FINRA Fines Lincoln Financial: Customer Records Were at Risk

February 17, 2011

Lincoln Financial Securities (based in Concord, NH) and affiliate Lincoln Financial Advisors (based in Fort Wayne, IN) agreed to pay a combined $600K to settle FINRA charges that they failed to adequately protect non-public customer information. In addition, LF Securities brokers working remotely had not been required by the firm to install security application software on personal computers used to conduct the firm's securities business.

    SEC Regulations, FINRA Rules.   Every broker-dealer is required to adopt WSPs that address safeguards for the protection of customer records and information. Yet, for 7 years at LF Securities, and about 2 years at LF Advisors, certain current and former employees were able to access customer account records through any Internet browser by using shared login credentials.

From 2002 through 2009, between the 2 firms, more than 1 million customer account records were accessed through the use of shared user names and passwords. There were no policies or procedures to monitor the distribution of the shared user names and passwords, and the firms were not able to track how many or which employees gained access to the site during this period of time.

As a result, confidential customer records were at risk - this included names, addresses, SSNs, account numbers and balances, birth dates, email addresses and transaction details.

    Specific Alleged Deficiencies.   Both firms used a Web-based system that allowed employees to view both non-public customer account information (from various sources) and customer account information within a single site.  Specifically, ...

  • Home office personnel from both firms could access the system either by clicking on a link on the firm's website or by going directly to the system's website through any Internet browser and logging in with one of the shared user names and passwords.
  • Neither firm had procedures to disable or change the shared user names and passwords on a recurring basis, even after a home office employee had been terminated.
  • Many individuals left the two firms during the relevant time period, yet the shared user names and passwords were never changed.
  • The firms had no way of determining whether former employees continued to access confidential customer information using those same user names and passwords.

    FINRA Mitigates Sanctions.   FINRA took into consideration the firms' efforts to notify all customers whose account information was or had been potentially exposed on the firms' Web-based system, and to offer those customers credit monitoring and restoration services for a period of one year.

    FINRA Staff Credits.   The action was brought by Kevin Kulling, Enforcement Senior Regional Counsel, under the supervision of Mark Koerner, Enforcement Regional Chief Counsel.   [FINRA News Release, 2/17]