Bruce Kelly of Investment News has more on the recent LPL Financial breach reported previously here. Kelly reports that LPL’s chief risk officer, John McDermott, says that LPL advisers guilty of mishandling or losing client data face an escalating series of punitive measures — “starting with a formal reprimand, then fines and ultimately termination.”
McDermott disagrees with any suggestion that the firm has had more problems with data security than other firms:
“We don’t feel our instances of these are high, compared to the rest of the industry — we have a very large and widely distributed adviser force,” Mr. McDermott said.
That’s possible, of course, as we don’t get to see all breach notices from all states and LPL is reportedly the nation’s largest independent-contractor broker-dealer. That said, having PII stolen because a device is left in a car is somewhat unacceptable in this day and age, isn’t it?
Kelly also reminds us of what the federal laws do not require:
Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC’s Regulation S-P would add this.
That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending. It is unclear when it will be finalized.
Both bodies recommend — but don’t mandate — the use of encryption to protect client personal data.
In a companion piece on Investment News, Brandon Tavelli of Proskauer Rose provides an overview of the patchwork of privacy laws that apply to investment advisors.