The SEC's Data Dilemma: Addressing a Modern Problem by Encouraging Innovation, Responsibility, and Fairness

Publication year: 2021
Citation: 96 Nebraska L. Rev. 446



Gregg Moran


TABLE OF CONTENTS

I. Introduction
II. Modern Threats to Sensitive Data
III. The FTC's Approach to Data Security
IV. The SEC's Approach to Data Security
   A. The Safeguards Rule
      1. Development of the Safeguards Rule
      2. Safeguards Rule Enforcement Actions
         a. NEXT Financial Group
         b. LPL Financial Corp.
         c. J.P. Turner and Co. and Stephen Bauman
         d. Commonwealth Equity Services
         e. GunnAllen Financial
         f. R.T. Jones Capital Equities Management
         g. Craig Scott Capital
         h. Morgan Stanley Smith Barney
   B. Other Statutes and Regulations
      1. Statutes and Regulations the SEC Has Threatened to Use
      2. Statutes and Regulations the SEC Has Actually Used
V. Reasons to Reject the Status Quo
   A. Reasons Opponents of the FTC's Approach Would Reject the SEC's Approach
   B. Reasons Proponents of the FTC's Approach Would Reject the SEC's Approach
VI. A Three-Part Proposal for Achieving the SEC's Data-Security Goals
   A. Amendments to the Safeguards Rule
      1. Text of the Proposed Regulation
      2. Good Faith Obligation
      3. Duty to Update
      4. Recordkeeping Requirement
      5. Definitions
      6. Removal of the Current Subsection (b)
   B. Application of the Safeguards Rule Amendments to Other Statutes and Regulations
      1. Investment-Company and Investment-Adviser Compliance Rules
      2. Identity Theft Red Flags Rules
      3. Investment-Company Redemption Rules
      4. Rule 10 of Regulation S-P
      5. Broker-Dealer Recordkeeping Rules
   C. Enforcement of the New Safeguards Rule
VII. Possibilities the SEC Should Reject
   A. Establish a Checklist of Specific Data-Security Standards with Which Investment Intermediaries Must Comply
   B. Aggressively Enforce the Safeguards Rule as It Currently Exists
   C. Cease Regulating Data-Security Practices
VIII. Conclusion
Appendix: Safeguards Rule Proceedings


I. INTRODUCTION

It was the story of every investor's nightmares. In late 2014, investment bank Morgan Stanley discovered a data breach, one that potentially compromised private information from hundreds of thousands of customer accounts, during a routine sweep.(fn1) Although Morgan Stanley had taken precautions against outside attackers, its defenses had a major weak point: threats from within the company. An employee of Morgan Stanley had exploited a security weakness in Morgan Stanley's employee server and taken the data in an attempt to educate himself about market trends and investment strategies.(fn2) Though the employee did not have any desire to release the customer information, an outside attacker hacked into his home server and stole the data.(fn3)

Stories such as the Morgan Stanley breach have captured the public's attention. Hundreds of news articles appear online every week regarding data breaches and cybersecurity in general. Cybercrime has led to millions of dollars in losses for businesses and individuals around the world.(fn4) In response, state and federal government entities have gotten involved in the fight against data theft and lax security practices.(fn5)

This Comment will focus on the SEC's role in regulating key investment intermediaries: brokers,(fn6) dealers,(fn7) investment companies,(fn8) and investment advisers.(fn9) While the SEC has a number of statutes and regulations it can use to require data protection,(fn10) its most obviously applicable regulation is Rule 30 of Regulation S-P, also known as the "Safeguards Rule."(fn11) The Safeguards Rule requires investment intermediaries to develop policies and procedures "reasonably designed" to protect sensitive client data.(fn12) Using this rule, the SEC has brought a number of penalty actions against investment intermediaries over the past decade.(fn13) It has also issued a number of releases, providing additional guidance to regulated entities and informing them of liability they might face in the event of a data breach.(fn14)

For many reasons, the SEC's approach to data security for investment intermediaries has been laudable. It has recognized the need to protect sensitive client data while still granting investment intermediaries freedom to develop solutions based on their unique situations.(fn15) The SEC's enforcement approach, however, is inconsistent and, in many cases, overly harsh. Fortunately, the SEC can use its regulatory authority over investment intermediaries to create regulations that promote responsible data security while still being fair to regulated entities.(fn16)


This Comment begins by giving a background of the threats investment intermediaries face and the regulatory scheme they must navigate. Part II examines some modern threats to sensitive customer data. Part III offers a brief overview of the FTC's role in data-security regulation and a comparison of the FTC's approach to the SEC's. Part IV describes current statutes and SEC regulations that a cyberattack against an investment intermediary might implicate. Part IV also gives an overview of each one of the SEC's enforcement actions under the Safeguards Rule.

Part V rejects the SEC's current approach, focusing primarily on the unfairness of assessing penalties against investment intermediaries that are, in most cases, victims themselves. Part VI offers a three-part solution that will enable the SEC to continue its important work regarding data security while also promoting the market's ability to develop creative solutions to modern threats. Finally, Part VII examines problems that the SEC would create by adopting other proposals for handling data security.

II. MODERN THREATS TO SENSITIVE DATA

Popular legend says that bank robber Willie Sutton, when asked why he chose to rob banks, replied, "That's where the money is."(fn17) In many ways, modern investment intermediaries present the same type of target to cybercriminals as banks do to robbers. Two things are true about investment intermediaries: (1) they often have large amounts of confidential client data and (2) their clients are people who have money to invest, which makes their information valuable.(fn18)

While stories about cyberattacks and hackers capture the public's attention, the SEC's regulations in this area of the law are not explicitly about cybersecurity. Rather, they are about customer data security in general.(fn19) Thus, an investment intermediary that leaves paper files in an insecure location would be just as liable under the Safeguards Rule as one that fails to take reasonable cybersecurity precautions.(fn20) However, modern technology has brought about "a previously unimaginable explosion" in the connectivity of devices, including those devices that companies use to store sensitive customer data.(fn21) With that has come a corresponding explosion of cybercrime; to paraphrase Willie Sutton, cyberspace is "where the [data] is."(fn22)

Outside actors pose the most obvious source of data-security threats for investment intermediaries. These actors have a number of driving motivations. Some seek to steal sensitive customer data for monetary gain, especially if the information they can take is valuable and easy to use or sell (e.g., credit card information).(fn23) Others, such as terrorist organizations, might want primarily to cause widespread damage and fear by announcing their attacks on key targets to undermine the public's sense of security.(fn24) Further, bad actors can use cyberattacks to cause real-world damage, such as a terrorist organization shutting down a power grid.(fn25) Regardless of the motivation, investment intermediaries are clear targets for cyberattacks because of the valuable information they hold and their importance to the national economy.(fn26)

Another threat investment intermediaries face, and one that can be easy to overlook, is theft by employees themselves. In fact, employee theft of data led to the biggest settlement for the SEC in any Safeguards Rule proceeding: one million dollars paid by Morgan Stanley.(fn27) Some employees might steal data for the same reasons as other cybercriminals, such as the desire to sell the information for a profit. Others might steal data for less obvious purposes, such as the employee in the Morgan Stanley breach who took data in an effort to educate himself about market trends.(fn28)

Another easy-to-overlook threat is the one posed by third-party vendors and service providers. Many companies outsource their back-office processes, such as management of payment systems or other IT services, to third-party vendors.(fn29) Those vendors often have access to their clients' sensitive data. Thus, those...
