The Financial Industry Regulatory Authority (FINRA) announced on April 28, 2009 that it had fined Centaurus Financial, Inc., of Anaheim, California, $175,000 for Centaurus’s failure to protect confidential customer information. FINRA also required Centaurus to send notifications to affected customers and their brokers, provide one year of credit monitoring at no cost to the affected customers, and certify to FINRA that its procedures and systems are in compliance with privacy requirements. See FINRA News Release (April 28, 2009).
In particular, FINRA found that between April 2006 and July 2007, Centaurus failed to safeguard customer information because it maintained an improperly configured firewall and an ineffective user name and password system on its computer facsimile server. These failures resulted in unauthorized persons accessing stored images of faxes that contained confidential information, including social security numbers, account numbers, and dates of birth. Moreover, on July 15, 2007, Centaurus’s fax server was used by an unauthorized third party to host a phishing scam. Phishing is the fraudulent process of attempting to acquire confidential personal information (like usernames, passwords and account numbers) by masquerading as a trustworthy entity in an electronic communication.
To make matters worse, after Centaurus discovered the phishing scam, it sent some 1,400 customers and their brokers a misleading letter, which indicated that the unauthorized access was limited to one person and that the information on the fax server was not openly available. The letter did not tell the customers and their brokers that other unauthorized log-ins had occurred or that the unauthorized access was possible because of the inadequate security protections on the fax server.
FINRA concluded that Centaurus’s conduct violated 17 C.F.R. Part 248 (Regulation S-P) and FINRA Rules. Regulation S-P “governs the treatment of nonpublic personal information about consumers” by certain covered financial institutions. 17 C.F.R. Part 248.1. Among other things, the Regulation requires brokers, dealers, and investment companies to provide an initial privacy notice to new customers, an annual privacy notice to existing customers, and a revised privacy notice under certain circumstances. See 17 C.F.R. Parts 248.4, 248.5, and 248.8. Further, brokers, dealers, and investment companies “must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” 17 C.F.R. Part 248.30.
FINRA is the largest independent regulator for all securities firms doing business in the United States. FINRA performs a broad array of functions, from registering industry participants to examining securities firms to writing and enforcing rules to providing trade reporting and other industry utilities. It also performs market regulation under contract for The NASDAQ Stock Market, the American Stock Exchange, the International Securities Exchange and the Chicago Climate Exchange. FINRA oversees nearly 4,900 brokerage firms, about 172,000 branch offices and approximately 660,000 registered securities representatives. FINRA was created in July 2007 through the consolidation of NASD and the member regulation, enforcement and arbitration functions of the New York Stock Exchange.