A Lincoln Financial Group subsidiary was fined $650,000 by the Financial Industry Regulatory Authority (FINRA) for a 2012 cybersecurity breach in which hackers penetrated a cloud-based server and accessed 5,400 customer files. In addition to the fine, the financial services company agreed to implement tougher security measures.
Lincoln Financial is a huge company with many insurance and financial subsidiaries. The parent company reports $255 billion in assets. Its brokerage unit, where the breach occurred, has 500+ branches nationwide.
We feel the fine was especially light given that the same company had already been fined $450,000 in 2011. According to public records, the earlier fine was for “failing to establish adequate procedures to protect confidential customer information that was stored on its web-based electronic portfolio management system, failing to establish procedures requiring its registered representatives to install antivirus, encryption, and other security software on their computers, and failing to audit representatives’ computers to gauge whether those computers may have been accessed without authority.”
Considering that the breach in this case occurred just months after the prior violation, it is obvious that the company was not doing its best to protect customer data.
The new findings say that from 2011 to 2015, the company “failed to establish, maintain, and enforce a supervisory system, including written supervisory procedures, reasonably designed to ensure the security of confidential customer information stored on electronic systems” within the branch offices.
Just months after the 2011 violation, the company decided to outsource its data storage, electing to store records on a cloud-based server. The stored records included account applications and other brokerage records containing customers’ nonpublic personal information, such as Social Security numbers. Lincoln Financial, however, never verified that its third-party vendor had installed antivirus software or encrypted the stored documents.
The important takeaway here is that banks and other financial institutions cannot escape liability simply by outsourcing their data systems to third parties. Outsourcing moves the operation of the system to the vendor, but accountability for protecting customer data stays with the institution, which remains responsible in the event of a breach.
Lincoln Financial argued that, in response to the earlier breach, it had implemented a Data Security Policy that included, among other things, a requirement that all computers have adequate firewalls. Regulators countered that the policy left compliance to individual employees, people with little technical expertise, rather than to any supervisory system that verified the controls were actually in place.
Just as banks cannot use outsourcing to avoid liability for cyber theft, they also cannot put the onus of compliance entirely on individual workers.
On October 21st, 2016, Lincoln Financial submitted a corrective action plan that included more cybersecurity personnel and the engagement of a “renowned team of cybersecurity experts to perform an evaluation of [Lincoln’s] cybersecurity systems, policies, procedures, and control environment.”
Cybersecurity, Banks and Whistleblower Awards
The Lincoln Financial subsidiary hit by the breach was a brokerage firm and therefore under the jurisdiction of FINRA. Banks are regulated by the FDIC, the Federal Reserve and the Office of the Comptroller of the Currency. Both brokerage firms and banks, however, are required to have robust cybersecurity measures. Banks have the additional responsibility of promptly reporting any violations to federal regulators.
Because cyberhacking and cyber theft threaten customers and the financial stability of the banks themselves, violations of these rules may be actionable under FIRREA, a broad anti-fraud statute passed in the wake of the 1980s savings and loan crisis. Bankers or others with inside information about these violations are eligible for cash awards.
Awards are based on a percentage of whatever fines or penalties are collected by the federal government. Awards can quickly reach the statutory maximum of $1.6 million. To qualify for an award, a whistleblower must submit a sealed declaration to the U.S. Department of Justice. Prosecutors can then investigate the claims and decide whether they wish to pursue the case.
Whistleblowers are the eyes and ears of regulators. Their actions save taxpayers billions of dollars each year. In the case of cybersecurity violations, they may save countless customers the heartache and frustration of identity theft and the loss of their funds.
For more information about collecting an award under FIRREA, visit our cyberhacking page or contact us directly. In the last several years, our bank whistleblower clients have recovered over $100 million in awards. All inquiries are protected by the attorney-client privilege and kept confidential. For more information, contact attorney Brian Mahany at or by telephone at 414-704-6731 (direct).
MahanyLaw – America’s Whistleblower Lawyers