The time it took Redtail Technology to tell advisors using its client relationship management software about a data breach of their clients’ personal data could end up landing it in trouble with state regulators, according to news reports.
Earlier this month, Redtail told affected advisors that it learned on March 4 that its logging systems inadvertently captured the data of some investors, including names, physical addresses, dates of birth and Social Security numbers, and put it in a file accessible to anyone on the internet.
Redtail CEO Brian McLaughlin claimed that less than 1% of the firm’s clients were affected by the exposure.
Nonetheless, Redtail may have waited too long to announce the breach, Sara Jodka, a cybersecurity and data privacy attorney with Dickinson Wright, tells InvestmentNews.
"Normally, two months is not going to be unreasonable, but it is odd in this [case] because it’s an internal issue," Jodka tells the publication. "You’re not dealing with a nefarious outside force."
Jodka represents CRM firms, but none of these clients are in the financial services industry and therefore don’t compete directly with Redtail, InvestmentNews writes.
She tells the publication that Redtail’s reasoning for the delay — that it had to conduct forensics as well as build new applications to identify affected clients — “sounds right.”
Nonetheless, Ohio requires firms to notify users of data breaches within 45 days of learning about them, while in Florida it’s within 30 days, according to Jodka, InvestmentNews writes.
And Massachusetts has amended a data breach law recently to specify that firms can’t delay notifying users on the grounds that they’re trying to determine the number of the state’s residents affected, according to the publication.
Redtail has also notified affected investors about the breach and offered them free access to credit and identity theft monitoring and remediation products. That move too has drawn criticism.
"It’s improper for them to contact the end investor," Bart McDonough, CEO and founder of cybersecurity and managed IT provider Agio, tells InvestmentNews.
Meanwhile, an Aite Group analyst tells the publication vulnerabilities such as the one at Redtail plague many other firms. In a recent analysis of 30 mobile apps offered by financial services firms in the U.S. and Europe, Aite found that debug log files becoming publicly accessible was a common problem, InvestmentNews writes.
"Many of the apps I looked at were also mistakenly configured to log in debug mode, logging everything happening within the app, including sensitive data to log files," Alissa Knight, a senior analyst with Aite Group’s cybersecurity practice, tells the publication.
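The failure mode both the Redtail notice and Knight's study describe is a debug-level logger writing whatever passes through the application, identifiers included, to a file that later ends up exposed. The following Python example is added here to illustrate one defensive control; it is not code from the article, Redtail or Aite Group. It assumes the standard library `logging` module and uses constructed regular expressions for SSNs and MM/DD/YYYY dates of birth, a logger-level filter that redacts those values before any handler writes them, and a small audit helper that reports handlers still emitting DEBUG records.

```python
import io
import logging
import re

# Constructed patterns for two identifier types named in the Redtail notice:
# US Social Security numbers and MM/DD/YYYY dates of birth.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

def redact(text: str) -> str:
    """Mask SSN and date-of-birth patterns; everything else passes through unchanged."""
    text = SSN_RE.sub("***-**-****", text)
    return DOB_RE.sub("**/**/****", text)

class PIIRedactingFilter(logging.Filter):
    """Scrubs the fully formatted message before any handler (file, console, remote) writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # arguments are already interpolated into msg
        return True

def debug_handlers(logger: logging.Logger) -> list:
    """Handlers that would emit DEBUG records: the misconfiguration Knight describes."""
    if not logger.isEnabledFor(logging.DEBUG):
        return []
    return [h for h in logger.handlers if h.level <= logging.DEBUG]

def build_logger(name: str, level_name: str) -> tuple:
    """Constructed setup: an in-memory buffer stands in for the application's log file."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.getLevelName(level_name))
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PIIRedactingFilter())  # on the logger, so every sink gets scrubbed text
    return logger, buf

def log_client_record(level_name: str) -> str:
    """Log a constructed CRM sync record the way an over-eager debug line might; return the 'file'."""
    logger, buf = build_logger("crm.sample." + level_name, level_name)
    logger.debug("sync client %s ssn=%s dob=%s", "Jane Doe", "123-45-6789", "03/04/1985")
    logger.info("sync complete for ssn=%s", "987-65-4321")
    return buf.getvalue()
```

Running `log_client_record("DEBUG")` shows the debug line still reaches the file but with the SSN and date of birth masked, while `debug_handlers` flags the DEBUG-level sink so a deployment check can refuse that configuration in production.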
Knight didn’t disclose the firms in the study but said they included those in banking, financial technology and retail brokerage, according to InvestmentNews.
Twenty-nine of the 30 apps studied had vulnerabilities — and Knight was able to pinpoint them in less than nine minutes on several of them, according to the publication.
A particular problem is in how companies use application programming interfaces (APIs) to integrate with outside parties, Knight tells InvestmentNews. And that’s an area hackers have been increasingly focused on, she says, according to the publication.
"Hackers are beginning to shift their focus to attacking organizations and end users via their mobile apps by finding vulnerabilities in the code due to a lack of code obfuscation being employed to secure apps," Knight wrote in her report, according to InvestmentNews.