Company Agrees to Pay $300,000 to Resolve SEC Charge Over Employee Data Breach

Proxy advisor, Institutional Shareholder Services Inc. (ISS), recently agreed to pay a $300,000 fine arising out of a data breach after an SEC investigation. According to the SEC Order, an ISS employee revealed material, non-public information about clients participating in proxy contests to a proxy solicitor. In exchange for the confidential information, the proxy solicitor gave the ISS employee meals and expensive tickets to concerts and sporting events. The employee gathered the confidential information by logging into the ISS website from home or work and used his personal email account to communicate the confidential information to the proxy solicitor. ISS did have a Code of Ethics that prohibited unauthorized disclosures of confidential client information and barred employees from using confidential client information for their personal benefit. However, the SEC found that ISS lacked sufficient controls over employee access to confidential client information and that ISS failed to establish or enforce written policies and procedures. ISS has not admitted or denied wrong doing, but has agreed to engage an independent compliance consultant in addition to paying the fine.

TIP: Employers should not rely on a general Code of Ethics policy as the sole method to control employee access to and use of confidential information. A well written policy will not serve as protection if it is not also disseminated and enforced.   

This tip has been created for information and planning purposes. It is not intended to be, nor should it be, substituted for legal advice, which turns on specific facts.