Little recourse for reps hurt by regulator’s flub

Frustrated advisers registered in Massachusetts whose personally identifiable information was accidentally released by a state regulator have no legal remedy, according to experts.

The Massachusetts Securities Division sent out letters last week informing some 139,000 advisers registered in the Bay State that it mistakenly had sent a CD-ROM with their personal information to a trade publication. The information included advisers’ Social Security numbers and residential addresses, The Boston Globe reported.

“It’s certainly possible that there could be some sort of action against Massachusetts,” said Andrew Stoltmann, a plaintiff’s attorney. “But government agencies are given a lot of leeway for screwing stuff up.”

Advisers who are eager to sue the regulator would have to prove damages, which would be difficult to establish, Mr. Stoltmann said. That, in turn, would make for an uphill legal battle, he said.

“Lots of advisers and brokerage firms are beating their chests and arguing that this is a great crime to humanity,” Mr. Stoltmann said. “But mistakes happen, and it doesn’t look like there’s going to be any damage or long-term harm to advisers.”

Indeed, some advisers conceded that any legal action against the regulator would be an exercise in futility.

“I’m going to get into a pile of bureaucracy, and I don’t have the time for that — that’s the reality,” said Marc S. Freedman, president of Freedman Financial Inc. He threw away his letter from the state, calling the situation “overblown.”

“If I wanted to find out information about someone, it’s easy to get it,” Mr. Freedman said. “If I live my life worrying that someone’s going to steal my identity by grabbing a computer, I might as well not leave my house.”

Brian McNiff, a spokesman for the Massachusetts Securities Division, said that the regulator has been hearing from advisers but that there is little cause for alarm.

“The important thing is that there was no breach and that the material was returned intact,” he said. “It was a mistake that happened only one time; someone didn’t follow the procedures in place.”

But many advisers are less than thrilled about the mistake, especially considering that Massachusetts is one of just two states, along with Nevada, to require them to use encryption — or another layer of security — for the storage or transmission of clients’ personal data.

“They say that none of the information was stolen, but why should I believe it? If this were to happen in my office, would you buy that?” said Rita Robbins, president of Affiliated Advisors Inc. She and 28 representatives in her practice received letters from the division.

Deborah Maloy, principal of Maloy Financial Services and chairwoman of the Massachusetts chapter of the Financial Planning Association, said that she was shocked when she found out what had happened.

“This is a big mess,” she said. “[William F. Galvin] is the guy who’s regulating us, and he’s always on our case,” she said of Massachusetts’ secretary of state, who oversees the state’s securities department.

Advisers who received the letters were also told that they could contact the three major credit-reporting agencies — Equifax, Experian and TrueCredit — if they are concerned about their identities’ being stolen, but they will have to pay any fees themselves.

The Massachusetts Securities Division “gave us the heads-up, but if they make private companies institute policies and give people access to credit report services for free, then the government should do the same,” said Stuart J. Pastrich, managing director at Compass Financial Group of Long Island. “What’s good for the goose should be good for the gander,” he said.

Ms. Maloy said she may contact the three credit-reporting agencies and ask them to place a security freeze on her accounts, and she also may alert fellow members of her FPA chapter of the leak in an upcoming bulletin.

Another adviser also expressed frustration over the regulator’s handling of the security breach.

“It’s more of a systemic issue that you and I live by one standard, but those who regulate us don’t,” said a Bank of America Merrill Lynch representative who also received a letter. “No client information goes into my personal computer or a portable device — that’s the regulatory oversight that runs Wall Street, but the rules made for governing our security don’t apply to the agents that oversee our security.”

The rep, who asked not to be identified, said that he will notify his firm that his information has been leaked, but added that he is too busy to pick a fight with the Massachusetts regulator.

E-mail Darla Mercado at [email protected].