The SEC and Voya Financial Services recently reached a $1 million settlement, stemming from a 2016 security incident in which individuals impersonating Voya’s independent contractors were able to gain access to the PII (including full social security numbers, dates of birth, and email addresses) of at least 5,600 Voya customers. The impersonators gained access by calling Voya’s technical support group, pretending to be the contractors, and requesting password resets. According to the settlement, Voya’s technical support personnel reset the passwords and provided temporary passwords over the phone, and in two instances also provided the contractor’s username over the phone.
This action is notable in several regards. First, it was brought under the SEC’s Identity Theft Red Flags Rule, which requires entities to develop and implement a written Identity Theft Program, and its Safeguards Rule, which requires entities to adopt written policies and procedures reasonably designed to protect customer records and information—both of which the SEC has infrequently used to this point. Second, the action was brought notwithstanding the fact that the breach resulted in no unauthorized transfers of funds from Voya customer accounts. Third, the settlement required Voya to retain a compliance consultant to review the company’s policies and procedures and provide a report within three months of the settlement.
Finally, and perhaps most importantly, the settlement is instructive in that it identifies various conduct by Voya that the SEC found not to be “reasonable” as required by both the Identity Theft Red Flags Rule and the Safeguards Rule. Specifically, in addition to the fact that Voya personnel provided password and username information over the phone as opposed to via secure email, the settlement identified additional shortcomings such as: Voya kept a monitoring list of phone numbers suspected of having been used in fraudulent activity, but there was no written policy requiring customer support to use the list; Voya often failed to conduct the vulnerability scans of contractor computers called for by its policies (or to remediate issues when found); Voya’s incident response procedures failed to ensure that its support team and call center were notified about an ongoing intrusion; Voya failed to conduct training specific to its Identity Theft Program; and Voya had not updated its Identity Theft Program since its inception in 2009.
This settlement serves as another good reminder to review your relevant programs to determine whether they need to be updated in light of changes to the risk landscape, to take a fresh look at whether they include measures to prevent, detect and respond to security incidents that regulators such as the SEC would consider reasonable, and to make sure that you are actually following the programs you have put in place.