While this post should be of direct interest to broker dealers, it really applies to anyone who outsources information services.
You can delegate the task but not the responsibility.
In this case, the broker dealer used a cloud provider to store customer information. This is no different from, for example, a mortgage company using a cloud loan origination system or a doctor using a cloud-based patient care (electronic health record) system.
Apparently, between 2011 and 2015 the customer records of this broker dealer were not adequately secured and information on over 5,000 clients was compromised by a foreign hacker.
5,000 clients represents a medium-size, multi-office broker dealer. In this case, it was a broker of Lincoln Financial Network.
The key point is that while you can outsource the function, you cannot outsource the responsibility.
In fact, you may be able to hold the outsource vendor liable for damages, but in most cases you will either be fighting an uphill battle with the vendor’s insurance company or, if the company doesn’t have insurance, trying to get money out of the company itself. Whether or not you prevail after many years of legal battles, it is your reputation and your clients’ data that are at risk.
Let’s say the outsource vendor is Google or Amazon or Microsoft. Do you think they are just going to write you a check for $650,000? I don’t think that is likely. If the outsource vendor is a smaller company, it may not have the resources to reimburse you. In this case the fine was only $650,000. P.F. Chang’s was fined $1.9 million by Visa for costs associated with reissuing compromised cards. Target has spent hundreds of millions as a result of its breach a couple of years ago.
For many companies that store their customer data in the cloud – either using a cloud service that they run, such as Amazon Web Services, or a cloud service that someone else runs, such as Salesforce.com – there is real risk. Did you do everything you were responsible for doing? Did the vendor do everything they were responsible for doing? Did you actively manage that risk during the entire period of the contract?
Many industries, such as financial services, are required by regulation to maintain an effective third-party risk management program. Even if you are not required to maintain such a program, if you store non-public personal information (or company proprietary data) in the cloud, you really need to run one, because if anything happens in the cloud, the regulators, the Federal Trade Commission or plaintiff’s counsel will come knocking at your door. Or all of the above.
This is not the first time Lincoln was fined. In 2011 they paid $400k for similar problems.
So as businesses move more of their information to the cloud, they need to make sure that their third-party service providers are effectively protecting that information.
Information for this post came from Stock Broker Fraud Blog.