Dante J. DiFrancesco entered the securities industry in 1994 and in October 2004 joined Banc of America Investment Services, Inc. ("BAIS") . In keeping with Wall Street's penchant for paperwork, DiFrancesco signed a BAIS Confidentiality Agreement, a BAIS Series 7 Agreement, and a BAIS Multiple Employment Agreement. If DiFrancesco has a wazoo, then he was up to it with BAIS agreements.
Among the issues addressed in the BAIS agreements was that DiFrancesco was bound for a period of twelve months after his termination, to not solicit any customers to whom he had provided services while employed by the firm. Also, DiFrancesco was subject to the BAIS Code of Conduct ("BAIS Code"). The BAIS agreements and Code contained language that essentially provided that confidential customer information was BAIS's sole and exclusive property. In accepting employment, DiFrancesco had agreed that he would not reproduce or appropriate for his or others' use any property of BAIS, of which the confidential customer information was one such item. DiFrancesco and other BAIS employees were admonished in written agreements and the BAIS Code that:
Access to personal customer information should be restricted to a business need-to-know basis;
Absent the customer's consent, associates should not disclose personal information to nonaffiliated third parties, except to the extent required by law or customer agreements;
A high-level of confidentiality was to be afforded to confidential customer information, such as: account numbers, customer account balances and transaction information, financial condition, anticipated changes in management, business plan or projections; and
Any information shared with third parties will be limited to that needed or legally required and may be subject to confidentiality agreements.
In March 2007, DiFrancesco began looking to leave BAIS and eventually met with Dan Kasht, manager of the Elmsford, New York branch office of National Securities Corp. ("NSC"). During his conversation with Kasht, DiFrancesco stated his intention to bring his 180 to 200 clients from BAIS - and he stated that he did not have any employment contracts with BAIS or other impediments to such client transfers.
DiFrancesco did not have a physical book of clients and decided that he would copy his clients' information, e.g., names, addresses, telephone numbers, account numbers, and net worth information, from BAIS's computer database. On May 24, 2007, while still employed at BAIS, DiFrancesco downloaded his clients' information and attempted to email it to his home email account. However, BAIS's email review system intercepted the email and prevented it from being transmitted. That same day, his manager came by his office and told him that the email with his client list had been quarantined.
Wow - AWKWARD!
A Matter of Interpretation ?
Having set off all sorts of internal bells and whistles, DiFrancesco and his manager agreed that he would leave BAIS immediately. According to DiFrancesco, he asked his manager if he could take his client list with him, and his manager answered, "Don't worry about that."
Don't worry about it. As in, sure, go ahead, no problem, take all the confidential customer information that you downloaded from BAIS's computers ? Or, as in, fuggedaboutit, wattya nuts?
Apparently there wasn't much vague about "don't worry about that," for DiFrancesco, who apparently interpreted his manager's comment as meaning "good luck and good-bye." Notwithstanding, DiFrancesco also seemed to have at least gotten the impression that despite his manager's best wishes, that boss wasn't about to voluntarily hand over the embargoed client list. Hey, sometimes we see what we want to see and hear what we want to hear.
So, comfortable with his interpretation of events surrounding his failed emailing of the customer information, DiFrancesco entered the BAIS computer system and, once again, downloaded his clients' information - this time, however, onto a portable flash drive. Afterwards, when questioned about the use of the flash drive, a refreshingly candid, DiFrancesco admitted that he didn't think that BAIS would have permitted him to send another email with the attached list and, in anticipation another intercept and quarantine, he felt the flash drive was an alternative. As such, the portable drive seemed a solution.
On May 25, 2007, having accomplished the download and save, DiFrancesco then said farewell, left BAIS premises, and had the flash drive in his pocket as he went home.
Not Excellent With Excel
Now an unexpected twist occurs. When DiFrancesco gets home, pops in the flash drive, and opens up an Excel spreadsheet, he sees that he inadvertently downloaded the names, addresses, telephone numbers, account numbers, and net worth information for approximately 36,000 additional BAIS customers. Now what? DiFrancesco only intended to download his 180 to 200 clients on his way to join NSC but he seemed to have hit the mother lode.
On June 6, 2007, DiFrancesco sent Kasht an email with the Excel spreadsheet as an attachment from his home email address. In the email, DiFrancesco advised that he was having troubles exporting his client files and noted that the attachment had some 31,000 BAIS customers account data. Apparently, DiFrancesco was not particularly savvy with Excel and he intended to "scratch out" the thousands of non-client names. Subsequently, he destroyed the flash drive.
Turn Off the Fan
On June 11, 2007, DiFrancesco started work at NSC and began using the downloaded information to send letters to his clients. There would be about one week of calm before the crap would hit the fan.
On June 18, 2007, BAIS' lawyers sent a fax to Kasht of a letter that they had sent to DiFrancesco threatening legal action the former employee for failing to adhere to his written BAIS agreements. The letter accused DiFrancesco of misappropriating confidential customer information and improperly soliciting BAIS's customers to transfer their accounts to NSC. The letter demanded that DiFrancesco immediately cease and desist using BAIS confidential and proprietary customer information."
Kasht stated that NSC would not have hired DiFrancesco had the firm known he was subject to a BAIS employment contract that impeded his ability to bring his clients with him - in applying to NSC, DiFrancesco affirmatively denied being subject to any contract or non-compete agreement. Ultimately, NSC wasn't happy with the entire situation and terminated DiFrancesco on June 21, 2007. Thereafter, the Financial Industry Regulatory Authority ("FINRA") investigated and filed charges.
On December 1, 2009, a FINRA Hearing Panel found that DiFrancesco had violated NASD Rule 2110 by misusing confidential customer information that
was the property of his firm; and
constituted "nonpublic personal information" under Regulation S-P (privacy rules promulgated pursuant to the Gramm-Leach-Bliley Act of 1999 ("GLBA")).
The FINRA Hearing Panel fined DiFrancesco $10,000; suspended him in all capacities for 10 business days; ordered him to pay $2,702.77 in hearing costs (which included includes an $750 administrative fee and the cost of the hearing transcript. READ the Hearing Panel Decision.
On December 17, 2010, FINRA's National Adjudicatory Council ("NAC") sustained on appeal the Hearing Panel's Decision with the exception that it reversed the finding that DiFrancesco was liable based on his misuse of customer information that BAIS had classified as confidential and proprietary under DiFrancesco's three agreements with BAIS.
In rejecting that second finding by the Hearing Panel, the NAC considered the central ethical violation in the case to be DiFrancesco's downloading and transmitting of the nonpublic personal information, which was particularly sensitive. The NAC sustained the Hearing Panel's sanctions and added an additional In $1,526.75 in appeal costs. READ the NAC Decision.
On review, the SEC reiterated the long-standing view that NASD Conduct Rule 2110 requires the observance of "high standards of commercial honor and just and equitable principles of trade." In that vein, the SEC characterized DiFrancesco as presenting " a breach of confidence case, which implicates quintessential ethical considerations not necessarily implicated in a breach of contract case."
DiFrancesco's primary argument against liability was that his conduct conformed to ethical standards and practice in the securities industry. In attempting to establish such standards, he cited to a 2004 agreement, " Protocol for Broker Recruiting," entered into by a number of large broker-dealers whereby the signatories agreed not to sue one another for recruiting one another's registered representatives if the representative took only limited customer information to another participating firm.
The SEC was dismissive of DiFrancesco's arguements and found that he had breached his duty of confidentiality when he "surreptitiously" downloaded BAIS's customers' confidential nonpublic information, including account numbers and net worth figures, and transmitted that information to his future branch manager at a competitor firm. Moreover, the SEC admonished that under GLBA and Regulation S-P customer names, addresses, and telephone numbers are "financial" information generally considered nonpublic financial information entitled to protection.
Further, the SEC found that DiFrancesco's conduct was "self-interested" because the purpose of downloading and transmitting BAIS's customers' confidential nonpublic information to Kasht and NSC was to favor his own interest in maintaining his client base over customers' interest in the confidentiality of their nonpublic information.
Bill Singer's Comment
A common enough dilemma for thousands of registered persons. These issues arise, almost daily, at Merrill Lynch, Morgan Stanley Smith Barney, JP Morgan, Goldman Sachs, UBS, Wells Fargo, Citigroup - frankly, name the firm and it's a problem.
Among the first things that departing brokers must understand is that the client ultimately controls the account. Okay, so much for that threshold issue - neither the broker nor the brokerage firm can claim to "own" the account to that extent. On the other hand, divorced from the ownership of the account, there is the very real aspect of the brokerage firm having legal claims to client data - and an even more formidable right to deny unauthorized access to its computer systems and, more pointedly, to prevent unauthorized downloading and copying.
Perhaps the single most frustrating disclosure by a client to a lawyer within the context of the early stages of a threatened lawsuit over the issue raised inDiFrancesco is the fact that the client failed to retain copies of the employment agreements that he or she had signed. So . . . lesson number one: Always save all copies of documents that you signed during your employment. Although there is a fairly monolithic nature to these agreements, there are variations and sometimes your version may have been improperly printed out or an important provision cut but not re-pasted.
Finally, as to today's featured case, it is somewhat reminiscent of the 1991 movie "Let Him Have It" involving the true-life crime involving the issue of whether the uttered phrase "Let him have it!" meant to give the copper the gun or to shoot him.
Let Him Have It
Don't Worry About It
You sure as hell better make certain that what you think the speaker meant is the same as what you do. Otherwise, be careful. Very careful.