ACLU Submits Comment Letter on FINRA CARDS Proposal (with Lofchie Comment)

The American Civil Liberties Union ("ACLU") submitted a comment letter to FINRA voicing cybersecurity and privacy concerns regarding FINRA's proposed Comprehensive Automated Risk Data System ("CARDS").

According to the ACLU, creating a centralized database of investors' financial information, as proposed in CARDS, could increase privacy risks through the threat of a serious data breach. The ACLU stated that this data breach threat far outweighs FINRA's increased ability to "reduce fraudulent and abusive behavior." Aggregating personal financial data into a centralized repository, according to the ACLU, makes FINRA's database a "honeypot" that gives cyber criminals an incentive to exploit it.

The ACLU explained that despite removing personally identifiable information ("PII"), the personal data collected by CARDS still remains vulnerable because (i) anonymized data sets can be easily "deanonymized" when cross-referenced with other data and (ii) "broad surveillance . . . implicates core privacy values of great importance." Americans, the ACLU explained, increasingly feel that they have "lost control over their personal information" and their ability to retain confidences in sensitive personal activity, including finances. This perceived loss of control "leads to diminished engagement in civic life, less vigorous political discourse, and consequent reduction in accountability for public officials."

The ACLU likened the civil liberties issues associated with CARDS' data collection to those of the mass phone surveillance program, stating that the programs are similar in that they collect "all information and then search it for bad patterns." Furthermore, the ACLU expressed concern that the CARDS proposal lacks an explanation of how the database could or would be accessed by non-government or government actors to generate leads for enforcement purposes or foreign intelligence gathering.

Lofchie Comment: Even if well intentioned and with some compliance benefit, is FINRA's proposal worth the accompanying economic costs and cyber risks? Given that virtually every U.S. financial institution has been under cyberattack at one time or another, and many seem to have suffered at least some breach, the ACLU's concerns that FINRA's data security would be likewise breached seem to be quite realistic. After all, the financial institutions would appear to have both more technology resources and experience than FINRA, yet they cannot claim a perfect record in data security. So how can FINRA be assured that it would do any better? Certainly, news of the recent events at Sony should prove (appropriately) discouraging to FINRA.

It would also seem that there are far safer ways of addressing FINRA's supervisory issues. For example, if the firms regulated by FINRA were able to better standardize the regulatory information that they maintain, that would ease FINRA's burdens when it reviews a broker-dealer's books and records, without requiring the broker-dealer to transmit customer information directly to FINRA.

See: ACLU Comment Letter.
Related news: SIFMA Expresses Serious Concerns Regarding FINRA CARDS Rule Proposal (December 1, 2014); Congressman Garrett Issues Statement Questioning Need for FINRA CARDS Proposal (October 15, 2014); FINRA Requests Comment on Rule Proposal to Implement CARDS (FINRA Reg. Notice 14-37) (with Lofchie Comment) (September 30, 2014).
