The SEC has charged three employees at Florida-based GunnAllen Financial Inc. for violations of Regulation S-P including: improperly transferring customer data to a third party, improperly responding to data breaches, and failing to have adequate policies and procedures in place to protect customer information. Each defendant entered into a consent order with the SEC pursuant to which each was censured and ordered to pay fines up to $20,000.
At issue were Rules 7(a), 10(a) and 30(a) of Regulation S-P. Rule 10(a), 17 C.F.R. § 248.10(a), provides that brokers and dealers may not disclose information to a non-affiliated third party, unless the consumer receives an initial notice, an opt out notice under Rule 7(a), a reasonable time to opt out, and does not, in fact, opt out. Additionally, Rule 30(a), 17 C.F.R. § 248.30(a), requires every broker, dealer, and investment company to “adopt policies and procedures that address … safeguards for the protection of customer records and information.” Those policies “must be reasonably designed to … [i]nsure the security and confidentiality of customer records and information.”
According to the SEC’s consent orders, GunnAllen was in the process of winding down its affairs and filing for bankruptcy immediately prior to the SEC’s investigation. During that winding down, the firm’s President allegedly authorized the transfer of 16,000 direct application accounts to the firm’s National Sales Manager. The SEC found that the Sales Manager, after obtaining new employment, downloaded personal information related to the 16,000 accounts. The Sales Manager then sent a letter on GunnAllen letterhead informing customers that he was now servicing the accounts and that the customer had the right to opt out. The SEC nonetheless found a violation of Rule 10(a), because the notice was provided after the transfer had already taken place, not before it.
The SEC also found that GunnAllen experienced a number of security breaches prior to the SEC’s action, namely the loss of laptops containing customer information on more than one occasion and the misappropriation of an employee’s computer credentials by a former employee that resulted in three months of unauthorized access to the compromised employee’s email account. The SEC found fault with GunnAllen’s failure to report the laptop thefts, failure to notify customers of the possible breach of their personal information as a result of the thefts, and failure to respond to the misappropriation of credentials any more strongly than by directing employees to change their passwords regularly.
Though the breaches were most likely what prompted the SEC’s action, the Commission also came down hard on what it perceived to be GunnAllen’s lack of policies and practices. It found that the “general and vague” principles in the firm’s “Written Supervisory Procedures Manual” were not specific enough: they merely restated portions of Regulation S-P, failed to identify a “Designated Principal” charged with testing the firm’s safeguards, and provided no specific instruction to GunnAllen employees as to how they should guard customer information or what to do in the case of a breach.
The SEC’s action puts brokers and others that fall within the purview of Regulation S-P on notice. The consent orders make clear that the Commission expects brokers and dealers to take real action in response to Regulation S-P by developing policies and procedures ahead of any breach, and to take decisive action after a breach to notify customers and ensure that a similar breach does not happen again. Failing to take proactive steps to comply with Regulation S-P appears to be growing more and more penny-wise and pound-foolish.