This past week, two US government agencies levied stiff penalties against a couple of companies for non-compliance with US Privacy laws. The FTC imposed penalties against SettlementOne Credit Services for failing to protect the credit records of individuals while FINRA imposed a fine against Lincoln Financial Securities and their associated Advisory branch for exposing non-public customer information. The compliance failures came with significant fines and additional requirements for ensuring future compliance that will likely cost more than the initial fine itself.
SettlementOne Credit Services was charged with violating the Fair Credit Reporting Act by not providing adequate security on their web portal, which allowed hackers to gain unauthorized access to over 1800 credit reports. In addition, this charge came with a bonus of being in violation of the Gramm-Leach-Bliley Act for failure to design and implement appropriate security safeguards. The penalties incurred by SettlementOne require them to:
- maintain comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients
- obtain independent audits of their security programs, every other year for 20 years
- furnish credit reports only to those with a permissible purpose
- maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose
The FTC is also allowed to monitor SettlementOne’s compliance by reviewing information that they are now required to collect. I’m not certain what fine was levied, if any, but the processes above are likely to cost the company a significant amount of money to modify and augment existing processes.
Lincoln Financial Securities was fined $450K and Lincoln Financial Advisory was fined $150K by The Financial Industry Regulatory Authority (FINRA) for failure to adequately protect non-public customer information. In this case, the failure was process-based and could have been completely avoided. Employees at LFS and LFA had access to the systems that contained non-public customer information via a URL and a shared login. These shared logins could also be used outside of the LFS and LFA offices, so it was quite possible that an authorized employee could use a computer in a public library for example, and leave the system open for perusal by the next user of that computer. Also, since the login information was shared across many users, this complicated the problem of access revocation should an LFS or LFA employee leave the company. As it turns out, many employees left and the shared usernames and passwords were never changed. Moral of the story? Use individual accounts with proper access credentials, have a solid revocation process documented and followed, and consider restricting access to such sensitive systems through the use of VPN software that is installed on each computer that should actually have access. LFS and LFA did reach out to all customers whose records could have been compromised and offered them credit monitoring and restoration services which FINRA took into consideration before handing out fines.
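The two process failures described above (a shared login used from many locations, and credentials that kept working after employees left) are both visible in ordinary access logs. The following is an added example, not code from the post or from either firm: it runs two checks over a constructed roster and constructed portal log lines, flagging accounts used from several distinct source addresses in a short window and accounts that log in after their owner's separation date. Account names, addresses, dates and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster (assumption): account -> separation date of its owner,
# or None if the owner is still with the firm.
ROSTER = {
    "advisor01": None,
    "advisor02": datetime(2011, 1, 31),  # left the firm; account never disabled
    "portal_shared": None,               # a shared login of the kind FINRA cited
}

# Constructed portal access log lines (assumed format, not real data).
ACCESS_LOG = """\
2011-03-01T09:02:11 account=portal_shared src=10.20.0.14 location=office
2011-03-01T09:40:52 account=portal_shared src=198.51.100.7 location=library
2011-03-01T10:05:00 account=portal_shared src=203.0.113.9 location=home
2011-03-01T11:12:33 account=advisor01 src=10.20.0.22 location=office
2011-03-02T14:30:01 account=advisor02 src=203.0.113.44 location=home
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) src=(\S+) location=(\S+)$")

def parse_log(text):
    """Parse log lines into (timestamp, account, source address, location)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, src, location = m.groups()
            events.append((datetime.fromisoformat(ts), account, src, location))
    return events

def find_shared_credential_use(events, window=timedelta(hours=2), min_sources=3):
    """Flag accounts seen from >= min_sources distinct sources within `window`."""
    by_account = defaultdict(list)
    for ts, account, src, _ in events:
        by_account[account].append((ts, src))
    flagged = {}
    for account, uses in by_account.items():
        uses.sort()
        for i, (start, _) in enumerate(uses):
            srcs = {s for t, s in uses[i:] if t - start <= window}
            if len(srcs) >= min_sources:
                flagged[account] = sorted(srcs)
                break
    return flagged

def find_unrevoked_access(events, roster):
    """Flag logins by accounts whose owner had already separated from the firm."""
    return sorted({account for ts, account, _, _ in events
                   if roster.get(account) is not None and ts > roster[account]})
```

Feeding the checks real logs and an HR-sourced roster turns the two lessons in the post (one account per person, revoke on departure) into something that can be verified on a schedule rather than assumed.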
Data privacy and security cannot be taken lightly. While technology-related compliance issues such as SettlementOne’s are common, it is far more common that the issues are process-related. Making sure appropriate technical safeguards are in place and properly configured is easily confirmed by running any number of scanning tools or by contracting a firm to conduct such a scan. Having written policies and procedures in place is also important, but making sure they are followed is the real safeguard. Bottom line: Don’t neglect data privacy or you may find yourself with a new best friend from your favorite government agency making sure it’s no longer neglected.