In a recent Securities and Exchange Commission (“SEC”) enforcement action, the SEC concluded that a registered broker-dealer and investment adviser (the “Firm”) violated Rule 30 of Regulation S-P by failing to adopt sufficient policies and procedures governing decommissioning of data-bearing devices. During a decommissioning project in 2016, the Firm sold unwiped hard drives containing unencrypted customer personal identifying information (“PII”) and consumer report information to a third party.
The SEC found that the Firm’s policies and procedures did not adequately ensure that a qualified vendor was responsible for destroying data on the decommissioned devices and were not “reasonably designed” to discover changes in sub-vendors.
