Ben Giumarra

It’s been an issue at many companies, and across many industries: Who “owns” the client relationship? Is it the individual salesperson or the company? Both sides have employed various methods to shift the balance of power one way or the other: anti-solicitation contract clauses, cell phones that the company provides for “free” but that let the company retain the contacts, and personal records of client contact information kept by individuals.

In the financial services industry, which handles a high volume of highly sensitive personal information, increasingly strict cybersecurity requirements add a new element to this issue. Employee workarounds to company-established channels for communicating and storing sensitive information are shifting from mere contractual bickering to actual legal risk.

Security Frustrations Can Lead to Bad Decisions 

Let’s analyze this with a specific example.  

Joseph Smith is an insurance salesman for ABC Insurance Co. He works primarily away from any physical office, instead traveling to meet customers and out of his home office. He is issued a company laptop with security features and remote access to ABC Insurance systems.  

This is sometimes inconvenient for Joseph, as he manages a lot of customer communications and the security measures require a lot of logins, passwords and extra steps.  

For that reason, he prefers to keep a list of active clients, with certain pieces of information, on his personal Google Drive account. This lets him easily access the list from any device (including his phone), without going through any of the company’s security layers. The information he keeps includes names, account numbers, and contact information of his clients.

Of course, this scenario first raises the normal dispute over client ownership: if Joe later leaves for a competitor, ABC Insurance Co. will be angry and claim that he cannot use his knowledge of existing clients to his benefit at his new job.

But this also raises serious issues of consumer privacy and cybersecurity. If Joe had written down the information he needed on a piece of notebook paper (or had a photographic memory), it would not only be harder to detect but also impossible to hack, and it would likely include much less personal information. Using a personal electronic storage site instead ups the ante – putting more information at greater risk and triggering cybersecurity standards.

States Have Strict Security Rules 

This scenario raises three questions: 

  • Does this violate any actual law?
  • What if Joseph and his golf buddies use the same Google Drive account to keep records related to an upcoming golf trip, such that they also have access to Joseph’s client records?
  • Does it change matters if Joseph leaves ABC Insurance to work for a competitor and continues to access these records?

Many states have strict security breach notification rules that require notification of clients, regulatory agencies, and even police. Most of those rules exclude from the definition of a “breach” an employee’s good-faith access to or use of the information for a legitimate business purpose, so an employee’s access alone does not trigger them.

But, in the example above, Joe likely won’t have a legitimate use for this information after switching companies. The company is thus permitted – probably obligated – to demand proof that those records have been deleted. Afterwards, Joe’s continued solicitation of ABC’s clients could be used not just as evidence of some vague and debatable anti-solicitation violation, but as evidence of a violation of privacy and cybersecurity requirements that will be hard for Joe to argue against.

Moreover, if any breach does result in consumer harm, ABC Insurance is likely to be responsible for this. While more specific laws and legal doctrine are developing on this, ABC Insurance can expect that the general standard of negligence, at least, will apply. This will require ABC Insurance to show that this breach occurred despite their reasonable efforts to prevent it.  

Based on these facts, that will be tough. First, ABC Insurance can’t just argue that its policy was to allow employees to use personal storage solutions such as employee-owned laptops, personal email accounts, Dropbox, Google Drive or similar. There is no doubt a court will find such a policy unreasonable, because it completely prevents the company from managing passwords, authentication and other access controls. That’s like hosting an event with fireworks but leaving it to the crowd to light them off.

Consumers Harmed Have Strong Arguments 

In determining what is “reasonable,” state regulations will also be instructive. New York, for example, requires multi-factor authentication for access to sensitive information in most instances. In the scenario above, where all of Joe’s golf buddies share the password to his Google Drive account, this isn’t multi-factor authentication – it’s no-factor authentication, since nothing ties a login to any one person.

More likely, ABC Insurance would argue that Joe violated company policy by using a workaround to official channels for the communication and storage of sensitive information. But that also will be a difficult case to win. Consumers harmed by this have a strong argument that, even if Joe acted contrary to company policy, ABC Insurance still had a reasonable duty to monitor for and enforce that policy.

With the tools available to all financial services companies, detecting the activity described above is much easier than you might think, and it certainly surprised me. A breach of this kind would tell me that either ABC Insurance wasn’t testing for this at all, or it was testing but wasn’t doing anything about the violations it discovered.
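To make the detection point concrete, here is an added example, not part of the original column and not ABC Insurance’s tooling, of the kind of check the article has in mind: a script that reads web-proxy log lines and flags uploads to consumer file-sharing services from corporate endpoints. The log layout, the list of personal-storage hosts, the sanctioned SharePoint tenant name (abcins.sharepoint.example) and the sample log lines are all constructed assumptions for the example.

```python
"""
Flag uploads to personal cloud-storage services in a web-proxy log.

Added illustration, not ABC Insurance's tooling. The log layout, host
lists and tenant name below are assumptions chosen for the example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample (not real traffic), one request per line:
# timestamp user client_ip method url status bytes_sent
SAMPLE_PROXY_LOG = """\
2023-04-03T09:12:01Z jsmith 10.20.4.17 GET https://crm.abcinsurance.example/clients 200 812
2023-04-03T09:14:22Z jsmith 10.20.4.17 POST https://drive.google.com/upload/drive/v3/files 200 48211
2023-04-03T09:14:40Z jsmith 10.20.4.17 PUT https://content.dropboxapi.com/2/files/upload 200 152004
2023-04-03T09:20:05Z akumar 10.20.4.31 POST https://abcins.sharepoint.example/sites/sales 200 3001
2023-04-03T09:21:10Z akumar 10.20.4.31 GET https://drive.google.com/file/d/abc123/view 200 950
2023-04-03T10:02:55Z jsmith 10.20.4.17 POST https://drive.google.com/upload/drive/v3/files 200 30442
"""

# Consumer file-sharing services the company does not manage (assumed list).
PERSONAL_STORAGE_SUFFIXES = (
    "drive.google.com", "docs.google.com",
    "dropbox.com", "dropboxapi.com",
    "box.com", "onedrive.live.com", "icloud.com", "wetransfer.com",
)
# Storage the company does manage (hypothetical tenant, an assumption).
SANCTIONED_SUFFIXES = ("abcins.sharepoint.example",)
# Methods that carry data out; a GET is a read, not an upload.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def _host_matches(host, suffixes):
    """Exact or subdomain match against a tuple of host suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_personal_storage(host):
    """True for a consumer-storage host that is not a sanctioned company tenant."""
    return _host_matches(host, PERSONAL_STORAGE_SUFFIXES) and not _host_matches(
        host, SANCTIONED_SUFFIXES
    )


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def detect_personal_storage_uploads(log_text):
    """Return {user: {"uploads": n, "bytes": total, "hosts": [...]}} for
    successful (2xx) upload-style requests to personal storage services."""
    findings = defaultdict(lambda: {"uploads": 0, "bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if not rec["status"].startswith("2") or not is_personal_storage(rec["host"]):
            continue
        f = findings[rec["user"]]
        f["uploads"] += 1
        f["bytes"] += rec["bytes"]
        f["hosts"].add(rec["host"])
    return {u: {**f, "hosts": sorted(f["hosts"])} for u, f in findings.items()}


if __name__ == "__main__":
    for user, f in detect_personal_storage_uploads(SAMPLE_PROXY_LOG).items():
        print(f"{user}: {f['uploads']} upload(s), {f['bytes']} bytes -> {', '.join(f['hosts'])}")
```

On the sample log this reports only jsmith, with three uploads totalling 230,657 bytes to drive.google.com and content.dropboxapi.com; akumar’s upload to the sanctioned tenant and his read-only visit to Google Drive are not flagged. The same signal is what a commercial web proxy, CASB or DLP product surfaces, and services such as Google Workspace document a proxy-injected header (X-GoogApps-Allowed-Domains) that blocks consumer accounts outright, turning this detection into prevention.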

Ben Giumarra is the director of legal and regulatory affairs at Embrace Home Loans. He may be reached at bgiumarra@embracehomeloans.com. 

Workarounds Pose Privacy/Cybersecurity Risks

Banker & Tradesman