As we have reported previously on our blog, federal agencies, including the FTC, NLRB and EEOC, have been very active in taking action against privacy and information security violations. This trend continues with the Securities and Exchange Commission’s (SEC’s) recent announcement of a settlement with three former executives of a brokerage firm (GunnAllen Financial, Inc.). The SEC alleged that the former executives violated the Commission’s Privacy Rule and Safeguards Rule (Regulation S-P) and aided and abetted the firm in violating these rules. This enforcement action marks the first time the SEC assessed financial penalties against individuals charged solely with violating Regulation S-P.

Factual Background

The SEC alleged that in 2010, before leaving GunnAllen, the firm’s national sales manager David Levine downloaded onto his thumb drive the nonpublic customer information of approximately 16,000 individuals who were GunnAllen account holders. According to the SEC, Levine then mailed a letter on GunnAllen letterhead notifying the 16,000 individuals that their accounts were being transferred to Levine’s new brokerage firm. The letter also advised the individuals of their right to opt out of the transfer. Levine then disclosed the information to his new firm. The SEC alleged that the account holders were informed about the transfer of their data only after the transfer occurred.

The SEC alleged that GunnAllen’s former president Frederick Kraus approved Levine’s letter to GunnAllen’s account holders and permitted Levine to download the customer information onto his thumb drive. Finally, according to the SEC, GunnAllen’s former chief compliance officer Mark Ellis, who was responsible for ensuring that the firm had in place adequate policies and procedures to protect customer information, failed to supervise Kraus and Levine.

Alleged Information Security Violations by GunnAllen

The SEC alleged that GunnAllen violated the SEC’s Safeguards Rule. The Safeguards Rule requires brokers and dealers to maintain policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. The policies and procedures must be reasonably designed to (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. Although GunnAllen had in place policies and procedures addressing the protection of customer information, the SEC alleged that they did not meet the Safeguards Rule’s requirements. Specifically, the SEC alleged that the policies and procedures failed to address the risk that the firm’s departing representatives would disclose customer nonpublic personal information to successor brokerage firms. The SEC also alleged that GunnAllen violated the Safeguards Rule by failing to revise its information security practices after a series of security breaches the firm experienced between 2005 and 2009.

Alleged Privacy and Information Security Violations by GunnAllen Executives

The SEC alleged that Levine’s actions violated the SEC Privacy Rule because the letter Levine sent to GunnAllen’s account holders informed the individuals of the transfer only after the fact and did not give them a reasonable opportunity to opt out of the transfer. With some exceptions, the Privacy Rule prohibits brokers and dealers from disclosing nonpublic personal information about their customers to nonaffiliated third parties for those parties’ own purposes unless the broker or dealer:

(1) provided its customers with a privacy notice;

(2) notified the customers of their right to opt out of the disclosure; and

(3) afforded the customers a reasonable opportunity to opt out of the disclosure before it is made.

The SEC alleged that Levine’s letter was not timely, failed to explain how individuals could exercise their opt-out right, did not identify the new brokerage firm servicing their accounts, and failed to provide the new firm’s contact information.

The SEC further alleged that Kraus violated the Privacy and Safeguards Rules by approving Levine’s letter and permitting Levine to download the customer information to his thumb drive. The SEC alleged that Ellis violated the rules by failing to supervise Levine and Kraus, failing to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information, and failing to update the firm’s relevant policies and procedures following the information security breaches the firm experienced between 2005 and 2009.

Finally, the SEC alleged that, by their conduct, the three former executives aided and abetted GunnAllen in violating Regulation S-P.

Without admitting or denying the SEC’s allegations, Kraus, Levine and Ellis each consented to the entry of an administrative order requiring them to cease and desist from violating Regulation S-P now and in the future. The SEC imposed a fine of $20,000 on Kraus and Levine and $15,000 on Ellis.

SEC Privacy and Information Security Enforcement History

The SEC has previously taken numerous enforcement actions with respect to privacy and information security violations of the Privacy Rule and the Safeguards Rule. For example, in October 2009, Commonwealth Equity Service LLP, a stock trading firm, settled the SEC’s charges that it violated the SEC’s Safeguards Rule. The firm experienced an information security breach when a perpetrator installed a virus on the firm’s computers and obtained the login credentials of one of the firm’s registered representatives. The perpetrator used the login details to access the firm’s customer accounts and place unauthorized securities orders in excess of $500,000. The SEC alleged that the firm violated the Safeguards Rule by (1) failing to require the firm’s registered representatives to maintain antivirus software on their computers; (2) failing to audit computers to determine whether antivirus software had been installed; (3) failing to implement policies and procedures to appropriately review the firm’s registered representatives’ computer security measures; and (4) failing to implement procedures to track and address information security issues. The SEC alleged that, as a result of these failures, the firm’s customer information was left vulnerable to unauthorized access. To settle the SEC’s charges, Commonwealth Equity Service paid a penalty of $100,000 and agreed to cease and desist from committing or causing future violations of the Safeguards Rule.

InfoLawGroup Says: With a boom in federal and state agency privacy and information security enforcement, companies have to assess the adequacy of their privacy and data security practices. This assessment should include understanding the privacy and data security legal requirements that could impact the company’s business, and ensuring that the company’s practices are consistent with those requirements.

InfoLawGroup’s Nicole Friess and Boris Segalis collaborated on this blog post.