Memo #10269

INSTITUTE CIRCULATES SURVEY ON INFORMATION PRACTICES AND OTHER RECENT DEVELOPMENTS RELATING TO DATA PRIVACY

[10269]

September 8, 1998

TO: INTERNATIONAL COMMITTEE No. 27-98
SEC RULES COMMITTEE No. 88-98
ELECTRONIC COMMERCE ISSUES WORKING GROUP

RE: INSTITUTE CIRCULATES SURVEY ON INFORMATION PRACTICES AND OTHER RECENT DEVELOPMENTS RELATING TO DATA PRIVACY
______________________________________________________________________________

At recent Committee and Working Group meetings, we have discussed issues for mutual funds related to data privacy. Within the last few weeks, there have been several significant developments involving privacy issues. This memorandum is intended to update members concerning these recent developments, including the following:

- A survey that the Institute is circulating to members regarding information practices in the fund industry;
- Responses by the SEC and Federal Reserve Board to Congressional requests for information about the current state of privacy protection;
- Two bills introduced in Congress that would have an impact on Institute members, if enacted; and
- The settlement of a Federal Trade Commission enforcement action involving alleged violations of data privacy policies.

INSTITUTE SURVEY

The Institute is circulating a survey to members in an effort to better understand industry practices with respect to investment companies’ collection, compilation, use and protection of personally identifiable information. The survey will help the Institute respond to privacy initiatives in the US and abroad. The results of the survey also will be used to develop a "best practices" paper on privacy protection for Institute members.

The survey is being circulated to the Institute’s senior contact at each member firm. We would appreciate your assistance in ensuring that the survey is completed and returned to the Institute in a timely manner. If you do not know who serves as the Institute’s senior contact at your firm, please call Laura Whitehead at (202) 326-5836. Thank you for your help.

SEC AND FED LETTERS IN RESPONSE TO CONGRESSMAN MARKEY

As we previously informed you, in June, Congressman Edward Markey (D-Mass) sent letters to SEC Chairman Arthur Levitt and Federal Reserve Board Chairman Alan Greenspan asking about the nature and adequacy of current legal protections for the privacy of personal information and stating Mr. Markey’s belief that additional legislation is needed in this area in order to protect consumers. Chairman Levitt and Chairman Greenspan recently responded to these letters.

In the SEC response to Congressman Markey, Chairman Levitt stated "I share your concerns that investors’ privacy should not be compromised, and believe that the NASD should take the steps necessary to increase the security of personal financial information. I understand that the NASD is looking into these issues, and I hope they will act in the near future."

Copies of the Markey letters, the SEC and Federal Reserve responses, and Mr. Markey’s subsequent press release are available at www.house.gov/markey/finance.htm.

PROPOSED LEGISLATION

HR 4479 -- The Securities Investors Privacy Enhancement Act of 1998. On August 6, 1998, Congressman Edward Markey (D-Mass) introduced a bill that would require brokers, dealers, and investment advisers to protect the confidentiality of financial information obtained concerning their customers. The bill would amend Section 15A(b) of the Securities Exchange Act of 1934, Section 38 of the Investment Company Act of 1940, and Section 211 of the Investment Advisers Act of 1940.

If passed, the National Association of Securities Dealers (and any other association of brokers and dealers that registers as a national association) would be required to adopt rules requiring their members:

- To protect the confidentiality of financial information of, and relating to, their customers;
- To inform their customers whenever financial information is being collected that pertains to the customers;
- To inform their customers whenever the member intends to offer financial information pertaining to the customer to any other person, including an affiliate or agent of the member; and
- To refrain from using, disclosing, or permitting access to individually identifiable financial information pertaining to the customer except for the provision of the financial services from which such information is derived, pursuant to the affirmative written consent of the customer, or as required by law or by the SEC.

The SEC would be given the discretionary authority to adopt similar rules relating to investment companies (under Section 38 of the 1940 Act) and investment advisers (under Section 211 of the Advisers Act).

HR 4388 -- The Consumer Financial Privacy Protection Act of 1998. On August 4, 1998, Congressman John LaFalce (D-NY) introduced a bill that would amend the Consumer Credit Protection Act to ensure financial institution privacy protections. Brokers, dealers, investment companies and investment advisers are specifically included in the definition of "financial institution" for purposes of the proposed legislation.

The bill would:

- Require financial institutions to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of financial and personal records;
- Limit the collection of personal and financial information about a customer to the information required to facilitate customer-initiated transactions and to administer an ongoing business relationship with the customer;
- Prohibit the disclosure of customer financial or personal information to a third party for their independent use, except to the extent necessary to complete customer-initiated transactions, upon the customer’s request, as required by law or by a government agency, or after full disclosure to the customer. Full disclosure would require separate and explicit notice identifying the purpose for disclosing the information, the customer’s right to prevent disclosure of the information, and the procedures for doing so.

The bill would also require all "financial regulatory agencies" to prescribe uniform regulations to carry out the foregoing, including regulations that specifically require financial institutions to adopt policies and procedures to:

- Assure that customer records are current and accurate and provide for prompt correction of all records;
- Limit employee access to financial records and personally identifiable information;
- Maintain appropriate security standards to prevent unauthorized access to information;
- Require that third parties that receive the information also agree to maintain its confidentiality;
- Provide appropriate disclosure to customers regarding the institution’s privacy policies and the customer’s privacy rights. This would include clear and conspicuous disclosure of the types of information disclosed, the purposes for the disclosure, the customers’ option to prevent the disclosure and the procedures for doing so, and the procedures for filing a complaint over the use of the customer’s information.

The Federal Trade Commission would have general enforcement authority, except that the SEC would have enforcement authority over violations by SEC regulated companies. Aggrieved consumers also would have a private right of action under this bill.

FEDERAL TRADE COMMISSION’S SETTLEMENT WITH GEOCITIES

In what is being hailed as a landmark case, the FTC settled an enforcement action against GeoCities, a company that provides personalized home pages on the Internet, in which it alleged that GeoCities misused its customers’ personal information. According to the FTC’s allegations, GeoCities sold personally identifying, demographic, and/or interest information collected from consumers who registered to use GeoCities’ web site, in direct contravention of the privacy statements disclosed on its web site and in account applications. The privacy statements included representations that GeoCities would not share certain personal information about its customers without their permission.

In settling the case, GeoCities has implemented a "privacy safeguards program" that includes:

- Registering with TRUSTe (an independent provider of privacy seals of approval);
- Inserting the company’s comprehensive privacy guidelines into various locations on the Web site and highlighting them on GeoCities’ application forms;
- Revising policies to prohibit inappropriate third-party collection and use of personal information;
- Requiring that individuals under 13 years of age obtain their parents’ consent when applying for a free membership in GeoCities; and
- Increasing the number of privacy warnings in, and removing inappropriate advertising and promotions from, the portion of the company’s web site that is directed at children.

The GeoCities settlement highlights all companies’ need to comply with their policies or privacy statements.

* * * * *

Robert C. Grohowski
Assistant Counsel
