Friday, March 25, 2011

Financial Services Companies Fear that Proposed SEC Whistleblower Rules Could Breach Customer Information Walls

In a letter to the SEC, banking and financial services associations cautioned that the Commission’s proposed whistleblower rules would create powerful financial incentives for unscrupulous persons to download, copy, and steal confidential corporate and customer information in order to substantiate their claims and receive monetary rewards. Financial services companies are particularly concerned about data breaches, said the letter, because so much of their corporate information consists of non-public customer information. Whistleblowers who download information to support their claims may, deliberately or inadvertently, come into possession of such customer information.

In the joint letter, the Financial Services Roundtable and the American Bankers Association said that the costs to the banking and financial services industry of preventing and detecting data breaches, and of notifying customers when their information is at risk of misuse, are already huge. Moreover, once corporate and customer information leaves its corporate data environment, especially if it leaves in electronic form, further distribution is virtually guaranteed. The associations believe there is no good reason to create new incentives for such breaches.

Proposed Rule 21F-4(b)(4)(vi) provides that the SEC will not consider information to be derived from the whistleblower’s independent knowledge if the knowledge upon which the analysis is based is obtained in violation of federal or state criminal law. The Proposing Release says that a whistleblower should not be rewarded for violating a federal or state criminal law, doubting whether Congress intended to encourage whistleblower assistance to a law enforcement authority where the assistance itself is undertaken in violation of law. The Proposing Release asks whether the exclusion is appropriate, whether it should extend to other types of criminal violations, and whether it should exclude persons who provide information in violation of judicial or administrative orders.

In the letter, the associations said that bounties should not be paid for reports based on information obtained in violation of any civil law prohibition, including any legal or regulatory privacy requirement, any foreign civil or criminal law or regulation, any other legal proscription, or any company policy designed to facilitate compliance with those requirements. Quite simply, they said, violations of such laws, court orders, legal proscriptions or company policies should not be rewarded.

The industry urged the SEC to ensure that the whistleblower program includes provisions clarifying that whistleblowers responsible for obtaining information in violation of any of the above prohibitions will not be protected by the anti-retaliation provisions, and will be subject to criminal prosecution and/or civil actions under applicable state and federal law.

1 comment:

Anonymous said...

My question is more whether the company that suffers the breach will be liable for any civil suit or regulatory action. As in, if the SEC passes a rule that tempts-- inadvertently or not-- someone to steal protected data, does the company then get nailed under HIPAA or the Gramm-Leach-Bliley Act? Somehow that strikes me as wrong.

Better yet, if the whistleblower is ever identified, could he or she be sued by someone whose data was compromised, in some sort of civil damages for identity theft? It's a stretch, I know, but it seems to me that some liability is there.