Memo #18319

SEC ADOPTS RULE TO REQUIRE PROPER DISPOSAL OF CONSUMER RECORDS

[18319]

December 9, 2004

TO:
CLOSED-END INVESTMENT COMPANY MEMBERS No. 79-04
COMPLIANCE ADVISORY COMMITTEE No. 117-04
INVESTMENT ADVISER MEMBERS No. 25-04
PRIVACY ISSUES WORKING GROUP No. 8-04
SEC RULES MEMBERS No. 170-04
SMALL FUNDS MEMBERS No. 126-04
TRANSFER AGENT ADVISORY COMMITTEE No. 83-04
UNIT INVESTMENT TRUST MEMBERS No. 43-04
TECHNOLOGY ADVISORY COMMITTEE No. 31-04
OPERATIONS MEMBERS No. 35-04

RE: SEC ADOPTS RULE TO REQUIRE PROPER DISPOSAL OF CONSUMER RECORDS

Effective July 1, 2005, Reg. S-P has been revised to require SEC registrants to: (1) have written policies and procedures that provide for the protection of customer records and information; and (2) adopt policies and procedures to safeguard the disposal of certain consumer information.[1] These revisions to Reg. S-P, which are referred to as the “safeguard rule” and the “disposal rule,” respectively, are summarized below.

EXISTING SECTION 248.30

Section 248.30 of Regulation S-P currently requires every registered broker, dealer, investment company, and investment adviser to adopt policies and procedures that address the administrative, technical, and physical safeguards for the protection of customer records and information. Such policies and procedures must be reasonably designed to: (i) insure the security and confidentiality of customer records and information; (ii) protect such records from any anticipated threats or hazards to their security or integrity; and (iii) protect against unauthorized access to or use of customer records or information that could result in harm or inconvenience to the customer.

The substance of the revisions to Rule 248.30 was required of the Commission, the Federal Trade Commission, and other federal regulators of financial institutions by the December 2003 enactment of Section 628 of the Fair Credit Reporting Act (“FCRA”).

REVISIONS TO RULE 248.30 – THE SAFEGUARD RULE AND THE DISPOSAL RULE

Rule 248.30 has been amended in two ways. First, it has been revised to expressly require the policies and procedures that are currently mandated by the rule to be in writing. This portion of the rule is referred to as the “safeguard rule.” Second, it adds a new subsection (b) to the rule to require persons covered by the rule that dispose of specified information to take reasonable measures to protect the discarded information from unauthorized access to or use of it.[2] The particulars of this new subsection (b), which is referred to as the “disposal rule,” are as follows:

The persons covered by the disposal rule – The disposal rule applies to any person that (1) is a registered broker or dealer,[3] investment company, investment adviser, or transfer agent[4] and (2) possesses consumer report information[5] for a business purpose.

The information covered by the disposal rule – Unlike the remainder of Reg. S-P, which broadly governs the treatment of all nonpublic personal information, the disposal rule only applies to the disposal of information obtained or derived from a “consumer report” as defined in FCRA. The Adopting Release clarifies that information that is derived from a consumer report but “does not identify individuals, such as aggregate information or blind data is not covered by the [Rule’s] definition of ‘consumer report information.’”[6]

The disposal of information – As defined in the disposal rule, “disposal” means the discarding or abandonment of any consumer report information and the sale, donation, or transfer of any medium (e.g., computers) on which consumer report information is stored.[7] The rule does not require any person to maintain or destroy any information. Instead, it governs the treatment of information being discarded. The Adopting Release acknowledges that there “are few foolproof methods of record destruction.” Accordingly, rather than requiring entities to “ensure the perfect destruction of consumer report information in every instance,” the disposal rule requires entities to take “reasonable measures” to protect against unauthorized access to discarded information. These steps might include:

• The burning, pulverizing, or shredding of paper records;
• The destruction or erasure of electronic records so that information cannot be read or reconstructed;
• “After due diligence,”[8] contracting with another party in the business of record destruction to destroy the records in a way that would be consistent with the rule; or
• For an entity that maintains or otherwise possesses consumer report information through its provision of services to a person that is subject to subsection (b), implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer report information and disposing of the information in accordance with the revised rule.[9]

Reasonable measures – The disposal rule is intended to provide entities flexibility in determining what constitutes reasonable measures based upon their particular circumstances. As discussed in the Proposing Release, in making this determination, an entity should consider the sensitivity of its consumer report information, its size and the complexity of its operations, the costs and benefits of different disposal methods, and relevant technological changes. Also, reasonable measures may require elements such as the establishment of policies and procedures governing disposal and appropriate employee training. To the extent an entity already has policies and procedures governing the disposal of information under Reg. S-P, such policies and procedures might be used to satisfy the requirements of the safeguard rule.

EFFECTIVE DATE

As noted above, the compliance date for the revised rule is July 1, 2005. The SEC has, however, provided registrants until July 1, 2006 to revise their existing contracts with service providers for services involving the disposal or destruction of consumer report information.

Tamara K. Salmon
Senior Associate Counsel

[1] See Disposal of Consumer Report Information, SEC Release Nos. 34-50781, IA-2332, and IC-26685 (Dec. 2, 2004), 69 Fed. Reg. 71322 (Dec. 8, 2004) (“Adopting Release”). The Adopting Release is available on the SEC’s website at: http://www.sec.gov/rules/final/34-50781.htm.

[2] An entity that is subject to the disposal rule should ensure that its written policies and procedures under the safeguard rule incorporate the requirements of the disposal rule.

[3] A broker or dealer that is registered with the SEC by notice under Section 15(b)(11) of the Securities Exchange Act of 1934 would not be subject to the safeguard rule.

[4] Unlike most of Reg. S-P, the safeguard rule would expressly apply to transfer agents.

[5] “Consumer report” is defined in FCRA to mean any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under FCRA. See Release at fn. 9.

[6] Adopting Release at p. 4.

[7] By contrast, the sale, donation, or transfer of consumer report information would not be a “disposal” under the safeguard rule.

[8] According to the Adopting Release, “. . . due diligence could include reviewing an independent audit of the disposal company’s operations and/or its compliance with the disposal rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.” Adopting Release at p. 6.

[9] Unlike the other examples of reasonable disposal measures, this last example was not included in the Commission’s proposing release (i.e., SEC Release No. 34-50361 (Sept. 14, 2004), 69 Fed. Reg. 56304 (Sept. 20, 2004) (“Proposing Release”)). According to the Adopting Release, this example was added to “clarify the ‘reasonable measures’ standard requirements when information is transferred or otherwise provided to service providers.”
