Ameriprise Financial Services has agreed to pay the state of Massachusetts $25,000 for the loss of a laptop containing personal and financial data on thousands of residents.
The laptop was stolen in December 2005 from an Ameriprise employee who had left it unsecured and unattended in a locked vehicle in a parking lot. The laptop has since been recovered.
The computer contained information on 158,000 customers, including their names, account numbers or Social Security numbers and account values. It also held identifiable personal information about 68,000 current and former Ameriprise advisors, including their names and Social Security numbers.
The employee used the information, which was not encrypted, to create business reports. But according to Secretary of State William Galvin, the employee violated Ameriprise policies and procedures by leaving the company's premises with the laptop and by not encrypting the sensitive information.
In addition, saving the information to the laptop's hard drive was a violation of Ameriprise's policies and procedures at the time, according to a memorandum of understanding between the state and the company. After the laptop was recovered, a forensic analysis firm determined that none of the sensitive data had been accessed.
Ameriprise has also agreed to hire an independent consultant to review its policies and procedures concerning the use of laptops that contain personal and financial information of its customers, Galvin said. The consultant will be required to submit a written report to Galvin's office within six months, setting out recommendations and including written verification that Ameriprise has implemented them.
"The amount of personal data that was on this employee's laptop computer is shocking," Galvin said in a statement. "Most of this information should not have been there. Registered broker dealers who give employees access to sensitive personal information and then allow them to carry this information on laptop computers must be held responsible and must implement all reasonable steps to prevent this form of investor abuse."