On September 20, 2022, the Securities and Exchange Commission (SEC) settled an enforcement action with a large, registered investment adviser (the Firm) for alleged violations of the Safeguards Rule and the Disposal Rule of Regulation S-P that arose in the context of a data disposal process, imposing a $35 million penalty. Specifically, the SEC order alleged a failure to (1) adopt written policies and procedures reasonably designed for the protection of customer information, and (2) take reasonable measures to protect the personally identifiable information (PII) of 15 million customers during the disposal of data and other data decommissioning projects.
Storage costs have generally been falling, which gives companies an incentive to retain data rather than dispose of it, while ransomware attacks create a countervailing pressure to shrink the attack surface by holding less data. Against that backdrop, this is the first time the SEC has settled an administrative order for violations of Reg S-P stemming solely from the disposal of data and the decommissioning of hardware.
The SEC's order found that the Firm failed to protect the PII of approximately 15 million customers in connection with data disposal efforts in 2016 and 2019. The retired devices included servers, hard drives, backup tapes, and other storage media used to hold customer records. In 2016, the Firm contracted with a moving company to retire, wipe or degauss, and then resell the retired devices. The moving company later sold the decommissioned storage devices to third parties, who then informed the Firm that the devices still contained client data. In 2019, while decommissioning several local branch servers, the Firm additionally discovered that 42 servers were missing and that the encryption software on those servers had not been properly activated, so the customer data stored on them was not protected by encryption.
Accordingly, SEC registrants may wish to consider the following lessons from this action.
- Vendor Risk Management:
  - Review data security policies and procedures regarding secure disposal to confirm that any agreements with third-party service providers conform to stated policies and procedures; and
  - Periodically review vendor activities to confirm compliance with stated agreements and vendor security policies and procedures, including any sub-contracting provisions and related policies and procedures.
- Compliance Program:
  - Develop, implement, and maintain reasonable policies and procedures to protect PII from the moment of collection through deletion; and
  - Periodically conduct IT risk assessments to confirm that encryption and other security measures are appropriate to identified risks and are properly implemented and actually enabled.
- Secure Data Disposal/Hardware Decommissioning:
  - Regularly evaluate electronic records against stated retention schedules and retain only the PII necessary to perform business functions and comply with applicable law;
  - Consider encrypting all devices to be retired, and verifying that the encryption is actually active, before transfer to any service provider for destruction;
  - Require a certificate of destruction from vendors, identifying each device destroyed, as confirmation of secure disposal; and
  - Exercise appropriate and regular oversight over all vendor-led decommissioning projects.