Privacy & Information Security Law Blog

On April 7, 2011, the Securities and Exchange Commission announced a settlement involving three former brokerage firm executives charged with “failing to protect confidential information about their customers.”  According to the announcement, “this is the first time that the SEC has assessed financial penalties against individuals charged solely with violations of Regulation S-P.”  Regulation S-P mandates that financial firms safeguard their customers’ confidential information and prevent its release to unaffiliated third parties without authorization.

The SEC alleged that the former president of Florida-based GunnAllen Financial, Inc. had allowed the firm’s national sales manager to take information from over 16,000 customer accounts as GunnAllen was closing up shop in 2010.  Without notifying the affected customers or providing them with an opportunity to opt-out, the departing employee transferred the downloaded customer data, including “names and addresses, account numbers, and asset values” to his new employer, in violation of Regulation S-P.  The SEC also found that GunnAllen’s information security procedures were inadequate, alleging that despite “several serious security breaches at GunnAllen from July 2005 to February 2009,” involving stolen company laptop computers and unlawful access to company emails, the former chief compliance officer failed to improve the firm’s policies to safeguard customer data.

As a result of the settlement, GunnAllen’s former president and national sales manager must each pay $20,000, and the former chief compliance officer has been ordered to pay $15,000.

View the SEC’s press release and orders.