In a press release last week, the Financial Industry Regulatory Authority (FINRA) announced that it fined brokerage D.A. Davidson & Company $375,000 for failing to protect confidential customer information after a group of cyber criminals hacked into the firm's systems. The data breach occurred on December 25, 2007 and affected about 192,000 consumers.
"FINRA found that prior to January 2008, D.A. Davidson did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection. The unprotected information included customer account numbers, social security numbers, names, addresses, dates of birth and other confidential data. Furthermore, the firm's procedures for protecting that information were deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place."
FINRA is the largest non-governmental regulator for all securities firms doing business in the United States. Factors that led to the fine:
"... between April 2006 and October 2007, the firm had retained independent auditors and outside security consultants to review and/or audit its network security. During the course of those consultations, the firm received recommendations for enhancements to its security systems. Although the firm implemented the majority of those recommendations, it failed to implement a recommendation, made in or about April 2006, that it install an intrusion detection system. The firm had not implemented such a system at the time the hack occurred in December 2007."
The company learned about the breach only after one of the hackers sent an e-mail message on January 16, 2008, blackmailing the firm. Reportedly, the U.S. Secret Service has investigated the breach and identified four of the cyber criminals, who have been extradited from Eastern Europe, arrested, and now face charges in federal court in Montana.
Sounds to me like the fine is appropriate, but perhaps not enough. In my opinion, senior company executives will only take data security seriously when jail time is a consequence. Short of that, they will play the odds and, when caught, pay any fines.