OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Dataloss] Adviser fined $100, 000 for violating Regulation S-P for failing to install antivirus software

From: Sasha Romanosky (sromanosandrew.cmu.edu)
Date: Fri Oct 16 2009 - 16:21:48 CDT


I spend a lot of time differentiating between policies meant to prevent
breaches from happening beforehand (e.g. speeding tickets, fire safety
codes, PCI, etc) versus policies that allow compensation after a breach
(liability laws).

There are few examples that I've seen of sanctions applied before harm (data
breach) has occurred, though FTC has done this. Here's one case of the SEC
doing it:

http://www.sutherland.com/files/Publication/14250bdc-2b39-4ec7-9d3e-0c162f52
a616/Presentation/PublicationAttachment/bf805e8e-2823-4c04-bb0b-0eeca893c56e
/OctoberIMRR2009.pdf

The SEC charged Commonwealth Equity Services, LLP, a registered
broker-dealer and investment adviser, with violating Regulation S-P, a set
of regulations designed to protect the privacy of certain client
information. The SEC found that Commonwealth recommended-but did not
require-that its registered representatives maintain antivirus software on
their computers, which the registered representatives used to access
customer account information on the firm's intranet and trading platform. As
a result, Commonwealth's customer information was left vulnerable to
unauthorized access.

The SEC also found that Commonwealth did not have procedures in place to
adequately review its registered representatives' computer security
measures. In particular, Commonwealth's internal auditors did not audit
branch office computers to determine whether antivirus software was
installed, nor did Commonwealth have procedures in place to follow up on
potential computer security issues uncovered during branch audits or when
registered representatives contacted Commonwealth's information technology
help desk for computer-related assistance.

As a result of this conduct, the SEC found that Commonwealth willfully
violated Rule 30(a) of Regulation S-P. It fined Commonwealth $100,000.

_______________________________________________
Dataloss Mailing List (datalossdatalossdb.org)

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php