Regulator fines LPL for failing to prevent hacking

SEC says the broker-dealer's inaction left customers open to
identity theft.

Independent broker-dealer LPL Financial has
agreed to pay a $275,000 penalty to settle an SEC enforcement
action against it for failing to adopt policies and procedures to
safeguard its customers' personal information.
The SEC says LPL's inaction following a series of hacking
incidents involving LPL's online trading platform left at least
10,000 customers vulnerable to identity theft.
Vigilance lacking
In settling the matter, LPL neither admits nor denies the SEC's
findings, though it has agreed to "undertake certain remedial
actions including retaining an independent consultant to review
LPL's policies and procedures required by [SEC regulations], and
to devise and implement a policy and set of procedures for
training its employees and all registered representatives
regarding safeguarding customer records and information,"
according to the SEC.
"With the increase in the number of incidents involving
information security breaches, regulated firms must be vigilant
about satisfying their obligation to protect customer information
from anticipated threats and unauthorized access," Linda Chatman
Thomsen, director of the SEC's Division of Enforcement, says in an
11 September 2008 press release. "Today's action demonstrates the
Commission's commitment to holding those firms responsible for
their deficient controls, policies, and procedures, particularly
when personal customer information is at issue."
The SEC says that "unauthorized persons" hacked into the online
trading platform LPL provided its brokers on several occasions
between July 2007 and early 2008, and "placed or attempted to
place 209 unauthorized securities trades worth more than $700,000
combined in 68 customer accounts."
LPL conducted an audit in 2006 that identified inadequate
security controls to safeguard customer information and pointed,
in particular, to its vulnerability to hacking but "failed to
take timely corrective action," according to the SEC.
Boston-, Charlotte, N.C.- and San Diego-based LPL says in a
statement that none of its clients lost money as a result of the
breaches, which were the result of "the theft of legitimate
usernames and passwords" rather than penetration of its
firewalls. It adds that it is "putting in place new technology
initiatives and industry best practice standards designed to
ensure -- to the extent we reasonably can -- that this will never
happen again."
LPL supports about 8,100 brokers in approximately 3,600 offices
in the U.S., according to the SEC. -FWR