Federal Trade Commission provides guidance for safeguarding consumer information and reminder regarding privacy procedure requirements for unregistered funds and advisers
As a reminder to all of our clients who are managers of private investment funds and investment advisers that are not registered with the Securities and Exchange Commission, the Federal Trade Commission (“FTC”) has implemented rules to protect customers’ nonpublic personal information. The FTC established its privacy rules under the “Privacy of Consumer Financial Information” regulations (the “FTC Privacy Rules”).1 These rules require private equity funds to adopt written privacy procedures and to provide investors with an annual notice of the fund’s privacy policies and procedures, as discussed in further detail in this Update.
The FTC Privacy Rules apply to financial institutions not otherwise regulated by a U.S. federal regulatory agency (e.g., the SEC, CFTC or the Banking Agencies), including private investment companies (such as hedge, buyout, private equity, venture capital and other private funds) that qualify for an exception from regulation under Section 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (the “Company Act”),2 as well as private investment advisers and state registered investment advisers.
The FTC Privacy Rules (specifically, the Safeguards Rule)3 require private investment funds to develop and implement a comprehensive written information security program (“ISP”) containing administrative, physical and technical safeguards deemed appropriate based on the firm’s size and complexity, and the nature and scope of its activities. In addition, the FTC has posted guidance for implementing an ISP on its web site as discussed in more detail below.
The Safeguards Rule also contains a requirement that covered financial institutions like private funds and private or state registered advisers contractually require their service providers to implement and maintain appropriate safeguards to protect customer information. The deadline for bringing service contracts entered into on or before June 24, 2002, into compliance with this requirement is May 24, 2004. All service contracts entered into after June 24, 2002, must contain the required safeguards provisions.
FTC Privacy Rules Generally
Generally speaking, the FTC Privacy Rules contain four requirements:
- A financial institution is required to notify its customers of its policies and practices regarding non-public personal information at the beginning of the relationship (i.e., from the time that the subscription agreement is accepted or the investment advisory contract is entered into) and thereafter on an annual basis.
- Customers are permitted to “opt out” of the disclosure by the financial institution of nonpublic personal information to certain nonaffiliated third parties.4
- The FTC Privacy Rules limit the ability of the financial institution to disclose an individual’s non-public personal information to third parties.
- The FTC Privacy Rules require the financial institution to establish safeguards to maintain the security of customer information.
In addition to the obligation to prepare and deliver a privacy notice, covered financial institutions must develop appropriate safeguards and procedures to protect the security of their customers’ nonpublic personal information (“NPI”) (e.g., name, address, phone number, income, bank account information, credit history and Social Security number). The FTC issued its Safeguards Rule to establish certain standards for developing appropriate safeguards and procedures.
Implementing an ISP
To assist financial institutions in complying with the Safeguards Rule, in September 2002, the FTC issued guidance with respect to the implementation and monitoring of an ISP and the oversight of a financial institution’s third-party service providers.5 To implement a sound plan, the FTC suggests that companies covered by the Safeguards Rule train employees regarding basic security measures such as: locking rooms and/or filing cabinets where records are kept, using password-activated screen savers and strong passwords (at least eight characters long), changing passwords frequently, and reporting any fraudulent attempt to obtain customer information to the appropriate law enforcement agencies. The FTC also suggests that companies may want to check the references of any potential employees who would have access to customer information, and ask each new employee to sign an agreement to follow the company’s confidentiality and security standards for handling that information. The Safeguards Rule requires financial institutions to maintain security within their information systems.
The FTC’s publication notes that this includes network and software design as well as information processing, storage, transmission, retrieval and disposal. To accomplish this, the publication suggests that companies should consider, among other things: storing all records in a secure area, providing for secure data transmission, and disposing of customer information in a secure manner. Finally, with respect to managing system failures, the publication suggests that companies should follow a contingency plan to address security breaches; regularly update firewalls and antivirus software; and regularly check with software vendors to obtain and install patches to repair software vulnerabilities.
Covered financial institutions like private equity funds and private and state registered investment advisers should send a privacy notice to all customers on an annual basis in order to comply with the FTC Privacy Rules. If the private fund or investment adviser does not disclose its investors’ or clients’ nonpublic personal information to nonaffiliated third parties other than as permitted by the exceptions in the regulation (for example, to service providers or in response to legal process), no opt-out right or opt-out notice is required. All new customers must receive the initial notice at the time that the relationship is established. Generally, private fund managers should consider placing their privacy notice and sharing practices in the fund’s subscription document, and investment advisers should consider (1) attaching their privacy notice to the advisory agreement and (2) placing a provision in their advisory contract whereby the advisory client acknowledges receipt of the adviser’s privacy notice. With respect to the annual notice requirement, it is a good practice to include the privacy notice with the customer’s year-end statement. For your reference, we provide as Exhibit A below a sample privacy notice for private equity funds.
Financial institutions such as private fund sponsors and other investment advisers should have in place written privacy policies and procedures, tailored to their businesses, that address the elements identified by the FTC as critical to an ISP and should begin the process of identifying third-party service provider contracts that will require re-negotiation. Service contracts entered into after June 24, 2002, should contain detailed confidentiality provisions that, among other things, prohibit the provider’s disclosure or use of any consumer NPI that it receives other than in accordance with the contract, and that require the provider to implement and maintain appropriate safeguards for that information, in order to ensure compliance with the Safeguards Rule.
Exhibit A: Protecting Your Privacy
At XYZ Fund, LP (“XYZ”), maintaining the trust and confidence of our investors is of paramount importance. We are committed to safeguarding your personal information and providing you with facts about how this information may be shared. Please read this notice to learn more about our privacy policies.
Information That We Collect
In connection with our provision of services to you, we obtain non-public personal information about you, which may include the following:
- Information we receive from you on applications or other forms including your name, address, Social Security number, assets and income.
- Information about your transactions with us or with others.
Information That We Share
We use or share information in a limited and carefully controlled manner. We do not disclose any non-public personal information about our investors or former investors to anyone, except as permitted by law, unless authorized by you. Instances in which we may be required to share your information include:
- Disclosure to companies that provide services necessary to effect a transaction that you request or to service your account, such as prime brokers, accountants, banks, attorneys or administrators.
- Disclosure to government agencies, courts, parties to lawsuits or regulators, in response to subpoenas. In such cases, we share only the information that we are required or authorized to share.
Confidentiality and Security
The security of your account information is important to us. Only those persons who need your information to perform their jobs have access to it. In addition, we maintain physical, electronic and procedural security measures that comply with U.S. regulations to protect your information. Our employees have limited access to your personal information, based upon their responsibilities. All employees are instructed to protect the confidentiality of your personal information as described in these policies, which XYZ strictly enforces.
1) Privacy of Consumer Financial Information; Final Rule (FTC), 16 C.F.R. §313 (May 24, 2000).
2) The Staff of the Division of Investment Management made this position clear in a FAQ published in June of 2001. See Staff Responses to Questions About Regulation S-P available at http://www.sec.gov/divisions/investment/guidance/regs2qa.htm.
3) Standards for Safeguarding Customer Information; Final Rule (FTC), 16 C.F.R. §314 (May 23, 2002) (the “Safeguards Rule”).
4) Under the FTC Privacy Rules, a covered financial institution such as a private fund or investment adviser must provide its customers with the right to “opt out” if it proposes to disclose the individuals’ “non-public personal information” to a non-affiliated third party not excepted under the Rule. In such cases, a private fund or investment adviser must give individuals a reasonable means and opportunity to exercise this opt-out right. The Rule suggests that “reasonable means” include, among other things, a reply form sent together with the opt-out notice or a toll-free number that individuals may call to opt out, and that an opt-out period of 30 days from the date of notice is a reasonable period during which an individual may exercise his or her opt out. See 16 C.F.R. §313.7(a)(2) and §313.10(a)(3). If a fund or adviser chooses not to share an individual shareholder’s non-public personal information with any non-affiliated third parties (except for permissible disclosure to service providers and joint marketers or pursuant to one of the other exceptions in the FTC Privacy Rules), individual shareholders are not required to be provided with an opt out.
5) See Financial Institutions and Customer Data: Complying With the Safeguards Rule