On September 26, 2018, there were two significant data privacy developments. First, the Securities and Exchange Commission announced that it has settled a claim with an investment adviser related to claims related to Voya Financial Advisors (“Advisor”) cyber security policies and procedures to protect personally identifiable information (“PII”). Second, the Senate Committee on Commerce, Science, and Transportation (the “Commerce Committee”) held a hearing “Examining Safeguards for Consumer Data Privacy”. Both the SEC Settlement and Commerce Committee hearing are discussed below.
The settlement decree described that the cyber criminals impersonated the registered representatives of the Advisor by calling the Advisor’s support line and requesting that they reset the registered representatives’ passwords. Ultimately, through the resetting of passwords, the intruders were able to gain access to the PII of over 5,000 of the Advisor’s customers.
This marks the first SEC settlement related to its Safeguards Rule and Identity Theft Red Flags Rule. The Safeguards Rule was enacted with Gramm-Leach Bliley Act and requires that investment advisers and broker dealers adopt written policies and procedures that address the protection of customer records and information. The Identity Theft Red Flags Rule requires that financial institutions develop and implement an identity theft program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of an account.
The settlement agreement described that the Advisor did not comply with the Safeguards Rule because its policies and procedures were not reasonably designed to protect customer information. Similarly, the settlement agreement described that the Advisor violated the Identity Theft Red Flags Rule because it had not updated its program since 2009 and failed to provide adequate training to its employees.
This settlement serves as another reminder to those in the retirement space that the world is evolving and the risks associated with operating within the retirement space is changing as well. Moreover, regulators in this space are becoming much more sophisticated and interested with these issues as privacy and data breaches continue to make headlines. At a minimum, those in the retirement space should review and update their data security policies and procedures as necessary and schedule regular updates to such policies to ensure that they stay current. Those handling PII should also provide regular training to employees to ensure that the data security policies and procedures are properly implemented.
The Commerce Committee heard from a panel of executives from communications firms and tech companies and suggested that federal legislation may be forthcoming. Chairman John Thune stated that “there is a strong desire by both Republicans and Democrats, and by both industry and public interest groups, to work in good faith to reach a consensus on a national consumer data privacy law.” The Commerce Committee indicated that there will likely be a second hearing next month with testimony from privacy advocates, such as Andrea Jelenik, the head of GDPR enforcement.
This Congressional interest builds on a wave of state and international initiatives to protect consumer data. In the past year, a number of states, ranging from California, to Colorado, and even to Alabama have enacted legislation. In addition, the European Union’s General Data Privacy Regulation took effect in May.
While it is unlikely that a data privacy law is passed before the end of the current Congressional term (January 2019), it is likely that Congress remains focused on enacting a uniform federal standard.
Groom attorneys have been following these developments closely. If you have any questions about how cybersecurity and data privacy issues may affect you, please contact your regular Groom attorney.