There have been a number of weird news stories this week, so the Bloomberg terminal data breach scandal may not be getting enough time in the limelight. Recently, it has come to light that employees at Bloomberg have access to at least some information regarding users' search habits. Bloomberg currently has more than 315,000 terminals at client offices, mostly financial institutions, but also law firms. (Our campus also has some.) From these terminals, users can do a vast array of things, from researching specific companies to chatting to sending emails to making financial trades. Think of it like Westlaw or Lexis -- you can do a thousand things on those websites, but you mainly read law review articles, cases and statutes. Bloomberg terminals are very expensive ($20k/year) and also not committed to being user-friendly. Though Westlaw and Lexis gave up dedicated terminals decades ago and went from dial-up access to a web-friendly interface, Bloomberg has remained pretty hard to learn how to use, which may be why users are so hesitant to give it up after mastering it.
This week, Bloomberg is trying to allay its clients' fears by saying that journalists could see some data, but not important data (chatting, emailing, trading, specific research), and Wall Street firms are trying to get more commitments from Bloomberg as to what was accessible and what will be accessible going forward. But what interests me is what I'm not seeing anywhere -- what does the SEC think is important here?
Back in the day, and I assume now, lots of people devoted a lot of time to trying to collect information on companies that might be engaged in M&A activity. A common legend around my law firm was that individuals would pose as messengers to go to the conference room floor and peruse the sign-in book to see what sorts of people were in the same conference room. I'm sure that was an example of an amateurish effort. A famous insider trading case involved the guy who worked for the financial printer trading on information he gleaned from reading documents there. I don't think you have to be a mystery novelist to come up with a scenario whereby a journalist at Bloomberg sees which (M&A lawyer) users are logging on and what sorts of things they are looking at and cobbles together insider information. The EIC of Bloomberg, Matthew Winkler, says that no one could access specific securities information, but could see aggregate information "akin to being able to see how many times someone used Microsoft Word vs. Excel." What about aggregate information such as a steep increase in users accessing company information on Company X? (N.B.: Bloomberg offers a service called Bloomberg Law, which is separate from the terminals that are at the heart of the breach this week. However, many law firms have Bloomberg business terminals.)
And now that we realize that Bloomberg could see that individual users were logging on and off (or not) of their terminals, is anyone interested in what folks at Westlaw or Lexis see? I would think that a sudden unease now exists for any research service that gives us a user logon associated with an individual's name and employer, whether that's a law firm or an investment bank.