settled - Goodwin Procter LLP

Shared by: liwenting

Tags

Stats

views:: 4
posted:: 10/2/2011
language:: English
pages:: 24

Public Domain

Document Sample

UNITED STATES OF AMERICA

Before the

SECURITIES AND EXCHANGE COMMISSION

SECURTIES EXCHANGE ACT OF 1934
Release No. 64220 / April 7, 2011

ADMINISTRATIVE PROCEEDING
File No. 3-14328
______________________________
: ORDER INSTITUTING ADMINISTRATIVE
In the Matter of : AND CEASE-AND-DESIST PROCEEDINGS,
: PURSUANT TO SECTIONS 15(b) AND 21C
Marc A. Ellis, : OF THE SECURITIES EXCHANGE
: ACT OF 1934, MAKING FINDINGS, AND
Respondent. : IMPOSING REMEDIAL SANCTIONS AND
: A CEASE-AND-DESIST ORDER
______________________________:

The Securities and Exchange Commission (“Commission”) deems it appropriate and in
the public interest that public administrative and cease-and-desist proceedings be, and hereby
are, instituted pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934
(“Exchange Act”) against Marc A. Ellis (“Ellis” or “Respondent”).

II.

In anticipation of the institution of these proceedings, Respondent has submitted an Offer
of Settlement (the “Offer”) which the Commission has determined to accept. Solely for the
purpose of these proceedings and any other proceedings brought by or on behalf of the
Commission, or to which the Commission is a party, and without admitting or denying the
findings herein, except as to the Commission’s jurisdiction over him and the subject matter of
these proceedings, which are admitted, Respondent consents to the entry of this Order Instituting
Administrative and Cease-and-Desist Proceedings Pursuant to Sections 15(b) and 21C of the
Securities Exchange Act of 1934, Making Findings, and Imposing Remedial Sanctions and a
Cease-and-Desist (“Order”), as set forth below.
III.

On the basis of this Order and Respondent’s Offer, the Commission finds that1:

Summary

These proceedings arise out of violations by GunnAllen Financial, Inc. (“GunnAllen”),
formerly a Tampa, Florida-based broker-dealer, of Rule 30(a) of Regulation S-P (17 C.F.R. §
248.30(a)) (the “Safeguard Rule”). The Safeguard Rule requires broker-dealers to, among other
things, adopt written policies and procedures reasonably designed to protect customer
information against unauthorized access and use. Although GunnAllen maintained written
supervisory procedures for safeguarding customer information, they were inadequate and failed
to instruct the firm’s supervisors and registered representatives how to comply with the
Safeguard Rule. As Chief Compliance Officer (“CCO”), Ellis was charged with the
responsibility of maintaining and reviewing the adequacy of GunnAllen’s procedures for
protecting customer information. However, after the theft of three laptop computers and a
registered representative’s computer password credentials put customer information collected by
GunnAllen at risk of unauthorized access and use, Ellis did not direct the firm to revise or
supplement its policies and procedures for safeguarding customer information. As a result, Ellis
aided and abetted and caused GunnAllen’s violations of the Safeguard Rule.

Respondent

1. Ellis, 44, resides in Dix Hills, New York. From July 2005 through February 2009,
Ellis served as CCO of GunnAllen.

GunnAllen Financial, Inc.

GunnAllen’s Safeguard Procedures

3. Rule 30(a) of Regulation S-P, or the Safeguard Rule, requires every broker and dealer
registered with the Commission to adopt written policies and procedures that address
administrative, technical, and physical safeguards for the protection of customer records and
information, and that are reasonably designed to: (1) insure the security and confidentiality of

1
The findings herein are made pursuant to Respondent’s Offer of Settlement and are not binding on any other
person or entity in this or any other proceeding.

customer records and information; (2) protect against any anticipated threats or hazards to the
security or integrity of customer records and information; and (3) protect against unauthorized
access to or use of customer records or information that could result in substantial harm or
inconvenience to any customer.

4. Between July 2005 and February 2009, GunnAllen’s policies and procedures addressing
the protection of customer information were contained in its Written Supervisory Procedures
Manual (the “Manual”). Specifically, the Manual included a provision, less than a page long,
entitled “Safeguarding Information.” This provision was general and vague and, for several
reasons, failed to set forth policies and procedures reasonably designed to protect customer
information, as required by the Safeguard Rule. First, the provision simply recited the Safeguard
Rule verbatim and provided examples of safeguards that “may be adopted” by GunnAllen, but
did not specify any safeguards actually adopted by the firm, or otherwise require any of the listed
safeguards be adopted. Second, the provision also failed to instruct GunnAllen’s registered
representatives how to protect customer information or enumerate the steps that they needed to
take to ensure compliance with the Safeguard Rule. Moreover, the provision lacked procedures
addressing the follow-up of breaches or potential breaches in customer information uncovered by
GunnAllen and its registered representatives. Finally, the provision repeatedly referred to a
“Designated Principal” charged with, among other things, monitoring and annually testing the
firm’s safeguards and identifying reasonably foreseeable risks warranting improvements or
adjustments to the safeguards. However, the Manual failed to identify the “Designated
Principal” by name or position and, in fact, GunnAllen did not appoint a “Designated Principal.”

Breaches in GunnAllen’s Customer Records

5. The inadequacy of GunnAllen’s procedures for protecting customer information and the
firm’s failure to comply with the Safeguard Rule became apparent between August 2006 and
February 2008. During that period, laptop computers belonging to three GunnAllen registered
representatives and the computer password credentials belonging to a fourth were
misappropriated from the firm. Although no reports of misuse of customer information as a
result of any of the incidents subsequently arose, the thefts jeopardized the confidentiality and
integrity of customer information maintained by the firm and placed some information at risk of
unauthorized use that could have resulted in substantial harm or inconvenience to customers.

6. The first laptop computer was stolen in August 2006 from a GunnAllen franchise office
in the Orlando, Florida area. The laptop contained contact records reflecting the names,
addresses, and telephone numbers and, in many instances, spouses, dates of birth and social
security numbers of approximately 1,120 of the firm’s customers. GunnAllen filed a report of
the theft with local police and considered, but did not send, a letter to the affected customers
notifying them of the theft. The firm did not take any further steps concerning the matter and the
laptop was never recovered.

7. In January 2007, a GunnAllen franchise office in the Scottsdale, Arizona area uncovered
evidence that a registered representative who the firm had terminated almost a year earlier had
misappropriated another employee’s computer password credentials and was monitoring the
employee’s e-mails, including those exchanged with customers, from a remote location.
GunnAllen’s IT Department was notified about the compromised password and subsequently
confirmed that the terminated representative had gained unauthorized access to the firm’s e-mail
system and had been accessing the employee’s e-mail for at least three months and, possibly, as
much as a year. GunnAllen directed its employees in the franchise office to change their
computer password credentials and planned to implement an automated program, already under
development, requiring employees on a firm-wide basis to periodically change their computer
password credentials. The firm did not take any additional steps concerning the matter and did
not contact criminal authorities although recommended by its IT Department.

8. Further, in February 2008, laptop computers were misappropriated from two GunnAllen
registered representatives in separate incidences. The representatives reported the thefts to
GunnAllen and informed the firm’s IT Department that the laptops did not hold any customer
information. GunnAllen did not take any further steps concerning the thefts and the laptop
computers were never recovered.

9. GunnAllen’s senior managers, including Ellis and the firm’s General Counsel, learned
of the aforementioned thefts, but no single person or department directed or coordinated the
firm’s responses to the thefts. As a consequence, GunnAllen failed to assess what, if any, risks
the thefts posed to its customers and failed to take follow-up and remedial steps recommended
by its employees. For example, after the theft of the first laptop computer, a dispute arose
between GunnAllen’s General Counsel and its IT Department, as to which department was
responsible for sending a letter to the affected customers notifying them of the theft. A senior
GunnAllen officer subsequently sent an e-mail to the General Counsel and Ellis, who was
serving as the firm’s CCO, stating that the letter should be sent to the affected customers, but it
was never mailed.

Ellis Failed to Address GunnAllen’s

Inadequate Procedures for Safeguarding Customer information

10. While serving as CCO of GunnAllen from July 2005 to February 2009, Ellis was
responsible for implementing and maintaining policies and procedures ensuring the firm’s
compliance with Regulation S-P, including the Safeguard Rule mandating broker-dealers to
adopt written policies and procedures reasonably designed to protect customer records and
information. Ellis was also responsible for reviewing the adequacy of GunnAllen’s written
supervisory procedures contained in the Manual, including those concerning the Safeguard Rule.
Ellis, with the assistance of the firm’s Assistant Chief Compliance Officer, directed and oversaw
GunnAllen’s annual reviews of its written supervisory procedures in 2007 and 2008.

11. Ellis was notified of the laptop computer theft which occurred in August 2006 and the
discovery of the misappropriated computer password credentials in January 2007 by e-mail after
the events occurred. He was also orally informed of at least one of the two laptop computer
thefts shortly after the event occurred in February 2008. These thefts and GunnAllen’s limited
response or follow-up repeatedly revealed the firm’s policies and procedures for safeguarding
customer information to be inadequate. Nevertheless, and despite supervising two annual
reviews of GunnAllen’s written supervisory procedures, Ellis failed to direct the firm to
supplement the Safeguarding Information provision in the Manual or to adopt additional written
policies and procedures to protect customer information and ensure GunnAllen’s compliance
with the Safeguard Rule.

12. As a result of the conduct described above, Ellis willfully2 aided and abetted and caused
GunnAllen’s violations of Rule 30(a) of Regulation S-P under the Exchange Act, which requires
written policies and procedures that address administrative, technical, and physical safeguards
for the protection of customer information that were reasonably designed to: (1) insure the
security and confidentiality of customer records and information; (2) protect against any
anticipated threats or hazards to the security or integrity of customer records and information;
and (3) protect against unauthorized access to or use of customer records and information that
could result in substantial harm or inconvenience to any customer.

IV.

In view of the foregoing, the Commission deems it appropriate and in the public interest
to impose the sanctions agreed to in Respondent’s Offer.

Accordingly, pursuant to Sections 15(b) and 21C of the Exchange Act, it is hereby
ORDERED that:

A. Respondent Ellis cease and desist from committing or causing any violations and any
future violations of Rule 30(a) of Regulation S-P under the Exchange Act.

B. Respondent Ellis is censured.

C. Respondent Ellis shall, within ten days of the entry of this Order, pay a civil money
penalty of $15,000 to the United States Treasury. If timely payment is not made, additional
interest shall accrue pursuant to 31 U.S.C. 3717. Such payment shall be: (A) made by wire
transfer, United States postal money order, certified check, bank cashier’s check, or bank money
order; (B) payable to the Securities and Exchange Commission; (C) hand-delivered or mailed to
the Office of Financial Management, Securities and Exchange Commission, Operations Center,
6432 General Green Way, Alexandria, VA 22312-0003; and (D) submitted under cover letter
that identifies Ellis as a Respondent in these proceedings, the file number of these

2
A willful violation of the securities laws means merely “that the person charged with the duty knows what he is
doing.” Wonsover v. SEC, 205 F.3d 408, 414 (D.C. Cir. 2000) (quoting Huges v. SEC, 174 F.2d 969, 977 (D.C. Cir.
1949).

proceedings, a copy of which cover letter and wire transfer, money order or check shall be sent
to Teresa J. Verges, Assistant Regional Director, Miami Regional Office, Securities and
Exchange Commission, 801 Brickell Avenue, Suite 1800, Miami, FL 33131.

By the Commission.

Elizabeth M. Murphy
Secretary

Service List

Rule 141 of the Commission's Rules of Practice provides that the Secretary, or another
duly authorized officer of the Commission, shall serve a copy of the Order Instituting
Administrative and Cease-and-Desist Proceedings, Pursuant to Sections 15(b) and 21C of the
Securities Exchange Act of 1934, Making Findings, and Imposing Remedial Sanctions and a Cease-
and-Desist Order ("Order") on the Respondent and his legal agent.

The attached Order has been sent to the following parties and other persons entitled to
notice:

Honorable Brenda P. Murray
Chief Administrative Law Judge
Securities and Exchange Commission
100 F Street, N.E.
Washington, DC 20549-2557

Teresa J. Verges, Esq.
Miami Regional Office
Securities and Exchange Commission
801 Brickell Avenue, Suite 1800
Miami, FL 33131

Marc A. Ellis
c/o Debra A. Jenks, Esq.
Schwed McGinley & Kahle
11410 North Jog Road, Suite 100
Palm Beach Gardens, FL 33418

Debra A. Jenks, Esq.
Schwed McGinley & Kahle
11410 North Jog Road, Suite 100
Palm Beach Gardens, FL 33418

UNITED STATES OF AMERICA

Before the

SECURITIES AND EXCHANGE COMMISSION

SECURTIES EXCHANGE ACT OF 1934
Release No. 64221 / April 7, 2011

ADMINISTRATIVE PROCEEDING
File No. 3-14326
______________________________
: ORDER INSTITUTING ADMINISTRATIVE
In the Matter of : AND CEASE-AND-DESIST PROCEEDINGS,
: PURSUANT TO SECTIONS 15(b) AND 21C
: OF THE SECURITIES EXCHANGE
Frederick O. Kraus, : ACT OF 1934, MAKING FINDINGS, AND
: IMPOSING REMEDIAL SANCTIONS AND
Respondent. : A CEASE-AND-DESIST ORDER
______________________________:

II.

On the basis of this Order and Respondent’s Offer, the Commission finds that1:

Summary

These proceedings arise out of violations by GunnAllen Financial, Inc. (“GunnAllen”),
formerly a Tampa, Florida-based broker-dealer, of Regulation S-P which governs the privacy
and protection of consumer financial information. Between March and June 2010, as it was
winding down its business operations and planned to file for bankruptcy, GunnAllen’s president,
Kraus, authorized the transfer of approximately 16,000 direct application accounts to
GunnAllen’s National Sales Manager (the “Sales Manager”), and any broker-dealer with whom
the Sales Manager affiliated. Direct application accounts are those accounts held by the product
issuer, typically a mutual fund or insurance company.

On or before April 23, 2010, when the Sales Manager accepted employment with a new
broker-dealer and resigned from GunnAllen, he downloaded nonpublic customer information for
the 16,000 accounts on a portable thumb drive. Two weeks after joining the new broker-dealer,
the Sales Manager mailed a letter (its content was previously reviewed and approved by Kraus),
on GunnAllen letterhead notifying the account holders that GunnAllen could no longer service
the accounts, that he and his business partner were servicing the accounts, and advising them of
their right to “opt out” of the transfer. This after the fact notice failed to provide customers with
a reasonable opportunity to opt out of the transfer because, among other things, it did not provide
procedures on how to exercise that right, contact information or even the identity of the new
broker-dealer. Thereafter, the Sales Manager supplied the broker-dealer receiving the accounts
with nonpublic personal information for the 16,000 accounts, including the product custodian,
the account holder’s name and address, and the account number and value for each account.

GunnAllen’s transfer of this nonpublic information without providing its customers
reasonable notice to opt out violated Rule 10(a)(1) of Regulation S-P (17 C.F.R. §248.10(a)(1)),
which prohibits broker-dealers from disclosing nonpublic personal information they collect from
customers to nonaffiliated third parties unless they notify their customers of their right to opt out
of the disclosure in accordance with Rule 7(a) of Regulation S-P (17 C.F.R. §248.7(a)), and they
provide their customers with a reasonable opportunity to opt out of the disclosure. The customer
information was also transferred to the Sales Manager, and thereafter, the receiving broker, in a
manner that placed the information at substantial risk of unauthorized access and use in
contravention of GunnAllen’s obligation to ensure the security and confidentiality of the
information as required by Rule 30(a) of Regulation S-P (the “Safeguard Rule”) (17 C.F.R.
§248.30(a)). As a result, Kraus aided and abetted and caused GunnAllen’s violations of Rules
7(a), 10(a) and 30(a) of Regulation S-P.

Respondent

1
The findings herein are made pursuant to Respondent’s Offer of Settlement and are not binding on any other
persons or entities in this or any other proceeding.

1. Kraus, age 56, resides in St. Petersburg, Florida. From September 2009 to
September 2010, Kraus served as President of GunnAllen. Kraus also served as GunnAllen’s
Chief Financial Officer from October 2008 to September 2010, and the firm’s Director of
Supervision from January 2005 to August 2009.

GunnAllen Financial, Inc.

2. GunnAllen had a principal place of business in Tampa, Florida and was
registered with the Commission as a broker-dealer from March 1986 to April 2010. The firm
operated mostly under an independent contractor model and maintained franchise offices
nationwide. In March 2010, the Financial Industry Regulatory Authority (FINRA) determined
that GunnAllen did not have the requisite net capital to conduct business as a broker-dealer and
restricted its operations to liquidating securities transactions. Unable to raise the additional
capital it needed to continue to conduct business, in April 2010 GunnAllen discontinued its
operations, filed for bankruptcy, and submitted a Broker-Dealer Withdrawal, or “BDW”, Form
with the Commission withdrawing its registration. The withdrawal became effective on June 11,
2010.

The Account Transfers

3. As it was winding down its business operations in March and April 2010,
GunnAllen and its registered representatives transferred the firm’s customer accounts to other
broker-dealers. In addition to servicing the brokerage accounts held by its clearing firm,
GunnAllen serviced and was the broker of record on tens of thousands of direct application
accounts held by various mutual fund and variable annuity and insurance companies. As broker
of record on the direct application accounts, GunnAllen was entitled to the commissions, trailers
and other fees generated by the accounts.

4. On March 28, 2010, GunnAllen sent a letter, drafted by the Sales Manager but
reviewed and approved by Kraus, to all of the firm’s direct application account customers
notifying them that it expected to cease operations on March 31, 2010 (the “First Notice”). The
First Notice instructed customers that they had three options for arranging ongoing service of
their accounts: (i) they could contact their GunnAllen registered representative to make
arrangements to transfer their account to the new firm with which he or she associated, (ii) they
could contact a brokerage firm of their own choice and request their account be transferred to
that firm, or (iii) they could contact the mutual fund or variable annuity or insurance company
holding their investment directly to make arrangements for service.

5. However, on March 30, 2010, just two days after GunnAllen sent the First Notice,
Kraus authorized the transfer of approximately 16,000 direct application accounts serviced by
GunnAllen to the Sales Manager. Kraus executed “Block Broker-Dealer Change Authorization
for Directly Held Accounts” forms (the “Block Transfer Forms”) covering those accounts and
gave the signed Block Transfer Forms to the Sales Manager and another GunnAllen
representative with whom the Sales Manager planned to form a business partnership when
GunnAllen ceased doing business. By signing the Block Transfer Forms and turning them over
to the Sales Manager and his partner, Kraus authorized the transfer of the 16,000 accounts to any

broker-dealer that the Sales Manager and his partner chose to associate with after they left
GunnAllen.

6. In April 2010, while assisting Kraus in the wind down of GunnAllen’s business
operations, the Sales Manager and his partner sought employment with other brokerage firms by
offering, among other things, to transfer to them the direct application accounts for which they
held the Block Transfer Forms. On April 23, 2010, they were hired by another broker-dealer
registered with the Commission (the “Receiving Broker”). The Sales Manager and his partner
agreed to share 10% of the commissions, trailers and other fees generated by the accounts with
the Receiving Broker and to solicit the account holders to purchase additional products from the
Receiving Broker. On that same day, the Sales Manager resigned from GunnAllen.

7. On April 23, 2010, or shortly before then, the Sales Manager downloaded a
spreadsheet from a GunnAllen computer server or drive to a personal thumb drive and physically
removed it from the firm. The spreadsheet contained the custodian, account holder’s name and
address, account number and value of the approximately 16,000 direct application accounts
covered by the Block Transfer Forms authorized by Kraus. The spreadsheet indicated that the
direct application accounts included therein, in the aggregate, had a stated but not confirmed
estimated total value of $850 million as of March 23, 2010.

8. Two weeks after associating with the Receiving Broker, on May 14, 2010, the
Sales Manager sent the GunnAllen customers holding the direct application accounts a letter
notifying them that their accounts would be transferred to the brokerage firm he was newly
associated with unless they objected to the transfer within fifteen days of the date of the letter
(the “Second Notice”). Although the Sales Manager drafted and personally paid for the cost of
copying and mailing the letter, its content was reviewed and approved previously by Kraus, and
it was sent on GunnAllen letterhead. The Sales Manager engaged a third party vendor to copy
and mail the Second Notice on his behalf and supplied it with the customer names and addresses
he took from GunnAllen on his thumb drive.

9. After mailing the Second Notice, the Sales Manager contacted GunnAllen to see
if it had received notices from any customers seeking to opt out of the account transfer, but did
not take any other steps to verify customer objections to the transfer and, thereafter, e-mailed the
Receiving Broker the customer account information that he had taken from GunnAllen on his
thumb drive. His partner also supplied the Receiving Broker with the Block Transfer Forms
signed by Kraus.

10. Beginning on June 3, 2010, and continuing through at least June 7, 2010, the
Receiving Broker counter-signed the Block Transfer Forms accepting the direct application
accounts from GunnAllen. It also delivered the fully executed forms to the appropriate mutual
fund and variable annuity and insurance companies along with a letter instructing them to change
the broker of record on the direct application accounts from GunnAllen to the Receiving Broker.

Violations of the Privacy Rules

11. Rule 10(a) of Regulation S-P prohibits brokers and dealers, either directly or
through an affiliate, from disclosing nonpublic personal information about their customers to
nonaffiliated third parties unless they have provided their customers with a privacy notice
describing the nonpublic personal information they disclose, and notify their customers of their
right to opt out of any disclosure and afford them a reasonable opportunity to opt out of the
disclosure before it is made.

12. Rule 7(a) of Regulation S-P requires brokers and dealers to provide their
customers with opt out notices that are clear and conspicuous and that accurately explain
customers’ opt out rights. The notice must explicitly state that the broker or dealer discloses, or
reserves the right to disclose, nonpublic personal information about its customers and that they
have the right to opt out of any disclosure. Additionally, the notice must provide a reasonable
means by which customers can exercise their right to opt out.

13. GunnAllen violated Rules 7(a) and 10(a) of Regulation S-P by failing to provide
the direct application account customers whose accounts were transferred to the Receiving
Broker with proper notice and a reasonable opportunity to opt out of the transfer before
supplying their personal nonpublic information to the Sales Manager and the Receiving Broker.
Also, GunnAllen’s disclosure of the information was not covered by any exception from
Regulation S-P’s notice and opt out requirements, including an exception in Rule 14 of
Regulation S-P for disclosures that are required, or are a usual, appropriate, or acceptable
method, in connection with the transfer of accounts, because GunnAllen failed to obtain the
customers’ affirmative consent to transfer the direct applications accounts. The First and Second
Notices failed to inform account holders that GunnAllen would physically transfer or, in the case
of the Second Notice, had physically transferred, their account information. The Second Notice
also failed to provide account holders with a reasonable means to exercise their right to opt out
of the transfer, or sufficient time within which to do so. Further, the direct application account
customers were not provided with a paper or electronic form to object to the transfer although
Rule 7(a)(2)(iii) of Regulation S-P expressly states it is unreasonable “if the only means of
opting out is for the consumer to write his or her own letter to exercise the opt out right.”
Finally, the Second Notice provided only fifteen days to opt out of the transfer although the
circumstances did not warrant such a short response period.

14. As a result of the conduct described above, Kraus willfully aided and abetted and
caused GunnAllen’s violations of Rules 7(a) and 10(a) of Regulation S-P under the Exchange
Act.

Violations of the Safeguard Rule

15. Rule 30(a) of Regulation S-P, or the Safeguard Rule, requires every broker and
dealer to maintain policies and procedures that address administrative, technical, and physical
safeguards for the protection of customer records and information. The policies and procedures
must be reasonably designed to (1) insure the security and confidentiality of customer records

and information; (2) protect against any anticipated threats or hazards to the security or integrity
of customer records and information; and (3) protect against unauthorized access to or use of
customer records or information that could result in substantial harm or inconvenience to any
customer.

16. GunnAllen violated Rule 30(a) of Regulation S-P because it knew that there was a
reasonably foreseeable risk that its departing registered representatives would disclose customer
nonpublic personal information to successor brokerage firms but nonetheless failed to adopt, and
did not have in place while winding down its operations, any written policies or procedures
addressing the transfer and protection of such information.

17. As president of GunnAllen, Kraus was familiar with Regulation S-P and
GunnAllen’s responsibilities under the rule for maintaining the confidentiality and physical
security of the information that the firm collected from its customers. Nonetheless, he
knowingly placed customer information at substantial risk of unauthorized access and misuse
when he executed the Block Transfer Forms and authorized the Sales Manager to download
customer information for approximately 16,000 GunnAllen direct application accounts to a
personal thumb drive that he physically took from the firm.

18. As a result of the conduct described above, Kraus willfully aided and abetted and
caused GunnAllen’s violations of Rule 30(a) of Regulation S-P.

IV.

In view of the foregoing, the Commission deems it appropriate and in the public interest
to impose the sanctions agreed to in Respondent’s Offer.

Accordingly, pursuant to Sections 15(b) and 21C of the Exchange Act, it is hereby
ORDERED that:

A. Respondent Kraus cease and desist from committing or causing any violations and
any future violations of Rules 7(a), 10(a) and 30(a) of Regulation S-P under the Exchange Act.

B. R
espondent Kraus is censured.

C. Respondent Kraus shall pay a civil money penalty of $20,000 to the United States
Treasury. Payment shall be made in the following installments: $5,000 within 10 days of the
entry of this Order; $5,000 within 90 days of the entry of this Order; $5,000 within 180 days of
the entry of this Order; and $5,000 within 270 days of the entry of this Order. If any payment is
not made by the date the payment is required by this Order, the entire outstanding balance of the
civil penalty, plus any interest accrued pursuant to 31 U.S.C. 3717, shall be due and payable
immediately, without further application. Payments shall be: (A) made by wire transfer, United
States postal money order, certified check, bank cashier’s check, or bank money order; (B)
payable to the Securities and Exchange Commission; (C) hand-delivered or mailed to the Office
of Financial Management, Securities and Exchange Commission, Operations Center, 6432

General Green Way, Alexandria, VA 22312-0003; and (D) submitted under cover letter that
identifies Respondent’s name as a Respondent in these proceedings, the file number of these
proceedings, a copy of which cover letter and wire transfer, money order or check shall be sent
to Teresa J. Verges, Assistant Regional Director, Miami Regional Office, Securities and
Exchange Commission, 801 Brickell Avenue, Suite 1800, Miami, FL 33131.

By the Commission.

Elizabeth M. Murphy
Secretary

Service List

The attached Order has been sent to the following parties and other persons entitled to
notice:

Honorable Brenda P. Murray
Chief Administrative Law Judge
Securities and Exchange Commission
100 F Street, N.E.
Washington, DC 20549-2557

Teresa J. Verges, Esq.
Miami Regional Office
Securities and Exchange Commission
801 Brickell Avenue, Suite 1800
Miami, FL 33131

Frederick O. Kraus
c/o Burton W. Wiand, Esq.
Wiand Guerra King
3000 Bayport Drive
Tampa, FL 33607

Burton W. Wiand, Esq.
Wiand Guerra King
3000 Bayport Drive
Tampa, FL 33607

UNITED STATES OF AMERICA

Before the

SECURITIES AND EXCHANGE COMMISSION

SECURTIES EXCHANGE ACT OF 1934
Release No. 64222 / April 7, 2011

ADMINISTRATIVE PROCEEDING
File No. 3-14327
______________________________
: ORDER INSTITUTING ADMINISTRATIVE
In the Matter of : AND CEASE-AND-DESIST PROCEEDINGS,
: PURSUANT TO SECTIONS 15(b) AND 21C
: OF THE SECURITIES EXCHANGE
David C. Levine, : ACT OF 1934, MAKING FINDINGS, AND
: IMPOSING REMEDIAL SANCTIONS AND
Respondent. : A CEASE-AND-DESIST ORDER
______________________________:

II.

On the basis of this Order and Respondent’s Offer, the Commission finds that1:

Summary

These proceedings arise out of violations by GunnAllen Financial, Inc. (“GunnAllen”),
formerly a Tampa, Florida-based broker-dealer, of Regulation S-P which governs the privacy
and protection of consumer financial information. Between March and June 2010, as it was
winding down its business operations and planned to file for bankruptcy, GunnAllen’s president
authorized the transfer of approximately 16,000 direct application accounts with an estimated
total net asset value of $850 million to Levine, who then served as GunnAllen’s National Sales
Manager, and any broker-dealer with whom he became affiliated. Direct application accounts
are those accounts held by the product issuer, typically a mutual fund or insurance company.

In connection with this transfer, and prior to resigning from GunnAllen, Levine
downloaded nonpublic customer information for the 16,000 accounts on a portable thumb drive.
Levine resigned from GunnAllen on April 23, 2010, and then affiliated with a new broker-dealer.
Two weeks after joining the new broker-dealer, Levine mailed a letter, reviewed and approved
by GunnAllen’s president and on GunnAllen letterhead, notifying the 16,000 customers that
GunnAllen could no longer service the accounts, that Levine and his business partner were
servicing the accounts, and advising them of their right to “opt out” of the transfer. This letter
failed to provide customers with a reasonable opportunity to opt out of the transfer because,
among other things, it was sent after the customers’ information was transferred to Levine and it
did not provide procedures on how to exercise that right, contact information or even the identity
of the new broker-dealer. Thereafter, Levine supplied the broker-dealer receiving the accounts
with nonpublic personal information for the 16,000 accounts, including the product custodian,
the account holder’s name and address, and the account number and value for each account.

GunnAllen’s transfer of this nonpublic information without providing its customers
reasonable notice to opt out violated Rule 10(a)(1) of Regulation S-P (17 C.F.R. §248.10(a)(1)),
which prohibits broker-dealers from disclosing nonpublic personal information they collect from
customers to nonaffiliated third parties unless they notify their customers of their right to opt out
of the disclosure in accordance with Rule 7(a) of Regulation S-P (17 C.F.R. §248.7(a)), and they
provide their customers with a reasonable opportunity to opt out of the disclosure. Levine also
took possession of the information in a manner that placed the information at risk of
unauthorized access and use in contravention of GunnAllen’s obligation to ensure the security
and confidentiality of the information as required by Rule 30(a) of Regulation S-P (the
“Safeguard Rule”) (17 C.F.R. §248.30(a)). As a result, Levine aided and abetted and caused
GunnAllen’s violations of Rules 7(a), 10(a) and 30(a) of Regulation S-P.

1
The findings herein are made pursuant to Respondent’s Offer of Settlement and are not binding on any other
persons or entities in this or any other proceeding.

Respondent

1. Levine, age 44, resides in Delray Beach, Florida. From May 2005 to April 2010,
Levine served as GunnAllen’s National Sales Manager. Although he was employed with
GunnAllen through the end of April 2010, on March 30, 2010, GunnAllen filed Forms U5
terminating the registrations of all its representatives, including Levine’s.

GunnAllen Financial, Inc.

The Account Transfers

4. On March 28, 2010, GunnAllen sent a letter, drafted by Levine and reviewed and
approved by GunnAllen’s president, to all of the firm’s direct application account customers
notifying them that it expected to cease operations on March 31, 2010 (the “First Notice”). The
First Notice instructed customers that they had three options for arranging ongoing service of
their accounts: (i) they could contact their GunnAllen registered representative to make
arrangements to transfer their account to the new firm with which he or she associated, (ii) they
could contact a brokerage firm of their own choice and request their account be transferred to
that firm, or (iii) they could contact the mutual fund or variable annuity or insurance company
holding their investment directly to make arrangements for service.

5. However, on March 30, 2010, just two days after GunnAllen sent the First Notice,
at the request of Levine, GunnAllen’s president authorized the transfer of approximately 16,000
direct application accounts serviced by GunnAllen, which had an estimated total net asset value
of $850 million. GunnAllen’s president executed “Block Broker-Dealer Change Authorization
for Directly Held Accounts” forms (the “Block Transfer Forms”) covering those accounts and

gave the signed Block Transfer Forms to Levine and another GunnAllen representative with
whom Levine planned to form a business partnership when GunnAllen ceased doing business.
The executed Block Transfer Forms authorized the transfer of the 16,000 accounts to any broker-
dealer that Levine and his partner chose to associate with after they left GunnAllen.

6. In April 2010, while assisting in the wind down of GunnAllen’s business
operations, Levine and his partner sought employment with other brokerage firms by offering,
among other things, to transfer to them the direct application accounts for which they held the
Block Transfer Forms. On April 23, 2010, they were hired by another broker-dealer registered
with the Commission (the “Receiving Broker”). Levine and his partner agreed to share 10% of
the commissions, trailers and other fees generated by the accounts with the Receiving Broker and
to solicit the account holders to purchase additional products from the Receiving Broker.

7. The same day that Levine was hired by the Receiving Broker, he resigned from
GunnAllen. On April 23, 2010, or shortly before then, Levine, with the approval of GunnAllen’s
president, downloaded a spreadsheet from a GunnAllen computer server or drive to a personal
thumb drive and physically removed it from the firm. The spreadsheet contained the custodian,
account holder’s name and address (but not his or her social security number), and account
number and value for each of the approximately 16,000 direct application accounts covered by
the Block Transfer Forms.

8. Two weeks after associating with the Receiving Broker, on May 14, 2010,
Levine, with the approval of GunnAllen’s president, sent the GunnAllen customers holding the
direct application accounts a letter notifying them that their accounts would be transferred to the
brokerage firm he was newly associated with unless they objected to the transfer within fifteen
days of the date of the letter (the “Second Notice”). Levine drafted and personally paid for the
cost of copying and mailing the Second Notice, which was on GunnAllen letterhead. Levine
engaged a third party vendor to copy and mail the Second Notice on his behalf and supplied it
with the customer names and addresses he took from GunnAllen on his thumb drive.

9. After mailing the Second Notice, Levine contacted GunnAllen to see if it had
received notices from any customers seeking to opt out of the account transfer, but did not take
any other steps to verify customer objections to the transfer and, thereafter, e-mailed the
Receiving Broker the customer account information that had been released to him by GunnAllen
on his thumb drive. Levine’s partner supplied the Receiving Broker with the Block Transfer
Forms.

Violations of the Privacy Rules

13. GunnAllen violated Rules 7(a) and 10(a) of Regulation S-P by failing to provide
the direct application account customers whose accounts were transferred to the Receiving
Broker with proper notice and a reasonable opportunity to opt out of the transfer before
supplying their personal nonpublic information to Levine and the Receiving Broker. Also,
GunnAllen’s disclosure of the information was not covered by any exception from Regulation S-
P’s notice and opt out requirements, including an exception in Rule 14 of Regulation S-P for
disclosures that are required, or are a usual, appropriate, or acceptable method, in connection
with the transfer of accounts, because GunnAllen failed to obtain the customers’ affirmative
consent to transfer the direct applications accounts. The First and Second Notices failed to
inform account holders that GunnAllen would physically transfer or, in the case of the Second
Notice, had physically transferred, their account information. The Second Notice also failed to
provide account holders with a reasonable means to exercise their right to opt out of the transfer,
or sufficient time within which to do so. Further, the direct application account customers were
not provided with a paper or electronic form to object to the transfer although Rule 7(a)(2)(iii) of
Regulation S-P expressly states it is unreasonable “if the only means of opting out is for the
consumer to write his or her own letter to exercise the opt out right.” Finally, the Second Notice
provided only fifteen days to opt out of the transfer although the circumstances did not warrant
such a short response period.

14. As a result of the conduct described above, Levine willfully2 aided and abetted
and caused GunnAllen’s violations of Rules 7(a) and 10(a) of Regulation S-P.

Violations of the Safeguard Rule

15. Rule 30(a) of Regulation S-P, or the Safeguard Rule, requires every broker and
dealer to maintain policies and procedures that address administrative, technical, and physical

safeguards for the protection of customer records and information. The policies and procedures
must be reasonably designed to (1) insure the security and confidentiality of customer records
and information; (2) protect against any anticipated threats or hazards to the security or integrity
of customer records and information; and (3) protect against unauthorized access to or use of
customer records or information that could result in substantial harm or inconvenience to any
customer.

17. As a senior officer of GunnAllen, Levine was familiar with Regulation S-P and
GunnAllen’s responsibilities under the rule for maintaining the confidentiality and physical
security of the information that the firm collected from its customers. Nonetheless, he placed
customer information at risk of unauthorized access and misuse when he knowingly downloaded
customer information for approximately 16,000 GunnAllen direct application accounts to a
personal thumb drive that he physically took from the firm.

18. As a result of the conduct described above, Levine willfully aided and abetted and
caused GunnAllen’s violations of Rule 30(a) of Regulation S-P.

IV.

In view of the foregoing, the Commission deems it appropriate and in the public interest
to impose the sanctions agreed to in Respondent’s Offer.

Accordingly, pursuant to Sections 15(b) and 21C of the Exchange Act, it is hereby
ORDERED that:

A. Respondent Levine cease and desist from committing or causing any violations and
any future violations of Rules 7(a), 10(a) and 30(a) of Regulation S-P.

B. R
espondent Levine is censured.

C. Respondent Levine shall, within ten days of the entry of this Order, pay a civil money
penalty of $20,000 to the United States Treasury. If timely payment is not made additional
interest shall accrue pursuant to 31 U.S.C. 3717. Such payment shall be: (A) made by wire
transfer, United States postal money order, certified check, bank cashier’s check, or bank money
order; (B) payable to the Securities and Exchange Commission; (C) hand-delivered or mailed to
the Office of Financial Management, Securities and Exchange Commission, Operations Center,
6432 General Green Way, Alexandria, VA 22312-0003; and (D) submitted under cover letter
that identifies Levine as a Respondent in these proceedings, the file number of these

proceedings, a copy of which cover letter and wire transfer, money order or check shall be sent
to Teresa J.

Verges, Assistant Regional Director, Miami Regional Office, Securities and Exchange
Commission, 801 Brickell Avenue, Suite 1800, Miami, FL 33131.

By the Commission.

Elizabeth M. Murphy
Secretary

Service List

The attached Order has been sent to the following parties and other persons entitled to
notice:

Honorable Brenda P. Murray
Chief Administrative Law Judge
Securities and Exchange Commission
100 F Street, N.E.
Washington, DC 20549-2557

Teresa J. Verges, Esq.
Miami Regional Office
Securities and Exchange Commission
801 Brickell Avenue, Suite 1800
Miami, FL 33131

David C. Levine
c/o Gregg J. Breitbart, Esq.
Gusrae, Kaplan, Bruno & Nusbaum PLLC
2101 NW Corporate Boulevard, Suite 218
Boca Raton, FL 33431

Gregg J. Breitbart, Esq.
Gusrae, Kaplan, Bruno & Nusbaum PLLC
2101 NW Corporate Boulevard, Suite 218
Boca Raton, FL 33431

Related docs

Other docs by liwenting

Notes ABE Math Vocabulary Student Glossary

Views: 6 | Downloads: 0

sell-buy seminar.APR 07.ppt - Lake Tahoe Real Estate Blog

Views: 10 | Downloads: 0

Hi Alex

Views: 8 | Downloads: 0

PPI

Views: 48 | Downloads: 0

Folie 1

Views: 12 | Downloads: 0

Business Requirement Statement

Views: 27 | Downloads: 1

wb_english

Views: 41 | Downloads: 0

ADI D2A Validation Rules

Views: 65 | Downloads: 0

wegbeschrieb_e

Views: 5 | Downloads: 0

11 1124 CHECKLIST AND SAMPLE FORMS PDO PDO SoMin

Views: 570 | Downloads: 0