Data Security Encroachment Lifts SEC’s Eyebrow
For the first time since the rule was put in place, the Securities and Exchange Commission has charged three former executives of a brokerage firm with failing to safeguard their customers’ data.
An investigation carried out by Sue Curtin and Teresa Verges of the SEC’s Miami Regional Office found that two former executives of GunnAllen Financial Inc. had violated ‘Regulation S-P’. Frederick Kraus, former president, and David Levine, former national sales manager, allegedly transferred customer information to another firm without the customers’ consent while the brokerage firm was winding down its business. Former chief compliance officer Mark Ellis was similarly charged for failing to enforce data security policies and procedures.
InAudit noted that 3 out of 8 financial firms are prone to losing customers’ data because of poor data security measures, according to a study conducted by software company Informatica. Respondents to the research agreed that their companies’ reputations had been put at stake after instances of data loss.
“Brokerage customers should be able to trust that sufficient safeguards are in place to protect their private information from unauthorized access and misuse,” SEC’s Miami Regional Office Director Eric Bustillo said, adding that the security of customer data is especially important when a firm is winding down operations.
When the business was wound down in April 2010, Kraus allegedly allowed Levine to transfer the information contained in more than 16,000 GunnAllen accounts to his new employer. The information included customer names and addresses, account numbers, and asset values, which Levine downloaded to a portable drive.
Under Regulation S-P, customer data may be transferred to a third party only with the consent of the account holders, a provision the three former executives violated when they notified the customers only after the transfer had taken place.
From July 2005 to February 2009, GunnAllen suffered several data privacy breaches, ranging from the loss of three laptop computers to the unauthorized access of its e-mail system by a terminated employee using stolen password credentials.
In settling the suit filed by the SEC, Kraus, Levine, and Ellis agreed to ‘cease and desist’ from committing further violations of the provisions of Regulation S-P, which requires financial companies to maintain a high level of data security to prevent customer data from leaking to unauthorized third parties.
The SEC also named Ellis in the suit because he failed to enforce data security and protection procedures and failed to revise them to meet the need for more secure handling of customer data.
Kraus and Levine agreed to pay $20,000 each in penalties while Ellis consented to a penalty of $15,000.