Previously, we discussed the Securities and Exchange Commission’s (“SEC”) order against Morgan Stanley Smith Barney LLC (“Morgan Stanley”) in connection with the company’s failure to safeguard customer information (see the SEC order here). As we reported earlier, there have been a number of high-profile data breaches lately, resulting in large administrative penalties and consent orders against violators. The Federal Reserve Board’s (“FRB”) order of August 2, 2016 (the “order”), directing The Goldman Sachs Group, Inc. (“Goldman Sachs”) to pay a $36.3 million civil money penalty for its unauthorized use and disclosure of confidential supervisory information, significantly larger than the $1 million penalty that Morgan Stanley was ordered to pay in June, is the latest such event.
Confidential supervisory information includes “reports of examination and other confidential reports prepared by banking regulators, and any information derived from, related to, or contained in such reports, and any documents prepared by, on behalf of, or for the use of the [Federal Reserve Board], a Federal Reserve Bank, or a federal or state financial institution’s supervisory agency.” Companies are not allowed to use or disclose confidential supervisory information without the prior approval of the appropriate federal or state banking agency, which, in this case, is the FRB’s Board of Governors. The order says that Goldman Sachs employees, including senior managers, had such information in their possession without the necessary authorization and that one employee disseminated it to several other employees. The order also says that Goldman Sachs personnel improperly used that confidential supervisory information, without authorization, in presentations to clients and prospective clients in an effort to solicit business for the company.
According to the order, Goldman Sachs lacked adequate policies and procedures designed to detect or prevent the unauthorized dissemination and use of confidential supervisory information, and it failed to monitor electronic mail for documents containing confidential supervisory information. To Goldman Sachs’s credit, it terminated the employee and his direct supervisor and reported the matter to the Federal Reserve Bank and other federal and state authorities. Goldman Sachs has also made improvements in its governance, compliance, and audit policies and procedures related to the use and dissemination of confidential supervisory information, including implementing policies, procedures, training, and monitoring. The order directs Goldman Sachs to, among other things: (i) certify deletion of all documents containing unauthorized confidential supervisory information; (ii) submit an acceptable written remedial plan and timeline for implementation; and (iii) appoint a board committee to monitor compliance with the order and submit progress reports detailing all actions taken. Last, but not least, the order imposed a civil money penalty in the amount of $36,300,000.00.
So what can small and mid-sized businesses learn from this?
First of all, it can happen to any company, large or small, and businesses would be well advised to review their internal policies, procedures, and system controls regarding sensitive information and cybersecurity risks. Second, although there are usually statutory maximum penalties that can be imposed on individual and institutional violators, there have been movements to update and strengthen civil penalty statutes by increasing the statutory limits, directly linking the size of the penalty to the scope of the harm, and substantially raising the financial stakes for repeat violations. Because the goal of monetary penalties is deterrence, authorities will impose whatever amount is necessary to deter future violations, and there is no exception for small businesses or first-time violators.
If you have any questions about the content of this blog or any other business law issues, please contact us.
This posting is intended to be a planning tool to familiarize readers with some of the high-level issues discussed herein. This is not meant to be a comprehensive discussion and additional details should be discussed with your transaction planners including attorneys, accountants, consultants, bankers and other business planners who can provide advice for your circumstances. This article should not be treated as legal advice to any person or entity.
Steps have been taken to verify the contents of this article prior to publication. However, readers should not, and may not, rely on this article. Please consult with counsel to verify all contents and do not rely solely on this article in planning your legal transactions.
See generally In re The Goldman Sachs Group, Inc., Order To Cease and Desist and Order of Assessment of Civil Money Penalty Issued Upon Consent Pursuant to the Federal Deposit Insurance Act, as Amended, Docket No. 16-011-BH-C; 16-011-CMP-HC (Aug. 2, 2016). Unless otherwise noted, all references to the FRB allegations are to this citation.
There is a separate order against Joseph Jiampietro, a former employee of Goldman Sachs. This post focuses only on the order against Goldman Sachs.