Advisers in Massachusetts whose personally indentifiable information was accidentally released by a state regulator likely have little recourse, experts say.
Advisers registered to do business in Massachusetts who had personally indentifiable information accidentally released by a state regulator likely have little recourse, experts say.
The Massachusetts Securities Division sent out letters last week informing some 139,000 advisers registered in the Bay State that it had mistakenly sent a CD-ROM with advisers' personal information to a trade publication. The information included advisers' social security numbers and residential addresses, according to a report in the Boston Globe.
“It's certainly possible that there could be some sort of action against Massachusetts," said Andrew Stoltmann, a plaintiff's attorney. "But government agencies are given a lot of leeway for screwing stuff up.”
Mr. Stoltmann pointed out that advisers eager to sue the regulator would have to prove damages, which would be difficult to establish. That, in turn, would make for an uphill legal battle, he added.
“Lots of advisers and brokerage firms are beating their chests and arguing that this is a great crime to humanity," Mr. Stoltmann said. "But mistakes happen, and it doesn't look like there's going to be any damage or long-term harm to advisers.”
Indeed, some advisers conceded that any kind of legal action against the regulator would be an exercise in futility. “I'm going to get into a pile of bureaucracy, and I don't have the time for that — that's the reality,” said Marc S. Freedman, president of Freedman Financial Inc. In fact, he threw away his letter from the state, calling the situation “overblown.”
“If I wanted to find out information about someone, it's easy to get it,” he said. “If I live my life worrying that someone's going to steal my identity by grabbing a computer, I might as well not leave my house.”
Brian McNiff, spokesman for the Massachusetts Securities Division, said that the regulator has been hearing from advisers but that there is little cause for alarm. “We've heard from advisers, but the important thing is that there was no breach and that the material was returned intact,” he said.
He added that "it was a mistake that happened only one time; someone didn't follow the procedures in place."
But some advisers were less than thrilled by that one mistake.
Deborah Maloy, principal of Maloy Financial Services and chairwoman of the Massachusetts chapter of the Financial Planning Association, said she was shocked when she found out what had happened.
“Client confidentiality is so important, and now our confidentiality is breached,” she said. “We didn't even think about it.”
Ms. Maloy said she may contact the three credit-reporting agencies and ask them to place a security freeze on her accounts, and she also may send out a heads-up to her FPA chapter's membership in an upcoming bulletin.
“This is a big mess,” she added. “[Mr. Galvin] is the guy who's regulating us, and he's always on our case.”
Indeed, Massachusetts is one of the two states that require that encryption be used for the storage or transmission of a client's personal data.
Another adviser also expressed frustration over the foul-up.
“It's more of a systemic issue that you and I live by one standard, but those who regulate us don't,” said an Arizona-based Merrill Lynch rep who also received a letter. “No client information goes into my personal computer or a portable device — that's the regulatory oversight that runs Wall Street. But the rules made for governing our security don't apply to the agents that oversee our security.”
The rep added that as a matter of precedent he would notify his firm that his information had been leaked, but added that he was too busy to pick a fight with the Massachusetts regulator.
