By Andrew Smith
On April 7, the U.S. Securities and Exchange Commission announced an administrative settlement in which it fined three individuals a total of $55,000 for violations of the Privacy Rule and Safeguards Rule of Regulation S-P. The SEC stated that this is the first case in which it has assessed civil penalties for violations of its Privacy Rule. The Privacy Rule requires that consumers be provided with notice and an opportunity to "opt out" of certain disclosures of personal financial information to non-affiliated third parties.
The three named individuals were associated with the now-defunct securities broker-dealer GunnAllen Financial Inc. As GunnAllen was winding down its operations last year, it sent a notice to the holders of its "direct application accounts" that the firm was liquidating and that the accountholders could permit their GunnAllen representative to make arrangements for their account, or they could take their accounts to a firm of their own choosing. (Direct application accounts are accounts maintained by investors directly with mutual funds or issuers of variable annuities, and for which GunnAllen served as "broker of record," primarily for the purpose of collecting sales commissions.) Less than a month after sending that letter, a GunnAllen registered representative downloaded the information for all of the direct application accounts to his personal thumb drive and took them to a new firm. He did this with the blessing of GunnAllen management.
The SEC alleged that, by this transfer, GunnAllen violated the Privacy Rule, because the individual accountholders were not provided adequate notice and an opportunity to opt out of the transfer. Furthermore, "GunnAllen’s disclosure of the information was not covered by any exception from Regulation S-P’s notice and opt-out requirements, including an exception in Rule 14 of Regulation S-P for disclosures that are required, or are a usual, appropriate or acceptable method, in connection with the transfer of accounts, because GunnAllen failed to obtain the customers’ affirmative consent to transfer the direct applications accounts."
The SEC alleged further that GunnAllen violated the Safeguards Rule, based on the downloading of accountholder data to a personal thumb drive, as well as a series of securities breaches that predated the data transfer.
The SEC charged the three named individuals with "aiding and abetting" GunnAllen's rule violations, and fined two of them $20,000 and fined the third $15,000.
Andrew Smith is a partner at Morrison Foerster’s Washington, DC, offices.