In a recent Securities and Exchange Commission (“SEC”) enforcement action, the SEC concluded that a registered broker-dealer and investment adviser (the “Firm”) violated Rule 30 of Regulation S-P by failing to adopt sufficient policies and procedures governing decommissioning of data-bearing devices. During a decommissioning project in 2016, the Firm sold unwiped hard drives containing unencrypted customer personal identifying information (“PII”) and consumer report information to a third party.
The SEC found that the Firm’s policies and procedures did not adequately ensure that a qualified vendor was responsible for destroying data on the decommissioned devices and were not “reasonably designed” to discover changes in sub-vendors.