The Securities and Exchange Commission (the “SEC”) settled administrative proceedings against the former president, the former chief compliance officer (the “CCO”) and the former national sales manager of a Tampa-based brokerage firm (the “Firm”) that was winding down its operations. The SEC found that the Firm’s former president authorized the former national sales manager to transfer private information regarding Firm customers to a broker-dealer where the national sales manager was subsequently employed without giving the customers reasonable notice and opportunity to opt out of the transfer of their personal information as required under Regulation S-P. The SEC also found that the means by which customer account information was transferred to a successor broker-dealer violated Regulation S‑P’s provisions that require a broker‑dealer to protect customer information against unauthorized access and use (the “Safeguard Rule”) and that the Firm’s overall policies and procedures for protecting the confidentiality of customer information were inadequate. This article provides highlights of the SEC’s findings with respect to violations of the Safeguard Rule.
Regulation S-P Safeguard Rule. Section 30(a) of Regulation S-P requires every broker‑dealer registered with the SEC to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. The policies and procedures should be designed to: (i) insure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Violations Involving Transfer of Customer Account Information. As the Firm was winding down its business operations, the Firm’s former president authorized the former national sales manager to transfer information from more than 16,000 Firm accounts to the sales manager’s new firm by downloading customer names, addresses, account numbers and asset values to a thumb drive that was physically removed from the Firm. The SEC found that these acts placed customer information at an impermissible risk of unauthorized access and misuse in violation of the Safeguard Rule. The SEC also found that the Firm violated the Safeguard Rule because, although it knew that there was a reasonably foreseeable risk that its departing registered representatives would disclose customer nonpublic personal information to successor brokerage firms, the Firm did not adopt any written policies or procedures addressing the transfer and protection of such information.
Inadequate Policies and Procedures for Protecting Customer Information. The SEC criticized the Firm’s policies and procedures for safeguarding customer information as too general and vague, observing that they merely recited the Safeguard Rule, only provided examples of safeguards that “may be adopted,” and failed to set forth specific policies and procedures to protect customer information. The SEC cited the fact that the Firm failed to instruct its registered representatives on how to protect customer information or enumerate the steps needed to ensure compliance with the Safeguard Rule, and did not set forth steps for following up on breaches or potential breaches of customer information security uncovered by the Firm and its registered representatives. The SEC also cited the fact that although the policies and procedures referenced a “Designated Principal” responsible for monitoring and testing the Firm’s safeguards on an annual basis to identify the foreseeable risks warranting improvements or adjustments to the safeguards, no such person was ever named as the “Designated Principal.”
Inadequate Response to Compliance Failures. As a basis for its findings, the SEC noted the theft of laptop computers from three Firm employees and the unauthorized use of password credentials by a former employee to obtain confidential customer information, although no reports of misuse of customer information were subsequently received by the Firm. In 2006, a Firm laptop containing nonpublic personal information of 1,120 Firm customers, including in some cases dates of birth and social security numbers, was stolen from one of the Firm’s franchise offices. The Firm filed a police report regarding the theft and considered, but did not send, a letter to the affected customers notifying them of the theft. Nearly two years later, two other Firm laptop computers were misappropriated from registered representatives in separate incidents. The representatives stated that the laptops did not contain any customer information; the Firm took no further steps concerning the stolen laptops, which were not recovered. In 2007, a terminated registered representative misappropriated another employee’s computer password credentials and was able to monitor the employee’s e-mails for at least three months, and possibly as much as a year, after termination. In response to the breach, the Firm instructed the employees of the office where the incident occurred to change their computer password credentials, but failed to implement a firm-wide policy requiring employees to change their password credentials on a periodic basis. The Firm did not take any additional steps to address the matter and did not contact law enforcement authorities to report the breach, despite a recommendation to do so by the Firm’s IT department.
Oversight by the CCO. Between July 2005 and February 2009, the CCO was responsible for oversight of the Firm’s written policies and procedures designed to address the Safeguard Rule. His responsibilities included, in part, annual review of the policies and procedures to ensure their adequacy. The CCO was informed of the laptop computer thefts and the unauthorized use of an employee’s password credentials. However, despite supervising two annual reviews of the Firm’s policies and procedures, the CCO failed to direct the Firm to supplement the procedures for safeguarding customer information so as to ensure compliance with the Safeguard Rule.
Sanctions. In addition to being censured and ordered to cease and desist from violations of Regulation S‑P, each of the former executives agreed to pay penalties, $20,000 each in the case of the former president and former national sales manager and $15,000 in the case of the former chief compliance officer. The press release announcing the settlement orders commented that these proceedings marked the first time that the SEC had assessed financial penalties against individuals solely on the basis of Regulation S-P violations.