The Securities and Exchange Commission recently settled with Voya Financial Advisors, Inc. for alleged violation of Regulation S-ID (otherwise known as the Identity Theft Red Flags Rule) and Regulation S-P (otherwise known as the Safeguards Rule).  According to the SEC, Voya had failed to implement a written identity theft program as required of broker-dealers and investment advisors by the Identity Theft Red Flags Rule, and failed to have written policies and procedures to protect customer records and information as required by the Safeguards Rule. Specifically, in April 2016 intruders impersonated Voya independent contractors and contacted the company’s technical support line. They asked for a reset of the contractors’ passwords, which support staff did, giving them temporary passwords over the phone. The bad actors used these credentials to gain access to the company’s proprietary web portal. The portal contained personally identifiable information of Voya customers, and according to the SEC the bad actors were able to access personal information for at least 5,600 of Voya’s customers. This information included address, date of birth, last four digits of Social Security numbers, and email addresses. And, for at least 2,000, full Social Security number or other government-issued ID number. Voya was contacted by one of the targeted contractors, who said that he had gotten an email about a password change, but he had not requested the change. After receiving this alert of suspicious activity Voya took some steps, according to the SEC, but not sufficient ones, including not terminating the bad actors’ access to the compromised accounts.
Continue Reading SEC Issues $1 Million Identity Theft Rule Fine