Posted by Jessica Forbes, Fried, Frank, Harris, Shriver & Jacobson LLP, on Saturday, October 10, 2015
Jessica Forbes is a corporate partner resident in the New York office of Fried, Frank, Harris, Shriver & Jacobson LLP. This post is based on a Fried Frank publication authored by Ms. Forbes, Joanna D. Rosenberg, and Stacey Song.
On September 22, 2015, the Securities and Exchange Commission (the “SEC”) issued a cease-and-desist order (the “Order”) and settled charges against St. Louis-based investment adviser R.T. Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to safeguard customer information in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the Securities Act of 1933. [1]
Rule 30(a) requires every broker, dealer, investment company and registered investment adviser to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and to protect customer information from anticipated threats or unauthorized access. According to the Order, from at least September 2009 through July 2013, R.T. Jones stored personal information of its clients and other persons on its third-party-hosted web server without adopting any such written policies and procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, rendering the personal information of more than 100,000 individuals vulnerable to theft. In response to the cyber attack, R.T. Jones notified each individual whose information was compromised.