C. Cease Regulating Data-Security Practices
VIII. Conclusion
Despite this Comment’s criticisms regarding the SEC’s data-security efforts, one point is worth remembering: the SEC has done a comparatively good job handling the modern problem of consumer-data protection. Unlike the FTC, the SEC has made a conscientious effort to solicit public feedback and develop its authority through notice-and-comment rulemaking. Further, it has been mindful of the costs regulated investment intermediaries face. Rather than attempting to strong-arm them into adopting expensive and potentially unnecessary policies and procedures, the SEC has given them freedom to develop individualized solutions tailored to their own unique situations.
Work remains, but the SEC is perfectly positioned to build upon its successes while avoiding its past failures. By abandoning its current enforcement approach and adopting the rules and policies recommended in this Comment, the SEC can build the regulatory scheme for data security by which all others would be judged. These changes would not require much effort on the SEC’s part, and they would actually make its enforcement role easier. With the right mindset, the SEC can set the bar for public–private collaboration in the area of data security, developing a system that encourages innovation, responsibility, and fairness.
327. PONEMON INST., 2016 COST OF DATA BREACH STUDY: GLOBAL ANALYSIS 2 (2016), https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN [https://perma.unl.edu/M9ZV-VN43].
328. Id. at 3.
329. Gramm–Leach–Bliley Act of 1999, Pub. L. No. 106-102 § 501(b), 113 Stat. 1338 (codified at 15 U.S.C. § 6801(b) (2012)) (“[E]ach agency or authority . . . shall establish appropriate standards . . . .” (emphasis added)).
330. See, e.g., R.T. Jones Capital Equities Mgmt., Inc., Investment Advisers Act Release No. 4204, 2015 WL 5560846 (Sept. 22, 2015).
331. See PONEMON INST., supra note 327, at 2–3 (describing the costs incurred by businesses and customers in the wake of data breaches).
332. Compare Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Investment Advisers Act Release No. 4415, 2016 WL 3181325 (June 8, 2016) (the investment intermediary arguably did not deserve its fine because it had adopted Safeguards Rule policies and procedures and it was attempting to protect customer data in good faith, as evidenced by its compliance with authorities in the aftermath of the breach), with J.P. Turner & Co., LLC, 98 SEC Docket 1729, 2010 WL 2000509 (ALJ May 19, 2010) (the investment intermediary had no policies or procedures in place and thus clearly deserved a fine).
APPENDIX: SAFEGUARDS RULE PROCEEDINGS
The SEC has issued eleven orders involving violations of the Safeguards Rule. This appendix includes a table giving an overview of each of the SEC’s decisions. Because subsection IV.A.2 of the text already describes the SEC’s decisions in chronological order, the table organizes them by penalty size. The decisions (organized chronologically, most recent first) are:
1. Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Investment Advisers Act Release No. 4415, 2016 WL 3181325 (June 8, 2016);
2. Craig Scott Capital, LLC, Exchange Act Release No. 77595, 2016 WL 1444441 (Apr. 12, 2016);
3. R.T. Jones Capital Equities Mgmt., Inc., Investment Advisers Act Release No. 4204, 2015 WL 5560846 (Sept. 22, 2015);
4. David C. Levine, Exchange Act Release No. 64222, 2011 WL 1325568 (Apr. 7, 2011);
5. Frederick O. Kraus, Exchange Act Release No. 64221, 2011 WL 1325567 (Apr. 7, 2011);
6. Marc A. Ellis, Exchange Act Release No. 64220, 2011 WL 1325566 (Apr. 7, 2011);333
7. J.P. Turner & Co., LLC, 98 SEC Docket 1729, 2010 WL 2000509 (ALJ May 19, 2010);
8. Commonwealth Equity Servs., LLP, Exchange Act Release No. 60733, Investment Advisers Act Release No. 2929, 2009 WL 3100577 (Sept. 29, 2009);
9. Stephen Cheryl Bauman, Exchange Act Release No. 60326, 2009 WL 2138437 (July 17, 2009);
10. LPL Fin. Corp., Exchange Act Release No. 58515, Investment Advisers Act Release No. 2775, 2008 WL 4179915 (Sept. 11, 2008);
11. NEXT Fin. Grp., Inc., 93 SEC Docket 1369, 2008 WL 2444775 (ALJ June 18, 2008).
333. David Levine, Frederick Kraus, and Marc Ellis were all part of GunnAllen Financial, Inc. GunnAllen had discontinued operations by the time the SEC issued the orders in the three proceedings, so there is no separate GunnAllen decision.
Table 1: Administrative Orders Organized by Penalty Size (Largest First)
Columns: Defendant; Year; Fine Amount; Actual Breach? (see note 334); Safeguards Violations; Other Violations; Other Information.

Morgan Stanley (2016)
Fine Amount: $1,000,000
Actual Breach?: Yes, an employee stole data from the firm.
Safeguards Violations: Had an exploitable flaw in its online data portals, enabling employees to access all customer files (not just those for their own customers). Did not catch this error during audits, and did not carefully analyze employee access.
Other Violations: None
Other Information: Intrusions occurred over the course of one year. Potentially compromised 730,000 accounts. Morgan Stanley quickly notified law enforcement, the SEC, and affected customers.

LPL Financial (2008)
Fine Amount: $275,000
Actual Breach?: Yes, an outside attacker breached the firm’s defenses.
Safeguards Violations: LPL did have written policies regarding client data. But: 1. No minimum password requirements; 2. No automatic password expiration; 3. Users could not set their own passwords; 4. No automatic lockout for failed login attempts; 5. Many employees had access to password lists; 6. User accounts took eight hours to log out automatically.
Other Violations: None
Other Information: LPL had approximately 1,000,000 customer accounts. The attacker might have had access to 10,000 of them. The attacker placed unauthorized trades, but LPL’s systems blocked most of them, and LPL reimbursed customers for any losses. The SEC’s main concern seems to have been that LPL knew about the risk, but was moving too slowly to fix it.

NEXT Financial (2008)
Fine Amount: $125,000
Actual Breach?: No.
Safeguards Violations: The Safeguards Rule violation appears to be mainly a tack-on charge, with the SEC saying the firm did not secure its client data because it allowed employees to take it to new employers when they left.
Other Violations: 17 C.F.R. § 248.10 (sharing customer information without authorization).
Other Information: The primary violation was of Rule 10 of Regulation S-P, dealing with obtaining customer consent before sharing data.

Craig Scott Capital (2016)
Fine Amount: $100,000
Actual Breach?: No. Two of CSC’s employees also faced fines, but their fines were solely for violations of Exch. Act § 17 (maintaining certain records).
Safeguards Violations: Did have written policies, but had five weaknesses: 1. Did not have a compliance supervisor; 2. Policies did not address eFaxes; 3. Policies had blank spaces; 4. Did not encrypt data; 5. Employees regularly violated the policies.
Other Violations: Exch. Act § 17; 17 C.F.R. § 240.17a-4 (failing to maintain certain records).
Other Information: The primary violations appear to have been for failure to keep certain records (faxes it received and sent via an eFax system). The SEC also censured two employees as part of its proceedings.

Commonwealth Equity (2009)
Fine Amount: $100,000
Actual Breach?: Yes, an outside attacker breached the firm’s defenses.
Safeguards Violations: Commonwealth Equity (CES) did have policies in place, and was attempting to comply with the Safeguards Rule. However, the policies did not mandate antivirus software, and IT services did not respond quickly to an employee’s calls saying he had a computer virus.
Other Violations: None
Other Information: CES had over 165,000 accounts. The intruder only got access to 368 of them. The intruder placed unauthorized trades, which CES caught and stopped (reimbursing customers for losses caused by the ones that went through). Additionally, CES quickly reported the incident to law enforcement, the SEC, and its affected customers.

R.T. Jones (2015)
Fine Amount: $75,000
Actual Breach?: Yes, an outside attacker breached the firm’s defenses.
Safeguards Violations: Did not have any written policies whatsoever regarding data security.
Other Violations: None
Other Information: The attacker gained access to the information of more than 100,000 individuals. Although it did not have written policies in place, R.T. Jones quickly hired cybersecurity firms to assess the damage. Additionally, it informed all potentially affected individuals.

J.P. Turner (2010)
Fine Amount: $65,000
Actual Breach?: No.
Safeguards Violations: J.P. Turner went years without having any policies. When it finally adopted policies, they were deficient. They merely quoted the Safeguards Rule and said the Acting Chief Compliance Officer would be in charge of adopting further policies. The ACCO (Stephen Bauman) never adopted any further policies.
Other Violations: None
Other Information: The SEC discovered the problem after seeing a news story about a J.P. Turner employee who left boxes containing thousands of customer records (including social security numbers and bank account numbers) on the curb outside of his house (for pickup by a trash company). Although it does not appear anybody stole the files, they sat on the curb for two weeks. The SEC argued for a higher penalty, but the ALJ capped the amount at $65,000, finding J.P. Turner did not act recklessly.

David Levine (2011)
Fine Amount: $20,000
Actual Breach?: No.
Safeguards Violations: Levine was the GunnAllen (GA) employee who downloaded 16,000 client files to a flash drive to take to a new employer (with Frederick Kraus’s permission). He was a senior officer, so the SEC attributed some of GA’s failures to him.
Other Violations: 17 C.F.R. §§ 248.7, .10 (sharing customer information without authorization).
Other Information: For Levine and Kraus, it seems as though the primary charges were for sharing customer information with a new firm without permission. The SEC did point out that the thumb drive was not secure.

Frederick Kraus (2011)
Fine Amount: $20,000
Actual Breach?: No.
Safeguards Violations: Kraus was president of GunnAllen while it was winding up business. As president, he failed to adopt policies regarding protection of customer information during the winding-up phase. Additionally, he permitted David Levine to download 16,000 customer files to a flash drive to take to another firm.
Other Violations: 17 C.F.R. §§ 248.7, .10 (sharing customer information without authorization).
Other Information: For Kraus and Levine, it seems as though the primary charges were for sharing customer information with a new firm without permission. The SEC did point out that the flash drive was not secure.

Marc Ellis (2011)
Fine Amount: $15,000
Actual Breach?: No.
Safeguards Violations: Ellis was the Chief Compliance Officer for GunnAllen (GA). GA only had weak written policies (barely one page long, and without much substance). Additionally, somebody stole three laptops containing customer data, but GA never followed up beyond reporting the thefts to police.
Other Violations: None
Other Information: Although three laptops containing data (including social security numbers) of 1,120 clients (and employee login information) went missing, GA never alerted the clients. Because Ellis was in charge of compliance, the SEC attributed GA’s faults to him.

Stephen Bauman (2009)
Fine Amount: $0
Actual Breach?: No.
Safeguards Violations: Bauman was J.P. Turner’s Acting Chief Compliance Officer and thus was in charge of making sure it complied with the Safeguards Rule.
Other Violations: None
Other Information: Bauman’s only penalty was that she had to cease and desist from violating the Safeguards Rule in the future. She was aware of the Safeguards Rule’s existence while she was at J.P. Turner.

334. In this context, “Actual Breach?” refers to whether somebody accessed or took confidential information without authorization (at least based on the facts available in the SEC proceedings). Thus, most of the “No” proceedings for this column involve situations in which management permitted an employee or multiple employees to remove data.