BizTech Law Blog

SEC-Regulated Companies Should Address Cybersecurity to Avoid Enforcement Risks

If 2018 was any indication, cybersecurity compliance should be high on the list of SEC-regulated companies’ priorities in 2019. Take, for example, the SEC’s 2018 enforcement action against Voya Financial Advisors, Inc. (“Voya”) for violation of the Red Flags Rule, which resulted in a $1 million settlement.

The Red Flags Rule requires financial institutions and certain other companies to develop, implement, and administer a written identity theft prevention program if the company has “covered accounts.” Although the Rule has been in effect for over eight years, this was the first enforcement of the law by the SEC. The Rule was designed so that businesses would implement identity theft prevention programs to detect “red flags” in day-to-day operations, take steps to prevent potential breaches, and mitigate the damages of breaches that occur.

The enforcement action occurred after individuals were able to successfully impersonate contractor representatives, gain access to account login information, and reset passwords to access Voya’s proprietary web portal. The criminals’ success came despite the fact that the call was from a number that had been flagged previously for fraudulent activity. With this information, the individuals were able to access brokerage, customer, and client advisory information, including identifying information, of over 5,500 customers.

In the SEC’s settlement agreement, the agency explained the expectations for every cybersecurity and anti-theft plan under the Red Flags Rule. In summary, every company should have written policies and procedures that are reasonably designed to:

  1. Insure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  3. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The SEC found that Voya did not have a plan reasonably designed to meet the objectives above and, therefore, violated the Red Flags Rule.

Companies that fail to create these procedures are at risk of compromising client information, the company’s financial stability and public confidence. The settlement with Voya is a good reminder that companies should not only develop and implement a security plan in compliance with the Red Flags Rule, but also review and update the plan regularly to respond to emerging risks. The plan should include training employees to be aware of data breach risks.

The SEC’s settlement with Voya may signal a more active SEC enforcement climate regarding cybersecurity issues. Please contact a Foster Swift business attorney with any questions relating to the Red Flags Rule and your company’s compliance strategy.
