Industry and regulators need to safeguard broker data

The cybersecurity​ breach last year at Equifax Inc., which exposed the personal information of at least 145 million individuals worldwide to hackers, alerted businesses and governments to the need to constantly review and tighten their security practices. But cyberbreaches are not the only way consumer information can be exposed. Poor data management and sharing practices can also expose the personal information of thousands of individuals, and financial services industry regulators may have exposed information about brokers, financial industry workers or clients. The Facebook scandal is the current hot example of poor data management practices. The company made personal data on millions of subscribers available to an academic without keeping track of what happened to that information or who had access to it. Tremendous amounts of information about private individuals are being collected not only by companies such as Facebook and Google, but also by regulatory bodies at the federal and state levels. And it is possible that sloppy data management at all levels can expose the private information of individuals. As Bloomberg News reported last week, a whistleblower is accusing securities regulators and brokers of having left personal data of financial industry personnel exposed. According to a complaint lodged with the Securities and Exchange Commission, the personal data of people employed in the financial services industry, including brokerage account numbers, provided to an industry regulator, apparently the Financial Industry Regulatory Authority Inc., have long been easily accessible online. The complaint also alleges, according to Bloomberg, that at least until 2015, state regulators made Social Security numbers and other information publicly accessible. The problem arises, at least in part, from poor information management by brokers and the regulators. This includes brokers submitting unnecessary information on required filings, and industry and state regulators not scrubbing that information before it is posted on public sites. This is not good enough. All financial institutions submitting information to the regulators must make greater efforts to ensure that only the requested, pertinent information is filed. If it's not asked for, don't include it. Likewise, the regulators must ensure that only relevant information is posted on sites that are available to the public. They must thoroughly examine any filings by financial firms they regulate to make sure extraneous information, i.e., information not requested, has not been provided. If such information has been provided, it must be removed. For financial institutions, this means many eyes must review any information before it is submitted to the SEC, Finra or state regulatory officials to make sure nothing more than the requested information is included in the filings. For the regulators, this means several pairs of eyes must examine any filings before anything is posted to publicly accessible sites to make sure that only the information meant for public exposure is in fact posted. Any information not pertinent to the requested filing must be scrubbed. Regulators demand that brokers and other financial service providers protect the privacy and the vital information of clients, such as their names, phone numbers, addresses and Social Security numbers. So the regulators must provide that same protection for the information of those who work in the industry.