had been making unauthorized use of the firm’s computer fax server.  According to FINRA’s findings, the Broker-Dealer should have expanded its investigation to the date almost a year before on which the computer fax server was put into operation since the lack of safeguards to protect customer information had existed since that time.  This more complete investigation would have revealed multiple unauthorized logins to the computer fax server long before the start of the phishing scam.  

The letter that the Broker-Dealer provided to affected customers and the firm’s registered representatives incorrectly indicated that unauthorized access to the computer fax server was limited to one “benevolent” person (a third person who had alerted the Broker-Dealer to the breach) and also omitted certain facts that made the letter misleading.  In particular, the letter failed to indicate that the unauthorized access to the computer fax server was made possible by the firm’s inadequate firewall and weak username and password, both of which the Broker‑Dealer was aware of when it provided the letter to its customers and their brokers.

Violations

FINRA found that, as a result of the actions described above, the Broker-Dealer violated Rule 30 of Regulation S-P, which provides that brokers, dealers and other financial institutions must adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.  

FINRA further found that the Broker-Dealer’s insecure firewall, weak username/password and inadequate investigation following notice of unauthorized access violated NASD Rule 3010, which states the requirements for a member firm’s supervisory systems, and NASD Rule 2110, which states the general standard of conduct for member firms.  In addition, FINRA found that, by sending a misleading notification letter to clients and its registered representatives, the Broker‑Dealer violated NASD Rules 2210 and 2211, which specify standards for communications with the public and registered representatives, and NASD Rule 2110.  

Summary of Sanctions

The Broker-Dealer consented to certain sanctions, including the following:

  • a censure
  • a $175,000 fine
  • certain undertakings, including (a) to provide corrected and accurate notification letters to affected clients and their brokers, (b) to offer to provide affected clients at no cost credit-monitoring services for a period of one year and (c) to submit certifications by the Broker-Dealer’s CEO regarding various remedial measures.

Corrective Action Statement

In connection with the AWC, the Broker-Dealer submitted a Corrective Action Statement in which it described its efforts to improve its information technology systems and related procedures, which included the following:

  • installing a state-of-the-art enterprise-class firewall
  • restricting third party connectivity to its systems
  • making substantial upgrades to the physical security of the network, including keycard access and door force open and ajar notifications
  • enhancing password restriction protocols for employees and administrators
  • performing a forensic audit and implemented recommendations to harden and securing the network
  • installing two state-of-the-art “instrusion detection devices” that identify and protect against outside threats to the network
  • revising its Written Supervisory Procedures and Work Flow Procedures