
Cybersecurity and Data Breaches

This archive displays posts tagged as relevant to cybersecurity and data breach issues.


September 20, 2022

Morgan Stanley Smith Barney LLC (MSSB) has agreed to pay $35 million to the SEC to settle charges of failing to protect the personal identifying information (PII) of some 15 million customers. Between 2015 and 2020, MSSB failed to properly encrypt PII or properly dispose of devices and servers containing PII. As a result, decommissioned devices containing unencrypted PII were resold by a third party via an internet auction site, and 42 decommissioned servers containing unencrypted PII went missing entirely. SEC

July 27, 2022

Three registered broker-dealers have been ordered to pay civil penalties based on SEC findings that each had deficiencies in its programs to prevent customer identity theft, in violation of the SEC’s Identity Theft Red Flags Rule, or Regulation S-ID.  J.P. Morgan Securities LLC will pay $1.2 million, UBS Financial Services Inc. will pay $925,000, and TradeStation Securities, Inc. will pay $425,000.  The SEC found that the broker-dealers’ cybersecurity policies failed to detect identity theft red flags in connection with customer accounts or to incorporate those red flags into their programs, and that the firms failed to adequately train staff, failed to review and update the policies as required, did not include appropriate board oversight, and failed to oversee service provider arrangements.  SEC

July 26, 2022

Wawa, Inc. agreed to an $8 million settlement for a 2019 data breach which occurred due to Wawa’s failure to deploy reasonable information security measures. Hackers accessed Wawa’s network and extracted sensitive customer information, impacting stores in 6 states and the District of Columbia. In addition to the payment, Wawa is required to implement new security practices to secure customers’ sensitive personal information, including providing resources necessary to implement their security program and providing security awareness and privacy training. FL AG, VA AG, NJ OAG

July 8, 2022

Aerojet Rocketdyne Inc., which provides propulsion and power systems for vehicles belonging to the Department of Defense and NASA, has agreed to pay $9 million to resolve a whistleblower lawsuit. According to Brian Markus, a former employee, the company misrepresented its compliance with the cybersecurity requirements of contracts with those agencies, in violation of the False Claims Act. For bringing a successful qui tam case, Markus will receive a relator's share of $2.61 million. USAO EDCA

June 23, 2022

Carnival Cruise Line has agreed to pay $1.25 million to 46 states following a data breach that revealed the personal information of approximately 180,000 employees and customers. The company revealed in March 2020 that an unauthorized actor had gained access to the data, but it first became aware of suspicious activity nearly a full year before it reported the breach. As part of the settlement, Carnival will be required to implement stronger email security practices, implement and maintain a breach response and notification plan, and submit to an independent security assessment. GA AG; NC AG; NY AG

May 25, 2022

Twitter will pay $150 million in civil penalties and implement new compliance measures to settle allegations of FTC Act violations by misrepresenting how it would deploy users’ nonpublic contact information, affecting more than 140 million Twitter users. From 2013 to 2019, Twitter collected users’ telephone numbers and email addresses under the guise of account security protocols, while concealing their secondary use of this information to help companies send targeted ads to consumers, which thereby increased Twitter’s primary source of revenue. In addition to the monetary penalty, Twitter is required to implement a new privacy and information security program and comply with numerous other reporting and record-keeping requirements. DOJ, USAO NDCA

March 8, 2022

Comprehensive Health Services LLC (CHS), a Florida-based contractor that provides medical services at government facilities in Iraq and Afghanistan, has agreed to pay $930,000 to resolve claims under the False Claims Act. According to two separate qui tam cases filed in the Eastern District of New York, CHS falsely certified to the State Department and Air Force that it had complied with contractual cybersecurity requirements when, in fact, it had failed to properly store patient medical records on a secure electronic medical record system, and had falsely represented that it used approved medical supplies when, in fact, it had relied on unapproved controlled substances from foreign sources. DOJ; USAO EDNY; USAO MDFL

Attention Whistleblowers: DOJ Announces Cyber Fraud Initiative

Posted 10/7/21
On October 6, Deputy Attorney General Lisa Monaco announced that the Department of Justice will launch a Civil Cyber-Fraud Initiative to combat new cyber threats and hold accountable those “that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor...

August 30, 2021

KMS Financial Services Inc. will pay $200,000 to resolve SEC charges that the investment advisor and broker-dealer violated Regulation S-P regarding the safeguarding of customer records and information. The SEC alleged that between September 2018 and December 2019, email accounts of KMS personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of nearly 5,000 KMS customers and clients.  The SEC found that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.  SEC

August 30, 2021

Cambridge Investment Research Inc. and related entities will pay $250,000 to resolve SEC charges that the investment advisor and broker-dealer violated Regulation S-P regarding the safeguarding of customer records and information. The SEC alleged that between January 2018 and June 2021, email accounts of Cambridge personnel were taken over by unauthorized third parties, resulting in the exposure or potential exposure of personally identifying information of approximately 5,000 Cambridge customers and clients.  The SEC found that Cambridge discovered the first email account takeover in January 2018, but failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.  SEC