Cybersecurity and Data Breaches

This archive displays posts tagged as relevant to cybersecurity and data breach issues.

March 8, 2022

Comprehensive Health Services LLC (CHS), a Florida-based contractor that provides medical services at government facilities in Iraq and Afghanistan, has agreed to pay $930,000 to resolve claims under the False Claims Act. According to two separate qui tam cases filed in the Eastern District of New York, CHS falsely certified to the State Department and Air Force that it had complied with contractual cybersecurity requirements when, in fact, it had failed to properly store patient medical records on a secure electronic medical record system, and had falsely represented that it used approved medical supplies when, in fact, it had relied on unapproved controlled substances from foreign sources. DOJ; USAO EDNY; USAO MDFL

Attention Whistleblowers: DOJ Announces Cyber Fraud Initiative

Posted  10/7/21
On October 6, Deputy Attorney General Lisa Monaco announced that the Department of Justice will launch a Civil Cyber-Fraud Initiative to combat new cyber threats and hold accountable those “that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor...

August 30, 2021

KMS Financial Services Inc. will pay $200,000 to resolve SEC charges that the investment advisor and broker-dealer violated Regulation S-P regarding the safeguarding of customer records and information. The SEC alleged that between September 2018 and December 2019, email accounts of KMS personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of nearly 5,000 KMS customers and clients.  The SEC found that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.  SEC

August 30, 2021

Cambridge Investment Research Inc. and related entities will pay $250,000 to resolve SEC charges that the investment advisor and broker-dealer violated Regulation S-P regarding the safeguarding of customer records and information. The SEC alleged that between January 2018 and June 2021, email accounts of Cambridge personnel were taken over by unauthorized third parties, resulting in the exposure or potential exposure of personally identifying information of approximately 5,000 Cambridge customers and clients.  The SEC found that Cambridge discovered the first email account takeover in January 2018, but failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.  SEC

August 30, 2021

Cetera Advisor Networks LLC and related entities will pay $300,000 to resolve SEC charges that the investment advisor and broker-dealer violated Regulation S-P regarding the safeguarding of customer records and information and provision of breach notification to customers. The SEC alleged that between November 2017 and June 2020, email accounts of Cetera personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of more than 4,000 Cetera customers and clients.  The accounts were not protected with multi-factor authentication, even though Cetera’s policies required MFA.  SEC

August 16, 2021

Education publishing company Pearson plc agreed to pay $1 million to resolve an SEC investigation into its disclosures regarding a 2018 data breach that resulted in the exposure of millions of student and school administrator records, including birthdates, e-mail addresses, user names, and hashed passwords.  The SEC found that Pearson understated the nature and scope of the incident, overstated the company’s data protections, and had inadequate controls and procedures regarding the assessment and reporting of cybersecurity incidents.  Pearson, which is publicly traded in the UK, is a foreign private issuer with ADRs trading on the NYSE. SEC

Biden Administration Focuses on Cybersecurity in Government Contracting – What Can Whistleblowers Do?

Posted  06/21/21
Following a number of high-profile cybersecurity incidents, the Biden administration is taking steps to improve the nation’s cybersecurity infrastructure.  The federal government is making cybersecurity an enforcement priority, devoting additional resources to enforcement and upgrades, and strengthening technology standards.  Many of these planned improvements focus on the federal government’s own information...

Catch of the Week: SEC Cracks Down Again on Cybersecurity Disclosures

Posted  06/17/21
This week’s Catch of the Week goes to the Securities and Exchange Commission for its latest settlement involving cybersecurity risks.  The SEC charged First American Financial Corporation, an insurance company listed on the New York Stock Exchange, with failing to adequately control for cybersecurity risks.  According to the SEC’s Order, a journalist alerted First American that it had a major vulnerability in...

June 15, 2021

Real estate settlement services company First American Financial Corporation will pay a penalty of $487,616 to resolve allegations that the publicly-traded company released incomplete information about a cybersecurity vulnerability in its document sharing platform that exposed over 800 million document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. The SEC charged that First American had deficient disclosure controls that left senior management unaware of the company's earlier discovery of the vulnerability and its attempts to remediate it.  SEC

May 12, 2021

Registered broker-dealer GWFS Equities Inc. will pay a penalty of $1.5 million to settle allegations that it failed to respond appropriately when it detected external bad actors gaining, or attempting to gain, access to the retirement accounts of participants in the employer-sponsored retirement plans it serviced, including through the use of improperly obtained electronic login information, user names, email addresses, and passwords. There was no allegation that this personal identifying information was disclosed in a breach of GWFS systems. However, the bad actors used this information to request distributions from plan participant accounts. While GWFS detected and blocked many of these attempts, the SEC charged that GWFS failed to file suspicious activity reports, or filed incomplete SARs, with respect to the account takeovers. SEC