The U.S. Commodity Futures Trading Commission today simultaneously filed and settled charges against Interbank FX, LLC (Interbank), ordering Interbank to pay a $200,000 civil monetary penalty for violating rules designed to protect the confidential personal information of consumers. The CFTC order also requires Interbank to establish a comprehensive security program that provides administrative, technical, and physical safeguards for the protection of consumer records and information.
According to the order, in March 2008, an Interbank customer discovered that personal information about herself, such as her name, address, phone number, date of birth, social security number, driver’s license number, and bank account numbers was accessible on the Internet through a Google search. Interbank began an immediate investigation and learned that one of its Information Technology employees had placed files containing the confidential personal consumer information of approximately 13,000 customers and prospective customers on a personal website that was accessible on the Internet for at least a year. This security breach was possible because Interbank did not have policies or procedures directed to the protection of confidential consumer information at the time its employee uploaded the information to the Internet.
Despite a lack of effective procedures, Interbank continuously issued a Privacy Notice to its customers as early as December 2004 that stated erroneously that Interbank maintained safeguards that complied with federal standards to guard customer information. Interbank’s lack of effective procedures and issuance of the erroneous Privacy Notice violated several provisions of the CFTC’s regulations concerning the privacy of consumer financial information.
The order recognizes that Interbank engaged in substantial remedial efforts after discovering the security breach and fully cooperated with the CFTC’s investigation of the matter. The sanctions imposed on Interbank take into account those remedial efforts and cooperation, without which the CFTC would likely have imposed a more severe sanction.
Specifically, in addition to the $200,000 monetary penalty, the order requires Interbank to establish, implement, and maintain a documented comprehensive security program that addresses administrative, technical, and physical safeguards for the protection of consumer information. It further requires Interbank to obtain an assessment of that program from a certified security professional within 180 days of the entry of the order and annually for the next five years.
“This order recognizes that the CFTC takes very seriously the obligations of our registrants to protect the confidential personal information of their customers from public exposure. The undertakings imposed in this order are a model for the industry on how to maintain a comprehensive security program that safeguards private consumer information,” commented CFTC Acting Director of Enforcement Stephen Obie.
The CFTC thanks the National Futures Association for its cooperation in this matter.
The following Division of Enforcement staff was responsible for this matter: Elizabeth M. Streit, Joy McCormack, Rosemary Hollinger, and Richard Wagner.
Source: CFTC Press Release
Prior coverage: Interbank FX security breach leaves some customers files unsecured — for 9 months