The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

Skip to Content

Investment Adviser Settles SEC Charges After Data Breach

Lock Computer Chip

Last week, the Securities and Exchange Commission (SEC) settled charges against a registered investment adviser for failing to comply with Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (“Safeguards Rule”). The Safeguards Rule requires that every registered investment adviser must adopt written policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

According to the SEC order, St. Louis, Missouri adviser R.T. Jones Capital Management, Inc. had agreements with a retirement plan administrator and various retirement plan sponsors to provide a managed account service offering model portfolios to retirement plan participants. Individuals seeking to enroll in the program were instructed to fill out a questionnaire on the adviser’s public website regarding their investment objectives and risk tolerance.

To verify eligibility to enroll in the program, the adviser required prospective clients to log onto its website by entering their name, date of birth and social security number (PII). The login information was then compared against the PII of eligible plan participants, which was provided to the adviser by plan sponsors. The adviser stored this PII, without modification or encryption, on its third party-hosted web server. To facilitate the verification process, the plan sponsors provided the adviser with information about all of their plan participants even for those who did not select the managed account option. Thus, even though the adviser had fewer than 8,000 plan participant clients, its web server contained the PII of over 100,000 individuals.

In July 2013, the adviser discovered a potential breach of the third party-hosted web server and promptly retained multiple cybersecurity firms that traced the attack to mainland China. The breach potentially allowed the intruder free reign over the access and copy rights of the PII data. The adviser notified all affected individuals and offered free identity monitoring. To date, the breach has not caused any financial losses to the affected individuals.

Despite the adviser’s quick response and actions to mitigate the breach impact, the SEC concluded that the adviser’s failure to adopt written policies and procedures reasonably designed to safeguard customer records and information resulted in the breach and a violation of the Safeguards Rule.  The adviser entered into a cease and desist order and paid a $75,000 penalty.

This matter is instructive on several points:

  • Just because no one is financially harmed does not mean that you cannot be sanctioned.
  • You must adopt and implement a written information security policy (WISP).
  • You should have personnel responsible for overseeing data security and protection of PII.
  • PII should be encrypted.
  • Systems should be put in place to prevent and detect breaches.
  • Ongoing systems monitoring and regular reporting to management on the effectiveness of security systems should be instituted.
  • Know what your outside vendors and suppliers are doing to protect PII and other proprietary business information they have access to.
  • Collect the minimum amount of PII needed for your business purposes.

This is not an exhaustive list of all the steps registered investment advisers should be taking but does serve as a reminder that the SEC is serious about making sure investment advisers are taking action to mitigate cyber risks.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.