Aug 122015

Securities Firm Avoids FTC Action for Data Security Practices Due to Adoption of Insider Threat Program

Alan Charles Raul
, , , ,

On April 10, 2015, the FTC closed its data security investigation of a securities firm after one of its employees moved the  personal information of the certain of the firm’s wealth management clients to personal devices and a personal website.  Ultimately, the personal data became available on publicly accessible websites.

This action is important for two principal reasons:

First, the FTC has asserted jurisdiction against a securities firm under Section 5 of the FTC Act (prohibiting unfair and deceptive acts and practices), notwithstanding the responsibility of the SEC and FINRA to oversee the confidentiality and security of customer data under Gramm-Leach-Bliley and Regulation S-P.

Second, the FTC closed its investigation of the securities firm, at least in part, because of the firm’s adoption of a comprehensive insider threat information security program, and because it promptly fixed the problem.

The FTC’s closing letter states:

At this time, staff has determined to close this investigation. We considered several factors, including the fact that Morgan Stanley had established and implemented comprehensive policies designed to protect against insider theft of personal information. For example, the company established and implemented a policy allowing employees to access only the personal data for which they had a business need, monitored the size and frequency of data transfers by employees, prohibited employee use of USB or other devices to exfiltrate data, and blocked employee access to certain high-risk Web applications and websites. In this instance, our investigation determined that the Morgan Stanley employee was able to gain access to client data, despite such controls, because the access controls applicable to a narrow set of reports were improperly configured. However, Morgan Stanley promptly fixed the problem when it came to the company’s attention.

The FTC’s Closing Letter is available here (emphasis added).

Note that Sidley Austin LLP prepared an Insider Threat Guide for SIFMA available here.

Other SIFMA cybersecurity resources are available here.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.