October 2, 2015
Following a decision in August not to pursue penalties or other sanctions against Target for the company's massive 2013 data breach, the Securities and Exchange Commission announced new penalties last week against investment firm R.T. Jones Capital Management for its role in a much smaller 2013 breach involving investor data. The SEC's announcement came on the same day that it issued guidance to investors about how to protect their personal and financial information in the event of a financial institution data breach.

Under section 504 of the Gramm-Leach-Bliley Act, which regulates disclosure of consumer information, the SEC has the authority to impose penalties on companies that:
  • don't disclose the magnitude of data breaches;
  • fail to properly detail their policies and procedures in protecting consumer data; or
  • fail to implement adequate cybersecurity measures.

To date, however, the SEC has largely left data breach enforcement activities to the Federal Trade Commission.

Whether the SEC’s decision in the R.T. Jones case marks a shift in enforcement philosophy is unclear, particularly given the facts of the R.T. Jones case, which all but forced the SEC’s hand. According to the SEC, R.T. Jones “failed to adopt written policies and procedures designed to protect consumer records and information, such as employing a firewall or encrypting data to protect the web server it used to store sensitive client information. As a result, the personal data of nearly 100,000 people was compromised in the hack.”
