Memo #18031

SEC SEEKS COMMENT BY OCTOBER 20TH ON PROPOSAL TO REQUIRE PROPER DISPOSAL OF CONSUMER RECORDS

[18031]

September 22, 2004

TO: TECHNOLOGY ADVISORY COMMITTEE No. 25-04

RE: SEC SEEKS COMMENT BY OCTOBER 20TH ON PROPOSAL TO REQUIRE PROPER DISPOSAL OF CONSUMER RECORDS

Pursuant to a Congressional mandate, the Securities and Exchange Commission has published for comment revisions to Regulation S-P that will require SEC registrants to adopt policies and procedures to safeguard the disposal of certain consumer information (the “safeguard rule”).¹ These revisions, which are proposed to Section 248.30 of Regulation S-P, are intended to prevent the unauthorized disclosure of sensitive consumer information and reduce the risk of fraud or related crimes, including identity theft, by ensuring the proper disposal of information.

Comments on the proposal are due no later than Wednesday, October 20th. The Institute anticipates filing a comment letter with the Commission supporting the proposal. If there are any issues – particularly issues relating to technological concerns with the disposal of records² – that you would like to recommend be included in the Institute’s comment letter, please provide them to Tami Salmon no later than Friday, October 8th. Comments may be provided by phone (202-326-5825) or e-mail (tamara@ici.org).

EXISTING SECTION 248.30

Section 248.30 of Regulation S-P currently requires every registered broker, dealer, investment company, and investment adviser to adopt policies and procedures that address the administrative, technical, and physical safeguards for the protection of customer records and information. Such policies and procedures must be reasonably designed to: (i) insure the security and confidentiality of customer records and information; (ii) protect such records from any anticipated threats or hazards to their security or integrity; and (iii) protect against unauthorized access to or use of customer records or information that could result in harm or inconvenience to the customer.

THE PROPOSED SAFEGUARD RULE

The proposed safeguard rule would make two changes to Section 248.30. First, it would require the policies and procedures that are currently mandated by the rule to be in writing. Second, it would add a new subsection (b) to the rule that would require persons covered by the rule that dispose of specified information to take reasonable measures to protect the discarded information from unauthorized access to or use of it. The particulars of the proposal are as follows:

The persons covered by the safeguard rule – the safeguard rule would apply to any person that (1) is a registered broker or dealer,³ investment company, investment adviser, or transfer agent⁴ and (2) possesses consumer report information⁵ for a business purpose. According to the Release, this second condition “includes all business reasons for which a covered entity may possess or maintain consumer report information.”⁶

The information covered by the safeguard rule – unlike Reg. S-P, which broadly governs the treatment of all nonpublic personal information, the safeguard rule would only apply to the disposal of information obtained or derived from a “consumer report” as defined in FCRA. Information that is derived from a consumer report but that does not identify any particular individual would not, however, be covered under the safeguard rule.

The disposal of information – As defined in the proposal, “disposal” would include the discarding or abandonment of any consumer report information and the sale, donation, or transfer of any medium (e.g., computers) on which consumer report information is stored.⁷ The safeguard rule would not require any person to maintain or destroy any information; instead, it would govern the treatment of information being discarded. The Release acknowledges that there “are few foolproof methods of record destruction.” Accordingly, rather than requiring entities to “ensure the perfect destruction of consumer report information in every instance,” the safeguard rule would require entities to take “reasonable measures” to protect against unauthorized access to discarded information. These steps might provide for: (1) the burning, pulverizing, or shredding of paper records; (2) the destruction or erasure of electronic records so that information cannot be read or reconstructed; or (3) contracting with another party in the business of record destruction to destroy the records in a way that would be consistent with the rule. The Institute is particularly interested in any concerns our members have regarding the appropriateness of these steps, particularly with respect to electronic records, and whether they raise any technological concerns that we should address in our comment letter.

Reasonable measures – According to the Release, the rule is intended to provide entities flexibility in determining what constitutes reasonable measures based upon their particular circumstances. In making this determination, an entity should consider the sensitivity of its consumer report information, its size and the complexity of its operations, the costs and benefits of different disposal methods, and relevant technological changes. Also, reasonable measures may require elements such as the establishment of policies and procedures governing disposal and appropriate employee training. To the extent an entity already has policies and procedures governing the disposal of information under Reg. S-P, such policies and procedures might be used to satisfy the requirements of the safeguard rule.

Peter Salmon
Director - Operations/Technology

¹ See Disposal of Consumer Report Information, SEC Release No. 34-50361 (Sept. 14, 2004), 69 Fed. Reg. 56304 (Sept. 20, 2004) (the “Release”). The Release is available on the SEC’s website at: http://www.sec.gov/rules/proposed/34-50361.htm. Promulgation of this rule was mandated by the December 2003 enactment of Section 628 of the Fair Credit Reporting Act (“FCRA”). Similar safeguard rules must be adopted by other federal regulators of financial institutions and the Federal Trade Commission.

² See discussion under “The disposal of information” below.

³ A broker or dealer that is registered with the SEC by notice under Section 15(b)(11) of the Securities Exchange Act of 1934 would not be subject to the safeguard rule.

⁴ Unlike most of Reg. S-P, the safeguard rule would expressly apply to transfer agents.

⁵ “Consumer report” is defined in FCRA to mean any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under FCRA. See Release at fn. 9.

⁶ Entities that might possess or maintain consumer report information for a business purpose include lenders, employers, and other users of consumer reports such as a broker-dealer that provides margin accounts or sells variable annuity products.

⁷ By contrast, the sale, donation, or transfer of consumer report information would not be a “disposal” under the safeguard rule.
