Last week, the Financial Industry Regulatory Authority (“FINRA”) announced that it has imposed fines of $450,000 against Lincoln Financial Securities, Inc. (“LFS”) and $150,000 against an affiliated firm, Lincoln Financial Advisors Corporation (“LFA”), for failure to adequately protect non-public customer information. In addition, LFS failed to require brokers working remotely to install security application software on their own personal computers used to conduct the firm’s securities business.
The U.S. Securities and Exchange Commission (“SEC”) and FINRA rules require every broker-dealer to adopt written policies and procedures that address safeguards for the protection of customer records and information. FINRA found that for extended periods of time – seven years for LFS and approximately two years for LFA – certain current and former employees were able to access customer account records through any Internet browser by using shared login credentials. From 2002 through 2009, between the two firms, more than 1 million customer account records were accessed through the use of shared user names and passwords. Since neither firm had policies or procedures to monitor the distribution of the shared user names and passwords, they were not able to track how many or which employees gained access to the site during this period of time. As a result of the weaknesses in access controls to the firms’ system, confidential customer records including names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details were at risk.
The Web-based system both firms used combined non-public customer account information from various sources and allowed employees to view the customer account information within a single site. Home office personnel from both firms could access the system either by clicking on a link on the firm’s website or could gain access through any Internet browser by going directly to the system’s website and logging in with one of the shared user names and passwords.
FINRA also found that LFS and LFA did not have procedures to disable or change the shared user names and passwords on a recurring basis even after a home office employee had been terminated. Many individuals left the two firms during the relevant time period, yet the shared user names and passwords were never changed, and the firms had no way of determining whether former employees continued to access confidential customer information using those same user names and passwords.
In assessing sanctions, FINRA took into consideration the firms’ efforts to notify all customers whose account information was or had been potentially exposed on the firms’ Web-based system, and offered those customers credit monitoring and restoration services for a period of one year.
In settling these matters, LFS, based in Concord, New Hampshire, and LFA, based in Fort Wayne, Indiana, neither admitted nor denied the charges, but consented to the entry of FINRA’s findings.