California’s Department of Business Oversight is notifying some investment advisers and dealer-brokers that due to a redaction error on the department’s part, their Social Security numbers were sent to public records requestors.
The breach, which occurred on January 5, was not discovered until March 11, and the department does not indicate how it first became aware of it.
In a notification letter dated March 23, the department explains:
The California Public Records Act (PRA) requires the Department of Business Oversight (DBO) to provide the public copies of the non-confidential portions of our electronic licensing records upon request. To process these requests, DBO utilizes the records contained in the Financial Industry Regulatory Authority’s (FINRA) Central Registration Depository (CRD). Fields clearly designated as containing personal identifying information within the FINRA CRD are then redacted by DBO prior to its release. However, despite our efforts, DBO recently learned that, pursuant to one or more PRA requests, the personal identifying information of a number of registered investment advisers and broker-dealers was inadvertently disclosed to persons not authorized to receive such information.
Our initial investigation revealed that your Social Security number was disclosed in a field entitled “Docket/Case #.” Since a docket or case number traditionally are not based on an individual’s Social Security number, we did not redact the contents of this field.
The department’s notification did not disclose how many investment advisers and broker-dealers were impacted by the breach, only that “one or more” PRA requestors were sent the information.
It’s not clear why this error occurred this time and was never addressed previously. Was this the first time DBO was using the FINRA CRD records or did FINRA change the types of information they include in each field?