The SEC announced on September 11, 2008, that it sanctioned LPL Financial for violations of Regulation S-P. Regulation S-P requires that firms implement reasonably adequate policies and procedures to safeguard customer information. According to the SEC's press release announcing the action, LPL failed to safeguard customer information, leaving the personal information of 10,000 customers vulnerable to identity theft, "following a series of hacking incidents involving LPL's online trading platform." LPL settled the SEC's charges without admitting or denying anything, and agreed to pay a fine of $275,000.
The SEC noted that the firm conducted an internal audit in mid-2006. That audit identified inadequate controls relating to guarding customer information and noted, according to the SEC, that there was a risk of hacking. The hacking incidents began around July 2007, and, at that time, the SEC alleges that LPL had not implemented increased security measures despite actual awareness of the risks.
As we've noted before, Regulation S-P continues to be a regulatory hot topic. Be sure that your firm reviews and examines its own procedures and policies in this area. If weaknesses are discovered, take action and fix them.