As much as they fuss and then fine those they oversee when a data breach or similar misstep occurs, sometimes it helps to remember that even regulators are only human. Nothing demonstrates the concept better than a story out of Massachusetts.
InvestmentNews reported Tuesday that the Massachusetts Securities Division sent personally identifiable information for more than 130,000 securities advisers to a trade publication. The data included not just names, home addresses and Social Security numbers, but also dates and locations of birth, height, weight, hair color and eye color, according to The Boston Globe. The advisers found out about the breach in a letter from the securities division and Secretary of State William Gavin.
Apparently, IA Week had asked for a list of advisers registered in the state. The division delivered the list - and then some - on CD-ROM. IA Week returned the disk upon realizing the goof. A spokesperson for the securities division said:
...[T]he important thing is there was no breach and...the material was returned intact.
Advisers would beg to differ with that assessment, I imagine. In fact, Deborah Maloy, principal of Maloy Financial Services, told InvestmentNews:
Client confidentiality is so important, and now our confidentiality is breached. We didn't even think about it. ...This is a big mess. [Mr. Gavin] is the guy who's regulating us, and he's always on our case.
She said she'll probably ask credit-reporting agencies to freeze her accounts. Others who commented on the story don't want to let the regulator off so easily. They're calling for a self-imposed fine equal to what an adviser would pay if he or she accidentally leaked client information -- roughly $695 million.