Redtail response to investor data leak may have broken state laws

Redtail Technology may have broken state cybersecurity regulations with its response to leaked investor personal identifying information.

The fintech firm waited more than two months to begin notifying investors after first detecting an internal error that exposed investor names, physical addresses, dates of birth and Social Security numbers on the public internet. Redtail, which sells client relationship management software, said it discovered and repaired the breach on March 4, but it didn’t start notifying impacted investors until May 17.

All 50 states now have regulations requiring companies to notify customers when their personal data is compromised, said Sara Jodka, a cybersecurity and data privacy attorney with Dickinson Wright.

(Disclosure: Ms. Jodka represents other CRM companies, but none in the financial sector that compete with Redtail.)

Ohio requires companies to notify users within 45 days of learning about the breach, Ms. Jodka said. Florida’s limit is 30 days.

Most states, even those with the strictest regulations, require firms to publicly disclose a breach as soon as is reasonable, but Redtail might not meet that standard in some regulators’ eyes.

“Normally, two months is not going to be unreasonable, but it is odd in this [case] because it’s an internal issue,” Ms. Jodka said. “You’re not dealing with a nefarious outside force.”

Redtail addressed the timing issue in its letter to advisers. The firm said the nature and format of the data required extra time to investigate and identify which individuals were affected. Redtail said it had to build new applications for the

Keep reading this article on Investment News - Newspaper.