February 19, 2019


February 18, 2019


CFTC Settles Charges Against AMP Global Clearing for Failing to Supervise Implementation of its Security Program

The Commodity Futures Trading Commission (CFTC) has made another foray into data security, announcing today an order settling charges against AMP Global Clearing LLC (AMP) stemming from AMP’s failure to supervise the implementation of its information systems security program. Between June 21, 2016 and April 17, 2017, AMP stored thousands of customer records in an improperly protected internal network. This fact was discovered after an unknown third party, with no affiliation to AMP, accessed AMP’s network and copied 97,000 files containing personally identifiable information. The third party then contacted federal authorities, and later AMP. Although AMP cooperated with the CFTC and worked to fix the issue, the CFTC later brought charges against the company for failing to supervise the implementation of critical provisions of AMP’s information systems security program.

Specifically, the order finds that AMP failed to supervise its IT service provider’s implementation of the critical provisions of the security program, including identifying and performing risk assessments of access routes into AMP’s network, performing regular network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network. AMP’s failure left a significant amount of records and information vulnerable to cyber-criminals for nearly 10 months. The order requires AMP to pay a $100,000 civil monetary penalty, cease and desist from violating the CFTC regulation governing diligent supervision, and provide two written follow-up reports to the CFTC.

James McDonald, the CFTC’s Director of Enforcement, commented about the order: “Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.”

The matter highlights the need for proper vendor management. Companies are obligated under a wide, and ever-growing, array of data security laws and regulations to actively supervise vendors with responsibility for implementing the company’s information security program.

Copyright © by Ballard Spahr LLP


About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

Zaven Sargsian, Ballard Spahr Law Firm, Salt Lake City, Real Estate, Commercial Litigation Attorney

Zaven A. Sargsian is an associate in the Commercial Litigation Group. Mr. Sargsian is a pro bono volunteer at the Street Law Clinic and Family Law Clinic.

Judicial Externships

Hon. David Nuffer, U.S. District Court for the District of Utah, 2012-2013

Hon. Stephen L. Roth, Utah Court of Appeals, 2012