Published on Sep 21st, 2022 |

SEC Charges $35 Million Over Failures to Protect “PII”

Brief Introduction

On September 20th, the SEC charged a well known Firm with a $35 Million penalty over failures to protect Personal Identifying Information (“PII”) over a 5 year period of approximately 15 million customers.

6 Failures EXAMS Identified (Dating back to as far as 2015)

  1. Failure to properly dispose of devices containing its customers’ PII.
  2. moving and storage company with no experience or expertise in data destruction services was hired to decommission thousands of hard drives and servers which contained the PII of millions of its customers.
  3. The moving company’s work was not properly monitored.
  4. Thousands of devices, which included servers and hard drives, were sold to a third party from the moving company and were eventually resold on an internet auction site with no removal of such customer PII.
    • The majority of the devices have still not been recovered.
  5. Failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program.
  6. The local devices being decommissioned had been equipped with encryption capability, but the firm had failed to activate the encryption software for years.

Vigilant’s Final Conclusion

The SEC was left baffled by the failures in this charge and believes that this serves as a crucial warning to financial institutions to make it a top priority to safeguard sensitive information to avoid a horrendous consequence for investors.

Investor protection is a top priority of the SEC, and this charge highlights the importance for financial institutions to focus on doing just that, and much more.


If you are in need of Compliance Support, contact us.

Contact Us