September 29, 2022

SEC Fines Adviser for Failed Oversight of Data Disposal that Led to Leak of PII

An investment adviser settled SEC charges for failing to properly oversee a third-party contractor hired to remove, wipe and destroy decommissioned hardware containing customers' personal identifying information ("PII"). The failure resulted in unauthorized access to unencrypted, protected consumer data and was a violation of the adviser's policies and procedures for vendor management.

According to the Order, the adviser hired a moving company to remove and dispose of a number of devices, and instructed it to work with a designated e-waste management company to wipe the devices before disposal. Instead, employees of the moving company sold the unwiped devices to an IT firm that the adviser had never vetted or approved. That firm did not wipe the devices either and resold them to third parties, so the consumer data still stored on them passed to unintended recipients.

The adviser learned of the misconduct only nearly a year after the hard drives were decommissioned, and only because a third party that had purchased some of the devices found the adviser's data on them and reported it. The adviser subsequently worked to repurchase the compromised devices and notified approximately 15 million customers of the incident.

In separate instances, the SEC found that the adviser (i) failed to follow its own internal policies for backup tape disposal, (ii) could not produce sufficient documentation of the number or types of devices destroyed or of the data they held, and (iii) failed to safeguard consumer data on devices that were misplaced during a hardware refresh program.

As a result, the SEC determined that the adviser violated the Safeguards Rule, Regulation S-P Rule 30(a), and the Disposal Rule, Regulation S-P Rule 30(b) (together titled "Procedures to safeguard customer records and information; disposal of consumer report information"). To settle the charges, the adviser agreed to (i) cease and desist, (ii) accept a censure and (iii) pay a civil monetary penalty of $35 million.
