SEC Charges LPL Financial for Failing to Protect Customer Privacy
FOR IMMEDIATE RELEASE
Washington, D.C., Sept. 11, 2008 — The Securities and Exchange Commission today took an enforcement action against LPL Financial Corporation for failing to adopt policies and procedures to safeguard their customers' personal information, leaving at least 10,000 customers vulnerable to identity theft following a series of hacking incidents involving LPL's online trading platform.
LPL is a financial services firm with headquarters in Boston, Charlotte, and San Diego. Under the Safeguards Rule of Regulation S-P of the federal securities laws, broker-dealers and SEC-registered investment advisers like LPL are required to adopt policies and procedures reasonably designed to safeguard customer information. The firm agreed to pay a $275,000 penalty to settle the SEC's enforcement action without admitting or denying the findings.
"With the increase in the number of incidents involving information security breaches, regulated firms must be vigilant about satisfying their obligation to protect customer information from anticipated threats and unauthorized access," said Linda Chatman Thomsen, Director of the SEC's Division of Enforcement. "Today's action demonstrates the Commission's commitment to holding those firms responsible for their deficient controls, policies, and procedures, particularly when personal customer information is at issue."
Rosalind Tyson, Regional Director of the SEC's Los Angeles Regional Office, added, "Regulated entities should make it a priority to protect their customers' private information. LPL disregarded this crucial responsibility even in the face of known security deficiencies, and information of at least 10,000 customers may have been exposed as a result."
The SEC's administrative order against LPL finds that the firm conducted an internal audit in mid-2006 that identified inadequate security controls to safeguard customer information at its branch offices. LPL's audit specifically identified the risk from hacking. The SEC's order finds that LPL failed to take timely corrective action because, by the time that hacking incidents began in July 2007, the firm had not implemented increased security measures in response to the identified weaknesses.
According to the SEC's order, LPL experienced multiple hacking incidents between July 2007 and early 2008, and unauthorized persons gained access to the online trading platform LPL provided for its registered representatives. Once logged onto LPL's trading platform, the perpetrators placed or attempted to place 209 unauthorized securities trades worth more than $700,000 combined in 68 customer accounts.
LPL is registered with the Commission as a broker-dealer, investment adviser, and transfer agent. LPL provides brokerage, custody and clearing services for more than one million customer accounts. It has about 8,100 independent contractor registered representatives operating from approximately 3,600 branch offices nationally.
The SEC ordered LPL to cease and desist from committing future violations of the Safeguards Rule, censured it for its conduct, and ordered it to pay the $275,000 penalty. LPL further agreed to undertake certain remedial actions including retaining an independent consultant to review LPL's policies and procedures required by the Safeguards Rule, and to devise and implement a policy and set of procedures for training its employees and all registered representatives regarding safeguarding customer records and information. LPL consented to the entry of the SEC's order without admitting or denying the SEC's findings.
To help prevent security breaches at the institutions that the SEC regulates, the Commission earlier this year proposed new regulations to address how customer information is safeguarded and disposed as well as how firms respond to information security breaches. The SEC staff expects to recommend action on the proposals this fall. The proposals in part grew out of the SEC's role as a member of the Identity Theft Task Force that was established by an Executive Order of the President on May 10, 2006.
The SEC has information available on its Web site to help online investors protect themselves against identity theft: Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information.
# # #
For more information, contact:
Michele Wein Layne
Associate Regional Director, Enforcement
SEC's Los Angeles Regional Office
Assistant Regional Director, Enforcement
SEC's Los Angeles Regional Office