BreachExchange mailing list archives
Adviser fined $100,000 for violating Regulation S-P for failing to install antivirus software
From: "Sasha Romanosky" <sromanos () andrew cmu edu>
Date: Fri, 16 Oct 2009 17:21:48 -0400
I spend a lot of time differentiating between policies meant to prevent breaches from happening beforehand (e.g. speeding tickets, fire safety codes, PCI, etc.) versus policies that allow compensation after a breach (liability laws). There are few examples that I've seen of sanctions applied before harm (data breach) has occurred, though the FTC has done this. Here's one case of the SEC doing it:

http://www.sutherland.com/files/Publication/14250bdc-2b39-4ec7-9d3e-0c162f52a616/Presentation/PublicationAttachment/bf805e8e-2823-4c04-bb0b-0eeca893c56e/OctoberIMRR2009.pdf

The SEC charged Commonwealth Equity Services, LLP, a registered broker-dealer and investment adviser, with violating Regulation S-P, a set of regulations designed to protect the privacy of certain client information. The SEC found that Commonwealth recommended, but did not require, that its registered representatives maintain antivirus software on their computers, which the registered representatives used to access customer account information on the firm's intranet and trading platform. As a result, Commonwealth's customer information was left vulnerable to unauthorized access.

The SEC also found that Commonwealth did not have procedures in place to adequately review its registered representatives' computer security measures. In particular, Commonwealth's internal auditors did not audit branch office computers to determine whether antivirus software was installed, nor did Commonwealth have procedures in place to follow up on potential computer security issues uncovered during branch audits or when registered representatives contacted Commonwealth's information technology help desk for computer-related assistance.

As a result of this conduct, the SEC found that Commonwealth willfully violated Rule 30(a) of Regulation S-P. It fined Commonwealth $100,000.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)