Securities Firm Avoids FTC Action for Data Security Practices Due to Adoption of Insider Threat Program

On April 10, 2015, the FTC closed its data security investigation of a securities firm after one of its employees moved the personal information of certain of the firm’s wealth management clients to personal devices and a personal website. Ultimately, the personal data became available on publicly accessible websites.

This action is important for two principal reasons:

First, the FTC has asserted jurisdiction over a securities firm under Section 5 of the FTC Act (prohibiting unfair and deceptive acts and practices), notwithstanding the responsibility of the SEC and FINRA to oversee the confidentiality and security of customer data under Gramm-Leach-Bliley and Regulation S-P.

Second, the FTC closed its investigation of the securities firm at least in part because of the firm’s adoption of a comprehensive insider threat information security program, and because the firm promptly fixed the problem.

The FTC’s closing letter states:

At this time, staff has determined to close this investigation. We considered several factors, including the fact that Morgan Stanley had established and implemented comprehensive policies designed to protect against insider theft of personal information. For example, the company established and implemented a policy allowing employees to access only the personal data for which they had a business need, monitored the size and frequency of data transfers by employees, prohibited employee use of USB or other devices to exfiltrate data, and blocked employee access to certain high-risk Web applications and websites. In this instance, our investigation determined that the Morgan Stanley employee was able to gain access to client data, despite such controls, because the access controls applicable to a narrow set of reports were improperly configured. However, Morgan Stanley promptly fixed the problem when it came to the company’s attention.
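The root cause the letter identifies, a narrow set of reports whose access controls were misconfigured, is the kind of entitlement drift that a periodic audit of report permissions against documented business need can surface before data leaves the firm. The Python script below is an added example, not code from the firm, the FTC or this post; the report names, roles, business-need mapping and "broad group" list are all constructed, and the audit approach is a hypothetical one.

```python
# Audit report access controls against documented business need.
# Added example; all report names, roles and policy entries are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ReportACL:
    report: str
    granted_roles: frozenset
    contains_pii: bool

# Hypothetical business-need policy: roles permitted to open each report.
BUSINESS_NEED = {
    "client_holdings_summary": frozenset({"wealth_advisor", "branch_manager"}),
    "client_contact_export": frozenset({"compliance_officer"}),
    "market_commentary": frozenset({"wealth_advisor", "branch_manager", "analyst"}),
}

# Broad groups that should never appear on a report carrying client data.
BROAD_GROUPS = {"all_employees", "everyone"}

def audit_acls(acls, policy=BUSINESS_NEED):
    """Return (report, issue, detail, severity) for each misconfigured ACL.

    issue is 'no_policy' when a report has no documented business need,
    or 'over_grant' when roles beyond the policy are permitted. Reports
    holding PII, or granted to a broad group, are rated 'high'."""
    findings = []
    for acl in acls:
        allowed = policy.get(acl.report)
        if allowed is None:
            sev = "high" if acl.contains_pii else "medium"
            findings.append((acl.report, "no_policy", sorted(acl.granted_roles), sev))
            continue
        extra = acl.granted_roles - allowed
        if not extra:
            continue
        broad = bool(extra & BROAD_GROUPS)
        sev = "high" if (acl.contains_pii or broad) else "low"
        findings.append((acl.report, "over_grant", sorted(extra), sev))
    return findings

# Constructed inventory: one correctly scoped report, one over-granted
# PII report (the pattern the closing letter describes), one undocumented.
SAMPLE_ACLS = [
    ReportACL("client_holdings_summary", frozenset({"wealth_advisor", "branch_manager"}), True),
    ReportACL("client_contact_export", frozenset({"compliance_officer", "all_employees"}), True),
    ReportACL("quarterly_pipeline", frozenset({"analyst"}), False),
]

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE_ACLS):
        print(finding)
```

Run against a real export of report permissions, the same check doubles as evidence for the "business need" control the letter credits, since every grant is either matched to a documented need or listed as a finding.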

The FTC’s Closing Letter is available here (emphasis added).

Note that Sidley Austin LLP prepared an Insider Threat Guide for SIFMA available here.

Other SIFMA cybersecurity resources are available here.