Steven Robert Tomlinson entered the financial industry in 1981, and over a 20 year span worked for various firms before joining a Corning , NY credit union in 2001 as a financial advisor in its investment services group -by 2003, he became the group manager. During the relevant times in this matter, the credit union was affiliated with Financial Industry Regulatory Authority ("FINRA") member firm Raymond James Financial Services, Inc. ("RJFS"), and Tomlinson was an employee of both the credit union and registered with RJFS.
In 2008, Tomlinson learned from a magazine article that a registered representative with whom he had trained years earlier had built a business at another broker-dealer firm to pass along to his son. That success story seemed to have troubled Tomlinson, who also desired to leave a business for his son but was growing concerned about the inherent limitations in his credit union's salary-based compensation system versus the brokerage industry's commission structure. Consequently, the magazine article may have fanned the embers of Tomlinson's desire to move on and move up.
Toward the end of June 2008, Tomlinson began talking to a friend at Wachovia about an opening in a nearby branch office; and in October 2008, Tomlinson visited a St. Louis, MO, Wachovia office. Tomlinson must have liked the grass on the other side of the fence because he soon decided to leave the credit union and RJFS to join Wachovia, where his new position offered a small payment for managing the branch coupled with the potential for much greater commission-based compensation.
As a credit union manager, Tomlinson was familiar with the organization's compliance manual, which, in pertinent part stated:
Associates may not share customer information with third parties unless specifically authorized by the client. Customer and confidential information may not be removed from a Raymond James office without the branch manager's permission.
Further, the credit union's compliance manual prohibited financial associates (subject to client authorization) from transmitting non-public or personally identifiable information (e.g., social security number, financial account numbers, net worth, income, tax bracket) to a third party for non-business purposes. Also, Tomlinson had signed a financial advisor agreement with RJFS and the credit union in which he agreed, among other things, not to remove records from the premises of the investment group without prior authorization and not to disclose to any person any non-public customer information.
In contemplation of his joining Wachovia, that firm had instructed Tomlinson that the only information he could bring with him was in the nature of a "Christmas card list;" i.e., the names, phone numbers and addresses of his clients. Wachovia conveyed the instruction several times in several different ways, including during a discussion at the St. Louis recruiting meeting and also memorialized in a "Financial Advisor Integration Planner" given to Tomlinson by the senior vice president who had handled his recruitment. The Planner stated in bold-face type that financial advisors were not allowed to bring "client statements, account numbers, social security numbers, client files, confirmation, performance reports, copies of notes or any electronically stored client data;" however, exceptions were noted for certain allowable information, such as, customer name, client name, account title, their address, phone numbers, and their e-mail addresses.
During business hours and late at night on November 18th and November 20th, without authorization and prior notice to the credit union, RJFS, or Wachovia, Tomlinson downloaded confidential, non-public information of over 2000 credit union customers (e.g., social security numbers, birth dates, account numbers, and account balances) to his personal flash drive (unencrypted and lacking password protection) and his personal laptop. Wachovia provided Tomlinson with a firm-issued flash drive that he was supposed to use to download only the limited information that he was permitted to take with him, but he claimed to have had difficulty making the software work and downloaded information onto his personal flash drive. Although some of the clients involved on the downloaded files were Tomlinson's, about 60% were customers of other credit union financial advisors with whom he had previously had contact or were total strangers.
Tomlinson officially resigned from the credit union on November 24, 2008, Monday, and on that day he spoke with a number of people at the union and participated in an exit interview with an IT person. In keeping with the union's standard procedure, the IT person conducted an exit interview and received from a departing employee any physical keys and badges, including the Virtual Private Network ("VPN") token used to access the union's computer systems. Tomlinson returned a VPN token, his keys, and other things to union staff.
The credit union's protocol was that if a departing credit union employee had:
On the afternoon of November 24th, a credit union IT person "wiped clean" the telephone that the credit union had purchased for Tomlinson's use and returned the device with only his personal information. Notably, there was no discussion of Tomlinson's flash drive or personal laptop during the exit interview or wiping process.
Shortly before 6 p.m. on the day of his resignation, Tomlinson met with a Wachovia administrative assistant, who had been assigned to help Tomlinson prepare announcements about his move. The assistant, who had been waiting for Tomlinson all afternoon, asked him for the flash drive, but he had neglected to bring it and went home to retrieve the device. Upon his return later that evening, a snowstorm was underway, prompting Tomlinson and the assistant to defer to the next day the creation of a mailing announcing his relocation. The assistant put the flash drive in her purse and went to a hotel. Tomlinson went home.
The next day, November 25, 2008, Tuesday, the administrative assistant used the flash drive at a computer in the public reception area of the Wachovia office. Tomlinson did not supervise her work and was in a separate office that had been assigned to him. The assistant had difficulty using the flash drive and called Wachovia's IT department, which remotely accessed the disk to assist her. The disk remained in the reception area until after lunch, by which time Tomlinson and the assistant had examined and culled labels for the mailing. Finally, around 2-3 p.m., the assistant gave the flash drive back to Tomlinson.
On November 26, 2008, Wednesday, one day before Thanksgiving, the credit union CEO asked the credit union CIO to begin an investigation because the CEO had been informed that a customer had received a mailing from Tomlinson, in potential violation of the former employee's non-compete agreement. The CIO started by looking at Tomlinson's desktop computer, which disclosed that customer information had been downloaded onto a remote storage device (such as a flash drive) and put into a directory that Tomlinson had labeled in a way to denote a connection with Wachovia Securities.
On December 1, 2008, the credit union drafted and delivered a letter to Tomlinson at Wachovia demanding, among other things, the return of the flash drive with the "stolen" information on it. Tomlinson found the letter "scary," and, thereupon, he deleted downloaded flash drive files except for the one file containing his own clients' data. He also deleted credit union files from his personal laptop. Upon learning of these deletions, Wachovia's attorney instructed Tomlinson to stop.
Eventually, Tomlinson returned to the credit union his flash drive, mobile telephone, and personal laptop; and the union's CIO determined that customer information had been on all three of Tomlinson's devices and that most of those files had been deleted after Tomlinson was informed of the investigation. The CIO requested that Wachovia check its computers and was subsequently informed that Wachovia had identified at least one subject file on a secretary's computer at Wachovia.
In response to the filing of a disciplinary Complaint by FINRA's Department of Enforcement, Tomlinson sought to characterize his actions as thoughtless and not motivated by any desire to harm his former employer. Further, Tomlinson contended that notwithstanding his copying of customer files, the credit union was unharmed because only the names and addresses of his own clients were used to create address labels for "tombstone" announcements of his move to his new firm. FINRA Department of Enforcement, Complainant, v. Steven Robert Tomlinson, Respondent (OHO Hearing Panel Decision, March 21, 2013).
Following a hearing, a FINRA Hearing Panel essentially shredded what they viewed as excuses and somewhat self-serving explanations set forth by Tomlinson, which the panel characterized as constituting three points.
First, Tomlinson argued that he lacked intent to do wrong or to cause harm - he asserted that his conduct was something of a spur of the moment undertaking in which he "just didn't think at the time." Noting that the Rule 2110 violation with which he had been charged did not require proof of intent, the Panel further noted that the evidence suggested at least Tomlinson's consciousness of wrongdoing. In raising that prospect, the Panel pointed at Tomlinson's after hours and fairly surreptitious downloading; and his failure to even mention during the exit interview that he had customer information on a flash drive and personal laptop.
Second, Tomlinson argued that he had used only a limited portion of the downloaded information and only for a legitimate purpose; namely his client file to fabricate "tombstone" notices of his move to Wachovia." In contradistinction to Tomlinson's benign characterization, the Panel seemed perplexed by his inability to recognize the potential disaster that could have resulted from the misuse of the personal information on the files that were resident on an unencrypted, non-password-protected device, which was left unattended in a relatively public space.
Third, Tomlinson asserted that the credit union had known for a long time prior to his departure that he had used his personal devices for business purposes, downloading client information in order to work at home. This argument seems to have rankled the Panel, which rejected the attempt to "explain away his actions as an innocent or inadvertent mistake." In response to Tomlinson's suggestion that he had been somewhat victimized by the credit union's unfair and overly harsh response that included notifying customers that their confidentiality had been breached, the Panel interpreted this point, as an inappropriate attempt to focus "not on the customers' interest in keeping their highly sensitive information private, but rather on his view that the credit union has nothing to complain about."
The FINRA Hearing Panel saw the key issue presented by Tomlinson's conduct as one in which the investing public cannot be expected to have confidence in the financial industry if investors' confidential, non-public information is not protected from disclosure. Further, when deliberating on the sanctions to be imposed, the Panel found as aggravating factors, Tomlinson's
Accordingly, the Panel found that Tomlinson had violated NASD Rule 2110 and imposed the following sanctions:
A very succinct and compelling Decision. Not only offers the necessary background to make the case intelligible, but he Panel offers context in its rationale to allow us to understand the appropriateness of the imposed sanctions.