I've Been Mugged Blog

Many companies and financial services Web sites advertise "bank-level" security. This news story is a sober reminder that data security is only as good as the employees who handle your sensitive personal information. Investment News reported:

"LPL Financial yet again has fallen prey to a technology blunder that placed private client information at risk. An unencrypted portable hard drive was stolen from the car of an LPL representative Feb. 24... The adviser, Christian D'Urso of StoneRidge Wealth Management in Beaverton, Ore., had one client in New Hampshire... As a result of the theft, private client information, including names, addresses, dates of birth and Social Security numbers “may have been breached,” Marc Loewenthal, LPL's senior vice president and chief security and privacy officer, wrote... This isn't the first time... In 2007, the firm reported that computer hackers had compromised the login passwords of 14 financial advisers and four assistants."

Reportedly, LPL has about 12,000 representatives and advisers, making it the nation's largest independent-contractor broker-dealer. What our government is (or is not) doing about data security at financial services companies:

"Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC's Regulation S-P would add this. That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending."

In my opinion, FINRA and the SEC both should require advisors and firms to notify breach victims of data breaches. According to a company representative, the consequences to LPL advisers who lose client data start with a formal reprimand, increase to fines, and then to termination. A formal reprimand? That sounds too weak to me.

I want to know what the consequences are for senior company executives when their company experiences multiple data breaches; especially companies that handle other people's money.