On April 7, 2011, the Securities and Exchange Commission (“SEC”) formally charged three former brokerage executives with violations of Regulation S-P.1 Each of these individuals had a senior management position at GunnAllen Financial, Inc. (“GunnAllen” or the “firm”), which was in the process of winding down its business operations. Specifically, the former president and national sales manager were charged with transferring customer records to another firm, while the chief compliance officer failed to ensure that GunnAllen’s policies and procedures were reasonably designed to protect customers’ non-public information.2
These charges mark the first time the SEC has assessed financial penalties against individuals for their violations of Regulation S-P, which collectively amounted to penalties of $65,000.3 Regulation S-P is designed to specifically safeguard and protect non-public consumer information.4 The issuance of such charges underscores the SEC’s focus on the need for financial firms to establish sufficient safeguards to protect confidential consumer information from unauthorized access and misuse.
Regulation S-P Violations Allegedly Committed by the GunnAllen Executives
Under Regulation S-P, financial firms must provide consumers with the opportunity to decide whether their non-public personal information will be shared with non-affiliated companies. The former executives for GunnAllen used portable thumb drives to transfer customer names, addresses, account numbers and asset values, and provided these records to their new employers. Account holders later learned of the illicit transfers, after their information had been shared with the unauthorized third parties.5 The SEC found that the transfer of consumer non-public information without providing reasonable notice and an opportunity to opt out is contrary to Rule 10(a) of Regulation S-P,6 which led to the issuance of charges against these individuals.
In addition, the SEC found that GunnAllen, through the aiding and abetting by its former executives, violated Rule 30 of Regulation S-P, which is commonly referred to as the Safeguarding Rule.7 Though GunnAllen had policies and procedures in place, the SEC found that these procedures were inadequate to protect and safeguard non-public consumer information. The SEC cited that GunnAllen’s policies merely restated portions of Regulation S-P and failed to specify safeguard protocols adopted by the firm. Moreover, GunnAllen’s policies and procedures failed to instruct the firm’s supervisors and registered representatives on how to comply with privacy laws.8 GunnAllen’s policies also referenced a “Designated Principal” who was responsible for monitoring and testing the firm’s safeguards and identifying foreseeable risks to those implemented safeguards. However, the “Designated Principal” was not identified by name or position and GunnAllen had in fact failed to appoint such a Principal.9
Notably, GunnAllen previously was aware that its policies and procedures for safeguarding nonpublic consumer information had gaps and were potentially insufficient. Between July 2005 and February 2009, GunnAllen had experienced security breaches when three of its laptop computers were stolen and passwords misappropriated by a former GunnAllen employee. Following these security breaches, GunnAllen’s former Chief Compliance Officer, Marc Ellis, failed to adequately enhance the Safeguarding Information provisions of the firm’s adopted policies and procedures.10 As a result, the SEC found that the former CCO willfully aided and abetted GunnAllen’s violations of Rule 30 of Regulation S-P.
Regulation S-P Rule Provisions Applicable to this Case
In its investigation and subsequent charges against GunnAllen and its former executives, the SEC found violations of three key safeguarding provisions of Regulation S-P:
- Rule 30(a) – The Safeguarding Rule requires firms to maintain policies and procedures that adequately address administrative, technical and physical safeguards for the protection of customer records and information.
- Rule 7(a) – Under Rule 7(a), firms are required to provide their customers with opt-out notices that clearly explain the customer’s right to opt out and provide a reasonable method for the customer to do so.11
- Rule 10(a) – Under Rule 10(a), firms are prohibited from disclosing non-public personal information to non-affiliated third parties unless a privacy notice has been provided to customers. This notice must describe the type of information the firm may disclose and afford the customers a reasonable opportunity to opt out of the disclosure before it is made.12
Guidelines for compliance with Regulation S-P
As seen in the proceedings against GunnAllen and its three former executives, both firms and individuals can be held liable for violating Regulation S-P, and ordered to pay monetary penalties for failure to comply with safeguarding nonpublic consumer information.13
Based on this recent administrative proceeding, financial firms subject to Regulation S-P should consider the following risk management tips related to privacy safeguards:
- Review written policies and procedures to ensure that they detail the firm’s privacy practices on how to protect consumer information against unwanted dissemination.
- Ensure that written policies and procedures include safeguarding protocols related to the misappropriation or sharing of passwords.
- Designate specific personnel responsible for testing and monitoring the firm’s privacy safeguarding procedures.
- Review your privacy notice to ensure it sufficiently describes the firm’s policies for protecting non-public information and affords an adequate method for clients to opt out of sharing with non-affiliated third-party companies.
- Administer firm-wide training sessions annually that educate employees about privacy regulations and how the firm maintains compliance with these safeguards.
For more information about state and federal privacy requirements, or how to test the adequacy of your privacy safeguards, please contact us at (619) 298-2880, firstname.lastname@example.org, or visit www.jackolg.com. Thank you.
Author: Michelle L. Jacko, Esq., Managing Partner, JLG. JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds and banks on legal and regulatory compliance matters.
This article is for information purposes and does not contain or convey legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.
1 See In the Matter of Marc A. Ellis, SEC Release No. 64220, Administrative Proceeding File No. 3-14328.
2 For specific information related to each of these individuals’ charges, please refer to: http://www.sec.gov/litigation/admin/2011/3464220.pdf; http://www.sec.gov/litigation/admin/2011/34-64221.pdf; http://www.sec.gov/litigation/admin/2011/34-64222.pdf.
3 Frederick Kraus, former President, and David Levine, former National Sales Manager of GunnAllen, were each ordered to pay penalties of $20,000; Marc Ellis, GunnAllen’s former Chief Compliance Officer, was ordered to pay a $15,000 penalty.
4 Regulation S-P can be found at 17 CFR Part 248.
5 See In the Matter of Frederick O. Kraus, SEC Release No. 64221, April 7, 2011, Administrative Proceeding File No. 3-14326.
6 17 C.F.R. §248.10 provides limits on disclosure of nonpublic personal information to nonaffiliated third parties.
7 17 C.F.R. §248.30 provides for procedures to safeguard customer records and information and disposal of consumer report information.
8 See In the Matter of Marc A. Ellis, SEC Release No. 64220, Administrative Proceeding File No. 3-14328, at 3.
10 Id. at 5.
11 As stated in Rule 7(a)(2)(ii), it is unreasonable “if the only means of opting out is for consumer to write his/her own letter exercising the right to opt out.”
12 See In the Matter of Marc A. Ellis, SEC Release No. 64220, Administrative Proceeding File No. 3-14328, at 5.
13 SEC Release 2011-86, available at http://sec.gov/news/press/2011/2011-86.htm.