Encrypt or die
Sterne Agee & Leach, a broker-dealer firm in Alabama, was fined $225,000 after it leaked all accounts created or closed between 1992 and 2013.
Last May, a technician left an unencrypted laptop in a public bathroom. It contained the names, addresses, account numbers and tax identification numbers for 352,551 clients and has never been recovered.
“There were,” Financial Industry Regulatory Authority examiners determined, “no written procedures to ensure that the firm’s most sensitive customer and proprietary information stored on laptops were being adequately safeguarded by appropriate technology, such as encryption.”
The firm had known for years it should protect information stored on laptops, but it procrastinated because it didn’t use many laptops and considered data loss a “moderate risk.”
Sterne Agee bought encryption software five years ago, but nobody on staff knew how to install it. So it gathered dust on a shelf until 2012, when tech-savvy staff members were hired and realized the software wasn’t compatible with the laptops. One year later, in 2013, the firm proposed outsourcing its data protection services, but funding wasn’t approved until June 2014, a month after the laptop was lost in the washroom.