The SEC advised employees to check their credit reports for signs of fraud after it learned that contractor Financial Tracking Technologies had been sharing employee trading data with unauthorized companies for the past two years.
The SEC does not know whether the shared data was misused, but Thomas Bayer, the SEC’s chief information officer, recently sent employees a letter recommending that they take precautions to protect themselves from fraud, according to Reuters. The Huffington Post reported that the SEC first learned of the breach when a former employee of Financial Tracking Technologies approached the SEC with concerns about how the government agency’s data was being handled.
The SEC has said that Financial Tracking Technologies was contractually obligated to obtain SEC approval before sharing data with subcontractors; the vendor issued a statement saying that it had notified the SEC of the third-party relationship in question.
The SEC began storing employee brokerage account data through its Ethics Program System two years ago. John Reed Stark, a managing director at the Washington, DC office of Stroz Friedberg, a global risk consulting firm, spent 11 years as chief of the SEC’s office of internet enforcement and was an SEC employee when the Ethics Program System was introduced. ‘Employees were concerned about the privacy of their data,’ he recalls.
With the rise of cloud computing and an environment in which subcontractors often store or manage data for vendors, breaches are increasingly common, says Stark. 'In these days,’ he continues, ‘it’s not a matter of if there will be a data breach, it’s a matter of when.’
David Navetta, a founding partner of InfoLawGroup, notes that given the increasingly complicated web of third parties handling data, ‘It can be difficult to know where data is at any time. Data can be more than one layer removed. There can be six degrees of separation.’
When to disclose
On October 13, less than a week after disclosing its own breach of employee trading data, the SEC issued guidelines pressing public companies for more disclosure on significant instances of cybertheft or attack.
‘It’s an irony that the SEC experienced the stress that public companies face every day when worrying about a data breach,’ says Stark. He emphasizes that it’s often difficult for organizations to decide precisely what to disclose – and when – given that it takes time for the facts to come to light.
SEC spokesman John Nester has said that no decision had been made on whether to sever the agency’s contract with Financial Tracking Technologies. Stark points out that deciding how to handle a vendor relationship after a data breach isn’t easy. ‘I don’t know if firing is warranted because data breaches happen to the best of companies,’ he concludes. ‘I really can’t be critical of a data breach happening to anyone because they’re just so prevalent
