SEC Proposes Changes to Regulation S-P
In March 2008, the SEC published proposed amendments (“Amendments”) to Regulation S-P, which implements certain personal and financial privacy obligations for SEC-regulated institutions (“institutions”), such as broker-dealers and investment advisers. Regulation S-P implements the privacy provisions of the Gramm-Leach-Bliley Act (“GLB”) and the disposal provisions of the Fair Credit Reporting Act (“FCRA”).
In the Amendments, the SEC would address security breaches in the securities industry by amending Regulation S-P in four principal ways:
- require more specific standards under the safeguards rule, including standards for responding to data security breach incidents;
- broaden both the scope of the information covered and the types of institutions and persons covered under the safeguards and disposal rules;
- require covered entities to maintain written records of both their policies and procedures and their compliance with those policies and procedures; and
- create a new exception from the notice and opt-out requirements of Regulation S-P to control the flow of private investor information that commonly occurs when a representative moves from one brokerage or advisory firm to another.
The period for comments to the SEC ends on May 12, 2008.
Information Security and Security Breach Response Requirements
The Amendments would require institutions to adopt an “information security program,” which entails the adoption of written policies and procedures to address administrative, technical, and physical safeguards for the protection of customer records and information, as well as written procedures for responding to unauthorized access to or use of personal information. The information security program would have to be reasonably designed to: (1) ensure the security and confidentiality of personal information, (2) protect against any anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to or use of personal information that could result in “substantial harm or inconvenience” to any consumer, employee, investor or security holder who is a natural person.
Also, the Amendments would define, for the first time, “substantial harm or inconvenience” as a “personal injury, or more than trivial financial loss, expenditure of effort or loss of time.” The SEC defined the term and provided several examples in order to clarify the scope of what would constitute “substantial harm or inconvenience,” demonstrating both the breadth of the types of harms covered and the term’s aim to filter out lesser magnitudes of harm. For example, the SEC intended the definition to be broad enough to include harms other than identity theft that may result from a failure to safeguard an individual’s sensitive information, such as the harm where a hacker uses confidential information about an individual for extortion by threatening to make private information public. Yet the SEC does not intend “substantial harm or inconvenience” to cover “unintentional access to personal information by an unauthorized person that results only in trivial financial loss, expenditure of effort or loss of time,” such as where the access results only in an institution deciding to change the individual’s account number or password.
The information security program would have to include particular security elements, many of which are already industry standard, to meet the requirements of Regulation S-P. Governed institutions would be required, among other things, to:
- designate in writing an employee or employees to coordinate the information security program;
- identify in writing reasonably foreseeable security risks that could result in the unauthorized compromise of personal information or personal information systems;
- design and document in writing, and implement, safeguards to protect against the identified risks;
- regularly test and monitor and document in writing the effectiveness of the implemented safeguards and procedures;
- oversee service providers and require service providers by contract to implement and maintain appropriate safeguards;
- train employees; and
- evaluate and adjust the information security program as necessary.
The Amendments would also require institutions to include written procedures for responding to incidents of unauthorized access to or use of personal information. The Amendments would include notice provisions, which would require notice to affected individuals if misuse of personal information has occurred or is reasonably possible, and notice to the SEC (or a broker-dealer’s Self-Regulatory Organization (“SRO”)) where an individual has suffered substantial harm or inconvenience or where the incident involved an intentional intrusion by a person without authorized access.
The information security program would be required to have written procedures to: assess any intrusion, including what systems were penetrated and what type of information was stolen; contain and prevent further unauthorized access; investigate and determine in writing the likelihood that the information has been or will be misused after the institution becomes aware of any unauthorized access to sensitive information; and notify individuals affected by the intrusion. The Amendments define sensitive information to include an individual’s Social Security number, or the individual’s name, telephone number, street address, e-mail address, or online user name, in combination with any one of the individual’s account number, credit or debit card number, driver’s license number, credit card expiration date or security code, mother’s maiden name, password, personal identification number, biometric authorization record, or other authenticating information.
The provision requiring notice to the SEC would not be as stringent as the policies adopted by the banking agencies, because the Amendments require notice to be given to the SEC only when there is a significant risk, as opposed to any risk, that an individual might suffer substantial harm or inconvenience. Moreover, notice to the SEC or relevant SRO would be provided on the proposed Form S-P, which would include: the nature of the unauthorized access, the institution’s intended response, when the incident occurred, what offices or parts of the registrant’s business were affected, the disclosure of any third-party service providers involved, and the nature of the affiliation.
Scope of Information Covered and Expansion of Type of Persons and Entities Governed by the Safeguards and Disposal Rules
The Amendments would alter the scope of information covered as well as expand the type of persons and entities governed by the safeguards and disposal rules in an effort to create a more efficient and protective framework of privacy rules under Regulation S-P. Currently, the safeguards and disposal rules cover different information as a result of having been adopted at different times under the GLB and FCRA, respectively.
April 2008 / Issue 7
The Amendments would consolidate the personal information covered under the current, differing provisions into a single definition of “personal information.” In addition, “personal information” would include any information identified with any consumer, or with an employee, investor, or security holder who is a natural person, that is handled by or on behalf of the institution. The Amendments would also extend the safeguards and disposal rules to nonpublic personal information of employees, which would curtail the risk that an identity thief could access investor information by impersonating an employee.
The Amendments would extend the safeguards rule to registered transfer agents, while limiting the broker-dealers covered by the rule to those other than broker-dealers registered by notice with the SEC under Section 15(b)(11) of the Securities Exchange Act of 1934. The SEC views extending the safeguards rule to registered transfer agents as a way of streamlining the entities covered by the safeguards and disposal rules. Currently, both rules apply to brokers, dealers, registered investment advisers, and investment companies, but only the disposal rule applies to transfer agents. This proposal would eliminate that distinction and apply both rules to the same types of entities.
Moreover, the Amendments would limit the scope of the safeguards rule to those broker-dealers other than those registered by notice. Broker-dealers registered by notice must comply with rules for safeguarding customer records and information adopted by the U.S. Commodity Futures Trading Commission (the “CFTC”). The purpose of the limitation is to clarify that the CFTC would maintain primary oversight and responsibility for privacy rules governing notice-registered broker-dealers.
The Amendments would also extend the disposal rule to apply to natural persons who are associated persons of a broker-dealer, supervised persons of a registered investment adviser, and associated persons of a registered transfer agent.
Records of Compliance
The Amendments would require institutions governed by the safeguards and disposal rules to make and preserve written records of their safeguards and disposal policies and procedures, including documentation of the development, implementation, and maintenance of, and compliance with, those policies and procedures. The recordkeeping rules would also extend to incidents of unauthorized access to or misuse of personal information. To minimize compliance costs, the periods of time for which an institution must preserve the records would be consistent with existing recordkeeping rules.
Exception for Notice and Opt Out Requirements
The Amendments would add a new exception to the notice and opt-out requirements to permit limited disclosures of investor information when a registered representative of a broker-dealer or a supervised person of a registered investment adviser moves from one brokerage or advisory firm to another. The purpose of this exception is to create an orderly framework for controlling the type of information that departing representatives share with their new firms. The proposed exception would permit one firm, by way of the moving representative, to disclose to another firm only the following information: the customer’s name, a general description of the type of account and products held by the customer, and contact information, including address, telephone number and e-mail information.
Departing representatives would have to provide to the firm they are leaving a written record of the information that would be disclosed pursuant to the exception, and moving representatives would be barred from sharing any customer’s account number, Social Security number, or securities positions.
The Amendments add significantly to the costs and burdens of privacy protection. It remains to be seen whether the SEC will adopt them in their present form after receiving industry and other comments.
This update was authored by Robert A. Robertson (+1 949 442 6037; email@example.com), Alan Rosenblat (+1 202 261 3332; firstname.lastname@example.org), and Mark Goldfarb (+1 202 261 3478; email@example.com).