Redtail response to investor data leak may have broken state laws

Fintech firm waited two months to tell investors after finding and fixing the breach

May 24, 2019 @ 4:46 pm

By Ryan W. Neal

Redtail Technology may have broken state cybersecurity regulations with its response to leaked investor personal identifying information.

The fintech firm waited more than two months after first detecting an internal error that publicly exposed investor names, physical addresses, dates of birth and Social Security numbers to the internet. Redtail, which sells client relationship management software, said it discovered and repaired the breach on March 4, but it didn't start notifying impacted investors until May 17.

All 50 states now have regulations requiring companies to notify customers when their personal data is compromised, said Sara Jodka, a cybersecurity and data privacy attorney with Dickinson Wright.

(Disclosure: Ms. Jodka represents other CRM companies, but none in the financial sector that compete with Redtail.)

Ohio requires companies to notify users within 45 days of learning about the breach, Ms. Jodka said. Florida's limit is 30 days.

Most states, even those with the strictest regulations, require firms to publicly disclose a breach as soon as is reasonable, but Redtail might not meet that standard in some regulators' eyes.

"Normally, two months is not going to be unreasonable, but it is odd in this [case] because it's an internal issue," Ms. Jodka said. "You're not dealing with a nefarious outside force."

Redtail addressed the timing issue in its letter to advisers. The firm said the nature and format of the data required extra time to investigate and identify which individuals were affected. Redtail said it had to build new applications for the task.

"That sounds right," said Ms. Jodka, adding that determining which data were exposed is never an easy task. "Whenever you get into doing forensics, it takes you down the path of crumbs and what databases might have been affected."

But Redtail's reason might not be good enough for Massachusetts regulators. The state amended its data breach notification law in January to specifically state that companies cannot delay notification "on the grounds that the total number of residents affected is not yet ascertained."

Even just from a best-practices standpoint, two months is an unusually long time, said Bart McDonough, CEO and founder of Agio, a cybersecurity and managed IT provider.

"What I would say is this highlights the need for not only the systems to detect these issues, but the processes to be able to respond in a more timely manner," Mr. McDonough said.

He recommended that adviser and fintech firms engage in exercises to test and practice their data breach response plans.

It's also unusual for a business-to-business technology provider like Redtail to directly inform impacted investors. Clients typically don't interact directly with a CRM, and most probably don't know what Redtail is, Mr. McDonough said.

In its letter to advisers, Redtail said it's emailing affected investors and offering free access to LifeLock Defender Preferred, a credit and identity theft monitoring and remediation product from Symantec.

"It's improper for them to contact the end investor," he added.

Redtail did not respond to a request for comment.