Data theft puts LPL clients at risk

Investment News

LPL Financial yet again has fallen prey to a technology blunder that placed private client information at risk.

An unencrypted portable hard drive was stolen from the car of an LPL representative Feb. 24, according to a letter sent last month by LPL to the attorney general of New Hampshire. The adviser, Christian D’Urso of StoneRidge Wealth Management in Beaverton, Ore., had one client in New Hampshire, the letter said.

As a result of the theft, private client information, including names, addresses, dates of birth and Social Security numbers “may have been breached,” Marc Loewenthal, LPL’s senior vice president and chief security and privacy officer, wrote in the letter.

This isn’t the first time LPL has had to deal with a security lapse involving one of its reps. In 2007, the firm reported that computer hackers had compromised the login passwords of 14 financial advisers and four assistants.

In the wake of the latest incident, LPL has notified clients who may be affected “to remain vigilant by reviewing account statements” and to use a credit-monitoring service. In this case, LPL is using Kroll Inc. and its ID TheftSmart service, Mr. Loewenthal wrote.

While the letter did not elaborate on how many LPL clients were affected by the breach, John McDermott, LPL’s chief risk officer, said in an interview that only a “small number” of clients could potentially be affected.

He declined to comment about what actions were being taken regarding Mr. D’Urso.

In general, Mr. McDermott said, LPL advisers guilty of mishandling or losing client data face an escalating series of punitive measures — starting with a formal reprimand, then fines and ultimately termination.

The latest security breach, which was first reported on watchdog website DataBreaches.net, differs significantly from the widely reported phishing attacks against LPL that occurred in 2008, Mr. McDermott said.

He also refuted the suggestion that LPL has had more problems with data security than other firms.

“We don’t feel our instances of these are high, compared to the rest of the industry — we have a very large and widely distributed adviser force,” Mr. McDermott said.

For his part, Mr. D’Urso had little to say about the matter.

“Despite the fact that I was unaware of any client impact with the small number of relevant clients potentially affected, I reported this incident immediately to my broker-dealer, and I have taken additional steps to prevent a similar occurrence from happening again,” he wrote in an e-mail.

Under LPL’s branch security policy, encryption is required on all laptops and portable drives used by advisers to store client information. In other words, the contents of the hard drive must be accessible only through the use of a pass code or key.

LPL’s 60-person branch examination team performs annual compliance reviews of all branch offices. These reviews include a technology component, but this is part of a broader review that includes many additional factors, including sales practices.

The number of reviewers and length of time on-site are dependent on the size of an office and what reviewers find, according to Mr. McDermott.

With 12,000 representatives and advisers, LPL is the nation’s largest independent-contractor broker-dealer.

Forty-five states have laws that require the reporting of privacy breaches, mostly to their respective attorneys general.

Just two states, Massachusetts and Nevada, require that encryption be used for the storage or transmission of a client’s personal data.

Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission requires notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC’s Regulation S-P would add this.

That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending. It is unclear when it will be finalized.

Both bodies recommend — but don’t mandate — the use of encryption to protect client personal data.

In the meantime, the monetary losses stemming from the sale of stolen data continue to mount.

The Internet Crime Complaint Center, a partnership between the National White Collar Crime Center and the Federal Bureau of Investigation, which tracks cybercrime, reported in its 2009 annual report that monetary losses linked to online fraud, which include the theft of personal data, totaled more than $559 million. That is an increase of 22.3% from $265 million in 2008.

Losses due to the broader issue of identity theft totaled $54 billion in 2009, up from $45 billion in 2008, according to estimates by Javelin Strategy and Research.

“Victims who said that they had received a data breach notification were four times as likely to become a victim of data fraud,” said Robert Vamosi, an analyst who specializes in risk, fraud and security for Javelin.

E-mail Bruce Kelly at [email protected] and Davis D. Janowski at [email protected].