Risk
4/11/2011
01:06 PM
50%
50%

SEC Fines Former Executives For Client Privacy Breach

Private information on 16,000 customers was transferred to a departing manager's new employer in violation of government notification and opt-out regulations.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
The Securities and Exchange Commission (SEC) announced Thursday that it's levied its first-ever fine against people solely for failing to properly protect customer data.

According to the SEC, the charges involve former employees of GunnAllen Financial, a broker-dealer that was winding down its operations last year, prior to being liquidated in November 2010. The SEC said that "former president Frederick O. Kraus and former national sales manager David C. Levine violated customer privacy rules by improperly transferring customer records to another firm."

The third person charged was chief compliance officer Mark A. Ellis, for failing "to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information," said the SEC. The agency also labeled GunnAllen's data privacy rules and regulations as "vague" and little more than a rewording of SEC regulations.

Kraus and Levine were ordered to pay penalties of $20,000 each, and Ellis $15,000. None confirmed or denied the SEC's findings.

"Brokerage customers should be able to trust that sufficient safeguards are in place to protect their private information from unauthorized access and misuse," said Eric I. Bustillo, director of the SEC's Miami regional office, in a statement. "Protecting confidential customer information is particularly important when a broker-dealer is winding down operations."

As far as SEC privacy fines go, this case is a first, in that it's the first one in which people were charged only with violating Regulation S-P, which is known as the Safeguard Rule. According to a blog post from attorney Michael Epshteyn, an associate at Hogan Lovells, Regulation S-P "requires broker-dealers, investment advisers, and other financial institutions under the SEC's jurisdiction to protect their customers' nonpublic personal information and to provide their customers the right to opt out of having their information shared with unaffiliated third parties."

According to the SEC, "Kraus authorized Levine to take information from more than 16,000 GunnAllen accounts to his new employer as the firm wound down operations in April 2010. Levine downloaded customer names and addresses, account numbers, and asset values to a portable thumb drive, and provided the records to his new employer after resigning from GunnAllen."

Customers didn't receive sufficient or advance notice that their data was being shared, said the SEC, and weren't given the required option to opt out.

Interestingly, GunnAllen had been previously involved in at least four breaches involving customer data -- three involving stolen laptops, and one case of a former employee accessing corporate email using stolen credentials. "Despite the security breaches, Ellis failed to revise or supplement GunnAllen's policies and procedures for safeguarding customer information," said the SEC.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4632
Published: 2015-01-31
VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 does not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers, and bypass intended backup and restore access restrictions, via a crafted certifica...

CVE-2014-7287
Published: 2015-01-31
The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.

CVE-2014-7288
Published: 2015-01-31
Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.

CVE-2014-8266
Published: 2015-01-31
Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) body field.

CVE-2014-8267
Published: 2015-01-31
Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.