On the night of March 3, a day before Redtail said it discovered that client data was publicly displayed beyond its secured systems, Kathryn Duryea was searching online for a former classmate from elementary school. The results piqued her curiosity and she decided to do a Google search on herself.
She immediately realized something was wrong, she said. After typing in her name and where she lived, the lawyer and Equitable Trust Company trust officer found her name, date of birth, address and Social Security number returned in search results.
That information, along with “dozens” of other names and Social Security numbers, was publicly displayed in a large text file hosted by Redtail Technology, she said. “I realized, OK, yeah, I'm looking at a whole bunch of people's data,” she said. Her husband’s name and information were displayed, along with that of other individuals.
Duryea soon realized that she had access to not only the text file with her name in it but other text files as well, she said. The log files ended with what looked like a year-month-and-day format. By typing slight modifications of the numbers into her browser, representing different years, months or days, she could access additional text files with the same personal details of other individuals included in Redtail’s CRM database.
The following morning, March 4, the same date cited by Redtail CEO Brian McLaughlin in describing the data breach, Duryea said she called the Redtail office to inform the company of the text files exposed on the open internet. “The information was off the internet within hours,” she said.
Two days later, Duryea said she received a call from an individual at Redtail who promised to keep her apprised of the incident. She did not get that person’s name, but it was, she said, the last time she would hear from Redtail until receiving a mailed letter from the company notifying her that she had been affected by the data breach. The letter was dated May 23—80 days after Duryea’s first call to Redtail.
“It’s Not a Good Look”
In the meantime, Duryea had contacted her financial advisor, James David Miller Sr., an investment advisor and broker/dealer associated with Sagemark Consulting Private Wealth Services, a division of Lincoln Financial Advisors.
Based in Nashville, Miller has decades of investing experience, according to regulatory filings. Duryea, in an email exchange dated May 7 and shared with WealthManagement.com, noted that initially she was uncertain who might have provided her personal data to Redtail and didn’t immediately realize it was Miller who had uploaded the information to the customer relationship management (CRM) platform. She had also been waiting for Redtail’s promised follow-up, she said.
“It wasn't immediately obvious to me when I found the information on the internet that it had come from [Lincoln Financial Advisors], which is why I didn't call you or [Lincoln Financial Advisors] first,” she wrote Miller.
“I found [Lincoln Financial Advisors]’s client data through a simple Google search, and based on the date of the page I found, my data may have been accessible online for as much as 16 months,” she noted. “[T]he fact that I haven't heard anything from either Redtail or [Lincoln Financial Advisors] concerning this pretty big data breach indicates to me that either Redtail hasn't disclosed this mistake to [Lincoln Financial Advisors] … or it has and someone at [Lincoln Financial Advisors] made the decision not [to] disclose to its agents and affected clients.”
“Either way, it's not a good look,” she added. Her note to Miller continues, “I've been assuming that a forthcoming disclosure from either Redtail or [Lincoln Financial Advisors] would force a conversation, but it's been crickets from both.”
Less than three hours later, Miller responded, apologizing and implying that he had not received a notification from Redtail about the breach. “I have forwarded your email to Atlanta,” he wrote. Redtail opened its East Coast headquarters in Atlanta last year.
There is no reason to believe Miller or Lincoln Financial Advisors were culpable in Redtail’s data exposure, but on June 14, Duryea said she transferred the last of her investments with Miller, an account in the mid-five figures, out of his management. Her decision to take her business elsewhere was directly related to the Redtail security incident, she said. “I would not have been motivated to take the action to move my investments had the data breach not occurred.”
Miller did not respond to a request for comment.
Oversight and Reporting a Jumble
Aside from a recycled statement from Redtail, in which the company said it “immediately secured access to the information exposed and began a thorough forensic investigation to determine how the exposure occurred,” after it learned of the breach—apparently from Duryea—the wealthtech firm has remained tight-lipped.
It has not publicly addressed how long the data was exposed, whether it has a protocol to address data breaches and if that protocol was followed. It didn’t comment on the apparent delay in notifying affected individuals, like Duryea, although it stated it “proactively” alerted “impacted advisors.” The firm’s approach for affected individuals—the clients of advisors—has been to provide access to credit and identity theft monitoring and remediation services and products through LifeLock.
The timing of the firm’s response to the March 4 incident appears to violate at least one state’s data breach notification statute. The 80-day gap between the discovery of the data breach on March 4 and the notification letter sent to Duryea, a resident of Tennessee, stands in contrast with the state’s 45-day limit on notifications. The time limit can be extended in the event of a criminal investigation, but Redtail did not cite any such activity in its notification and Duryea said she hadn’t been contacted by law enforcement. Publicly displaying a Social Security number in Tennessee is a Class B misdemeanor, according to state law. The Tennessee attorney general’s office could not confirm or deny if it has opened an investigation into the incident, according to a spokesperson.
Companies that suffer self-inflicted data breaches, like Redtail, or are attacked by hackers, face a tangle of inconsistent state laws outlining their responsibilities to affected individuals. The New York Department of Financial Services has a 72-hour notification deadline in the event of an applicable cybersecurity event—but that’s just to the agency. Other states may have broader standards, such as requiring a notification for affected individuals as soon as is practical.
But delaying notification can have material consequences. In 2018, Uber agreed to pay $148 million to state enforcement officers over a 2016 data breach. The company delayed disclosure, resulting in the regulatory action, according to a cybersecurity memo compiled by law firm Cleary Gottlieb. Marriott International faced heat in November of the same year after the company it acquired in 2016, Starwood Hotels, had a compromised database that ended up affecting 383 million guests of the hotel chain. “Cyber diligence in mergers and acquisitions, including … any past breaches, has become standard practice,” noted the firm’s memo.
While states have their own laws, federal authorities are stretched thin. The Federal Trade Commission has only had 40 full-time employees dedicated to overseeing internet privacy and data security, according to an FTC request to lawmakers for more help made earlier this year and reported by The Hill. Its Republican-appointed leader, Chairman Joseph Simons, noted that “the U.K. Information Commissioners' office has about 500 employees, and the Irish Data Protection Commissioner has about 110 employees,” while acknowledging that those “entities have somewhat different mandates.”
Financial services regulators are still working to familiarize those in the wealth management industry with proper protocols and best practices in the event of a data breach. Data incidents may be subject to mandatory reporting based on state law, depending on the location of the advisor and the vendor, said FINRA.
A firm has to report a cyber breach to the regulator “only if the breach reaches Rule 4530’s reporting threshold,” according to a spokesperson. “FINRA member firms often voluntarily report breaches to FINRA, which can help us understand better the types of attacks and breaches to which member firms are subject.” The authority recommended reporting breaches and cyberattacks to the firm’s local FBI office.
The SEC, despite a stated focus on cybersecurity in its annual priorities letter, declined to comment on what responsibilities an advisor has in instances like that which involved Miller, Duryea and Redtail. It referred to its “Spotlight on Cybersecurity” webpage, which includes a link to the regulator’s Regulation S-P, referenced by both FINRA and the SEC. The rule “requires registered broker-dealers, investment companies, and investment advisers to ‘adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.’”
Responsibility and Liability Remain Murky
For advisors like Miller, responsibility to notify a client hinges on when and how much he knew about the breach. “As far as notification, it may depend on the mechanics of how data is acquired or shared with the vendor,” said Rahul Mukhi, a partner at law firm Cleary Gottlieb and a former assistant U.S. attorney in the Southern District of New York. “As a practical matter, if the advisor collected the information in the first instance, the advisor will want to take steps to make notifications once he or she has knowledge of a breach—to either notify the affected individuals, or have confirmation that the vendor is notifying the end users.”
If Redtail didn’t notify Miller, however, the onus falls on the vendor to address the issue. “If the advisor is in the dark, then they’re in the dark,” Mukhi said. “Still, they don’t want to create a situation where they are knowingly putting their head in the sand. And, in the event of a major breach, civil plaintiffs will likely allege that the advisor should have known of the breach, even if the incident was at the vendor level.” He cited Delta Air Lines’ responsibility in a situation where a third-party chat company had a data breach and the airline was held accountable for exposing customers’ payment information.
Lincoln Financial Group, Miller’s affiliate organization, outlines the steps it takes to ensure its clients’ security on its website. “Senior management, along with Lincoln’s Board of Directors, has deemed Cybersecurity a critical business priority,” according to the company’s cybersecurity overview. “Our cybersecurity approach comprises a set of comprehensive security policies and standards, a robust security awareness and education program, and the implementation of highly advanced, and layered preventative and detective controls.”
Lincoln provided a statement addressing the breach, saying it “takes its obligation to protect client information seriously—employing rigorous standards in data and information protection and requiring firms we work with to do so as well.” A company spokesperson declined to outline company protocol in the event of a vendor data breach and declined to address whether that protocol, if it exists, was followed.
Cybersecurity at the firm is ultimately the responsibility of Pat Lefemine, Lincoln Financial Group’s chief information security officer. Assisting him is “a dedicated cybersecurity team that is focused on protecting our clients’ personal data, and Lincoln continuously reviews cybersecurity measures that can be implemented to enhance protection of customer accounts,” according to the statement. Materials on the company’s website note the organization compels third-party contractors to undertake a “rigid security assessment process” and said it employs three teams of cybersecurity monitors.
When asked about when Lincoln Financial Group discovered that Redtail had exposed client information, the Group declined to provide an exact date. “There’s a lot of factors there, so we’re not going to give a specific date,” said a company spokesperson.
Lincoln’s statement noted the firm “worked closely with Redtail to identify and update the limited number of Lincoln advisors with clients impacted by this issue,” an indication of the scope of the data breach. The company didn’t provide details on the support it extends to its affiliate advisors in the event of a data breach, like the one that affected Redtail.
Months later, Duryea is still upset about the vendor’s handling of the incident which led her to pull her business from an advisor she previously relied upon. “It wouldn't have bothered me had [Redtail] not basically lied about what happened to all of these people and tried to make it look like, ‘Oh, we caught it and have like been proactive about it,’” she said. “My honest belief is that they intended to sit on it and not tell anyone.”