1 Million Accounts Left Unprotected by Brokerage Firm

The Financial Industry Regulatory Authority has fined a Lincoln Financial brokerage firm and a Lincoln Financial advisory firm a total of $600,000 for failing to protect 1 million customer records from being accessed improperly through Internet browsers.

The independent regulator of brokers said it fined Lincoln Financial Securities of Concord, N.H., $450,000 and Lincoln Financial Advisors of Fort Wayne, Ind., $150,000 for failure to protect customer information from public access.

In addition, FINRA said LFS failed to require brokers working remotely to install security software on their personal computers when conducting business.

FINRA found that LFS failed for seven years, and LFA for two, to keep current and former employees from sharing log-in credentials that permitted them to access customer records from anywhere, using an Internet browser.

LFS and LFA neither admitted nor denied the charges, but consented to the entry of FINRA's findings.

From 2002 through 2009, more than 1 million customer account records belonging to the two firms were accessed through sharing of user names and passwords, FINRA said.

Since neither firm had policies or procedures to monitor the distribution of the shared user names and passwords, they were not able to track how many or which employees gained access to the site during this period of time, FINRA said in a statement.

As a result, names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details were at risk.

The Web-based system both firms used combined nonpublic customer account information from various sources and allowed employees to view the customer account information within a single site.

Home office personnel from both firms could access the system either by clicking on a link on the firm's website or by going directly to the system's website in any Internet browser and logging in with one of the shared user names and passwords.

FINRA also found that LFS and LFA did not have procedures to disable or change the shared user names and passwords on a recurring basis even after a home office employee had been terminated.

Many staff members left the two firms during this period, yet the shared user names and passwords were never changed. The firms also had no way of determining whether former employees continued to access confidential customer information using those same user names and passwords, FINRA said.

Securities and Exchange Commission (SEC) and FINRA rules require every broker-dealer to adopt written policies and procedures that address safeguards for the protection of customer records and information.

This story has been reprinted with permission from Information Management.
