Privacy & Information Security Law Blog

On November 14, 2016, Lincoln Financial Securities Corp. (“LFS”), a subsidiary of Lincoln Financial Group, entered into a settlement (the “Settlement”) with the Financial Industry Regulatory Authority (“FINRA”), requiring LFS to pay a $650,000 fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.

In 2012, hackers with foreign IP addresses accessed LFS’s cloud server and stole confidential records of approximately 5,400 customers. The stolen records included account applications and other brokerage records containing customers’ nonpublic personal information, including Social Security numbers. LFS timely notified affected individuals and FINRA about the breach and, to date, there is no evidence of any misuse of customer information resulting from the theft. In the Settlement, however, FINRA alleged that LFS failed to implement and maintain adequate cybersecurity procedures, including written supervisory procedures, designed to protect confidential customer information stored on electronic systems in violation of FINRA Rules 3110 and 2010. FINRA alleged that when LFS began storing records on cloud-based servers in 2011, LFS failed to ensure that the third-party vendor retained to configure the cloud system properly installed antivirus software or data encryption for the confidential information, and that this failure led to the 2012 hack.

Under the terms of the Settlement, LFS will pay a $650,000 penalty to FINRA. In addition, LFS is required to review its written supervisory procedures and security systems and implement all necessary changes to enhance security. LFS previously was fined $450,000 by FINRA in 2011 for failing to establish adequate procedures to protect confidential customer information stored on its web-based electronic portfolio management system.