Brock also detailed to TheStreet the complaints of a customer who said that he had asked his son to mimic his voice to test Vanguard's "Voice Verification System." Vanguard's system allowed the son to gain access to the father's account, Brock said. Brock told TheStreet that the Voice Verification problem had subsequently been fixed.
Last year, at an in-house training session for Vanguard's new Personal Advisor Services money management product, Brock says she pointed out to an instructor that names, email addresses, phone numbers and account numbers of several current or prospective clients had evaded the redaction process in a 97-page manual that had not been marked "Internal Use Only." Brock provided a copy of the manual to TheStreet.
Vanguard manages $3 trillion for 20 million clients, 90% of whom access their accounts online. Brock has not been the only one complaining about Vanguard's account security. Several commenters on a popular online website called Bogleheads.org criticized Vanguard's security measures in 2012 after the firm landed on a list called the "Password Hall of Shame."
Brock said that she served 640 of Vanguard's "flagship" customers, who are high-net-worth clients with accounts of $1 million or more. In interviews this summer, Brock said that management had told her "You need to stop talking about these things because it really upsets people."
She filed whistleblower complaints with the Securities and Exchange Commission and FINRA in May 2014. FINRA told Vanguard in a May 29 letter that it had closed its examination of the case. The SEC would not comment when I asked about Brock's complaint earlier in the summer, but Brock said that several officials at the agency interviewed her for nearly two hours in January.
Gary Aguirre, a lawyer who represents whistleblowers, said that the laws concerning whistleblowers are evolving so quickly that it would be hard to guess whether Brock might have a solid retaliation case against Vanguard.
"Companies can call what a whistleblower does whatever they want to call it," he said. "The best example is when they say someone was fired because they breached a confidentiality contract." In Brock's case, Vanguard said she had violated its professional conduct rules.
If Brock was fired for talking to the media, she might have a valid retaliation case if the information she gave to TheStreet mirrored the information she gave to the SEC, Aquirre said. "Obviously, what she did is in the spirit of the whistleblower laws," he said. "Whether she comes within the letter of a particular statue or some case law is another thing."