It is not uncommon in the financial services industry, particularly in matters involving the departure of partners or brokers, for there to be accusations that the departing person has taken with them confidential information. Typically these disputes involve threats of or actual lawsuits and motions for injunctive relief, usually involving client lists and other proprietary data. A recent case in the Southern District of New York demonstrates, however, that when a broker accesses client information without permission, even within their own firm, they may also face criminal charges.
On September 21, 2015, a private wealth management advisor, Galen Marsh, entered a plea of guilty before U.S. District Judge Kevin Thomas Duffy in the Southern District of New York to a one-count information charging unauthorized access to a computer. In entering the plea, Marsh admitted that he gained access to confidential and private information of hundreds of thousands of his employer’s clients without authorization.
According to the government, Marsh was employed in the private wealth management division of a bank, initially as a customer service associate (CSA) and then as a financial advisor (FA), working as part of a group that provided financial and investment services to private wealth management clients of the bank. There were other similarly structured groups within the wealth management division who provided similar services to the bank’s other wealth management clients.
While Marsh, as an FA and a CSA, was authorized to access the client information of the clients in his group, he was not authorized to access information regarding clients in other groups providing services to other private wealth management clients of the bank. According to the plea entered by Marsh, from June 2011 through December 2014, Marsh used the bank’s computer systems to access confidential information about certain clients serviced by FAs and CSAs outside of his group. He obtained this information from outside of his group by using identification numbers of other bank branches, groups and FAs in the banks’ computer system. He conducted more than 6,000 unauthorized searches in the bank’s computer systems and obtained confidential client information, including names, addresses, telephone numbers, account numbers, fixed income investment information and account values of approximately 730,000 client accounts at the bank. He then uploaded the confidential client information from the bank to a personal server at his home in New Jersey.
According to the government, Marsh illegally accessed the confidential information in order to use it for his personal advantage as a private wealth management advisor at the bank. The government added that from October 2013 through December 2014, Marsh was engaged in discussions regarding potential employment with two other financial institutions that are competitors of Marsh’s then employer.
The maximum penalty for unauthorized access to a computer under 18 U.S.C. § 1030, in cases where the person accesses the computer of a financial institution for purposes of commercial advantage or private financial gain, is five years in prison and three years of supervised release. Marsh is scheduled to be sentenced by Judge Duffy on December 7, 2015.