FINRA Fines Member Firms for Violation of Its Recordkeeping Provisions and Issues Cybersecurity Warning

FINRA fined twelve of its largest member firms a combined $14.4 million for violation of its Rule 4511 and SEC Rule 17a-4(f) for their failure to keep hundreds of millions of electronic documents in a WORM, or “write once, read many,” format. The WORM format is designed to ensure that important firm records, including customer records containing Personally Identifiable Information, are not altered after they are written.

The firms included Wells Fargo & Co., RBC Capital Markets, LPL Financial, RBS Securities, SunTrust Robinson Humphrey, Georgeson Securities Corp and PNC Capital Markets. FINRA also found that these firms violated its Rule 3110, Supervision, and several other SEC recordkeeping provisions: Securities Exchange Act Section 17(a) and Rules 17a-4(b) and (c) thereunder.

FINRA noted that such records must be maintained in order to ensure member firm compliance with investor protection rules, and that over the last decade the volume of such data being stored electronically has risen exponentially. In a cybersecurity warning, FINRA stated:

there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records, further emphasizing the need to maintain records in WORM format.

P&D is pleased to note that its newest partner, John R. “Jack” Hewitt, is one of the country’s foremost cybersecurity authorities, and a major part of his practice is advising broker-dealers, RIAs and banks on their adherence to SEC, FINRA, CFTC and state cybersecurity requirements. Among other things, he advises firms on information security programs, guides them through cyber-incidents and represents them in the event of a regulatory inquiry. Mr. Hewitt regularly conducts cybersecurity audits for broker-dealers and investment advisers, and was the SEC-appointed independent outside consultant in the first major SEC cybersecurity enforcement action. He is the author of Cybersecurity in the Federal Securities Markets, a BloombergBNA publication, and Securities Practice & Electronic Technology, an ALM treatise. Mr. Hewitt is the Co-Chair of the American Bar Association, Business Section, White Collar Crime Subcommittee on Cybersecurity.

Read FINRA’s official announcement

NYS DFS Cybersecurity Regulation Webinar 4/20/17: Presented by P&D’s Jack Hewitt and CohnReznick’s Jim Ambrosini

John R. Hewitt, Partner at Pastore & Dailey LLC, and Jim Ambrosini, Managing Director at CohnReznick Advisory, will be conducting a complimentary Webinar on Thursday, April 20, 2017 at 12:00 PM EDT. Mr. Hewitt is recognized as a national authority in cybersecurity, and Mr. Ambrosini is a leader in cybersecurity and technology assurance service offerings at CohnReznick.

Mr. Hewitt and Mr. Ambrosini will discuss the New York State’s Department of Financial Services (DFS) regulation, effective as of March 1, 2017, providing an overview of the regulation, a summary of what controls must be in place, how to implement controls using a risk-based approach, key DFS regulation issues, and how to develop a roadmap towards compliance.

Please join us for this Webinar on April 20, 2017 at 12:00 PM EDT by registering below:

https://event.on24.com/eventRegistration/EventLobbyServlet

The Facebook-FTC Settlement and the Future of Privacy Regulation

In the wake of a landmark Federal Trade Commission (FTC) settlement imposed on the social media giant Facebook, it is fair to speculate whether other companies will be forced to pay hefty fines and prioritize compliance with privacy standards in order to escape punishing federal regulation. The settlement, which was announced on Wednesday, July 24th, compels Facebook to pay a five billion dollar fine, the largest ever penalty leveled on a social media company in connection with privacy violations. [1] Though the fine is relatively trivial in the context of Zuckerberg and co.’s multi-billion dollar annual earnings, the settlement also forces Facebook to “submit to quarterly certifications from the FTC to acknowledge that the company is in compliance with the [settlement’s] privacy program,” a major defeat for a company whose business model revolves around the collection and analysis of user data. [2] The settlement also forces Facebook to reform its corporate structure and submit to oversight from an internal “privacy committee” tasked with ensuring the integrity of user data, among other impositions. [2]

All in all, the settlement is important not so much for its impact on Facebook as its implications for legal scrutiny of other technology companies. Although the federal government lacks the congressional mandate required to more expansively scrutinize the privacy standards of technology companies, such a mandate may well be in the offing, especially considering that political interest in privacy violations is cresting among members of both parties. Moreover, even if Congress elects not to craft a comprehensive online privacy law, future settlements imposed by the FTC could cripple rival companies lacking the social media giant’s seemingly inexhaustible resources.

Although the FTC settlement represented a major shift in the regulatory landscape, social media companies innocent of the sort of grave violations committed by Facebook can rest easy for the moment, given that the agency must target offending companies one by one in the absence of a sweeping congressional privacy mandate. In fact, the sort of stringent legal protections for user data commonplace in the European Union have not yet been approved by American lawmakers, who have so far refrained from devising a tough privacy law in the mold of the E.U.’s General Data Protection Regulation. Specifically, the European regulation requires social media companies to “inform users about their data practices and receive explicit permission before collecting any personal information,” a level of government oversight unheard-of stateside. [3] Without the sweeping powers afforded to their European counterparts, American regulators have chosen to target serious individual offenses – like the unauthorized collection of user data by third party programs that sparked the inquiry into Facebook. [2]

But it would be a mistake to assume that the legal and political landscape will become more favorable to technology companies in the foreseeable future. Conservatives and liberals alike have entered into an uneasy alliance to promote a stringent new privacy law, [4] and both Marco Rubio and Ron Wyden – lawmakers on distinct poles of the ideological spectrum – have proposed new regulations on social media giants. [5] As a consequence of broad-based political support for privacy restrictions, future settlements reached with technology companies are bound to be at least as costly as the one recently reached with Facebook – a prospect that should trouble smaller companies that lack the ability to maintain profitability in the wake of a federal crackdown. Although federal regulation may prove burdensome and costly, compliance seems to be the vastly more preferable alternative.

[1] https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions
[2] https://www.cnbc.com/2019/07/24/facebook-to-pay-5-billion-for-privacy-lapses-ftc-announces.html
[3] https://www.nytimes.com/2019/06/08/opinion/sunday/privacy-congress-facebook-google.html
[4] https://www.nytimes.com/2019/07/14/technology/big-tech-strange-bedfellows.html
[5] https://blog.malwarebytes.com/security-world/privacy-security-world/2019/03/what-congress-means-when-it-talks-about-data-privacy-legislation/