CFI, an independent broker/dealer based in Orange County, California, was also ordered to provide notifications to affected customers and their brokers and to offer these customers one year of credit monitoring at no cost, according to a news release from FINRA.
FINRA found that from April 2006 to July 2007, CFI failed to safeguard confidential customer information. A faulty firewall and an ineffective username and password on its server permitted unauthorized persons to access stored images of faxes that contained confidential customer information—including Social Security numbers, account numbers, and dates of birth.
The firm’s failures also permitted an unknown individual to conduct a “phishing” scam. When CFI became aware of the phishing scam, the firm conducted an inadequate investigation and sent a misleading notification letter to approximately 1,400 affected customers and their brokers, FINRA said.
CFI’s conduct violated federal Regulation S-P and FINRA rules, the agency said. The firm did not admit or deny the charges, but consented to FINRA’s findings.
Under the terms of the settlement, Centaurus will provide corrected notifications of the unauthorized accesses to all previously notified customers and brokers and will offer those customers one year of free credit monitoring. In addition, CFI will certify to FINRA that its procedures and systems are in compliance with privacy requirements, according to the release.
“It is critically important that firms protect confidential customer information and respond appropriately to unauthorized access to their system,” said Susan Merrill, FINRA executive vice president and chief of enforcement. “When a firm becomes aware of an unauthorized access, it must conduct an effective review and provide customers with accurate information about that unauthorized access.”