Memo #22305

SEC Proposes Amendments to Reg. S-P To Require Comprehensive Data Security Plans And Breach Notices; Call Scheduled 3/25

March 7, 2008

TO: CLOSED-END INVESTMENT COMPANY COMMITTEE No. 4-08
COMPLIANCE ADVISORY COMMITTEE No. 4-08
INVESTMENT ADVISERS COMMITTEE No. 3-08
OPERATIONS COMMITTEE No. 5-08
PRIVACY ISSUES WORKING GROUP No. 1-08
SEC RULES COMMITTEE No. 18-08
SMALL FUNDS COMMITTEE No. 7-08
TECHNOLOGY COMMITTEE No. 5-08
TRANSFER AGENT ADVISORY COMMITTEE No. 13-08
UNIT INVESTMENT TRUST COMMITTEE No. 4-08

RE: SEC PROPOSES AMENDMENTS TO REG. S-P TO REQUIRE COMPREHENSIVE DATA SECURITY PLANS AND BREACH NOTICES; CALL SCHEDULED 3/25

 

The Securities and Exchange Commission has proposed for comment extensive amendments to Rule 248.30 in Regulation S-P, which governs the duty of registered investment companies, investment advisers, and broker-dealers to safeguard and properly dispose of customer records and information. [1]  Importantly, the amendments would also, for the first time, subject transfer agents to Rule 248.30 of Reg. S-P, rather than to the FTC’s safeguard rule.

 

Comments on the proposal are due to the SEC within 60 days of the proposal’s publication in the Federal Register.  The Institute will hold a conference call on Tuesday, March 25th at 3 p.m. Eastern Time to discuss the Commission’s proposal.  If you plan to participate on the call, please let Lynnette Smith know by email (lsmith@ici.org) as soon as possible, but no later than Friday, March 21st.  If you are unable to participate in the call but have comments on the proposal, please provide them to Tami Salmon prior to the call by phone (202-326-5825) or email (tamara@ici.org).

 

As discussed in more detail below, among other things, these amendments would require federally-registered investment companies, investment advisers, broker-dealers, and transfer agents (collectively referred to as “registrants”) to:

 

  • Develop, implement, and maintain a comprehensive information security program that satisfies certain objectives;
  • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of the personal information maintained by the registrant and the registrant’s response to such risks;
  • Have written procedures addressing and responding to unauthorized access to or use of personal information, including filing proposed new Form SP-30 with the SEC and providing notice to affected individuals under certain circumstances; and
  • Ensure the proper destruction of information that includes personal information when destroying such information. 

 

The proposal would also add a new limited exception to Rule 248.15, which provides exceptions from Reg. S-P’s notice and opt-out requirements, to enable broker-dealer and investment adviser representatives who switch firms to transfer limited customer information from their old firm to their new firm. 

 

I. Information Security Programs

 

As proposed, Rule 248.30 of Reg. S-P would require each registrant to develop, implement, and maintain a comprehensive information security program (the “program”) that includes written policies and procedures providing administrative, technical, and physical safeguards for protecting personal information.  Each registrant’s program must be appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of personal information at issue.  It must also meet the conditions discussed below.

 

A. Objectives

 

The program must be reasonably designed to: ensure the security and confidentiality of personal information; protect against any anticipated threats or hazards to the security or integrity of personal information; and protect against unauthorized access to or use of personal information “that could result in substantial harm or inconvenience to any consumer, employee, investor, or security holder who is a natural person.” [2] 

 


B. Safeguards

 

The rule would require the registrant to:

 

  • Designate in writing an employee or employees to coordinate its program;
  • Identify in writing reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information and systems that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information or systems;
  • Design and implement, and maintain a written record of, safeguards to control the risks identified;
  • Regularly test or otherwise monitor and document the effectiveness of the safeguards’ key controls, systems, and procedures including: access controls, incidents of unauthorized access, and employee training and supervision relating to the program;
  • Take reasonable steps to select, retain, and oversee service providers[3] that are capable of maintaining appropriate safeguards for the registrants’ personal information and document such efforts;
  • Require service providers by contract to implement and maintain appropriate safeguards; and
  • Evaluate and adjust the program in light of any tests conducted of it or any relevant changes in technology, operations, business arrangements, or other circumstances that may have a material impact on it.

 

C. Responding to Unauthorized Access or Use; Use of Proposed Form SP-30

 

The revised rule would address responding to unauthorized access to or use of personal information, including notifying individuals and the SEC of such occurrences.  In particular, the rule would require the program to include written procedures to:

 

  • Assess and create a record of the nature and scope of any incident involving unauthorized access to or the use of personal information;
  • Take appropriate steps to contain and control the incidents to prevent further occurrences and maintain a written record of such steps;
  • In the event of an incident of unauthorized access to sensitive personal information,[4] promptly conduct a reasonable investigation, determine the likelihood that the information has been or will be misused and maintain a written record of such determination;
  • In the event the registrant determines that misuse has occurred or is reasonably possible, notify each individual as required by the revised rule, and maintain a written record of such notification;[5]
  • Provide notice on proposed Form SP-30 to the principal office of the SEC as soon as possible after an incident that presents a significant risk of substantial harm or inconvenience[6] to an individual or when an unauthorized person intentionally obtains access to or uses sensitive personal information.

 

D. Notifying Individuals of Unauthorized Access or Use

 

In the event the registrant determines that an unauthorized person has obtained access to or used sensitive personal information and the misuse of such information has occurred or is reasonably possible, the rule requires the registrant to notify “each individual with whom the information is identified in a clear and conspicuous manner and by means designed to ensure that the individual can reasonably be expected to receive it.” [7]  Such notice must:

 

  • Describe in general terms the incident and the type of sensitive personal information that was subject to unauthorized access or use;
  • Describe the steps taken by the registrant to protect the information from further unauthorized access or use;
  • Include a toll-free telephone number to call or, if there is not a toll-free number, a telephone number to call and the address and name of a specific office to write to for further information and assistance;
  • Recommend that the individual review his or her account statements and immediately report any suspicious activity to the registrant; and
  • Include information about resources the FTC provides regarding how to protect against identity theft, along with contact information for the FTC and a statement encouraging the individual to report any incidents of identity theft to the FTC.

 

II. Disposal of Personal Information

 

As stated above, the proposed rule would require registrants to adopt written policies and procedures addressing the proper disposal of personal information and to document such disposal.  Under the rule, proper disposal would involve taking reasonable measures to protect against unauthorized access to or use of the information when disposing of it.  This portion of the rule clarifies that it does not require a registrant to maintain or destroy any records except as otherwise required by law.

 

III. Recordkeeping

 

Many provisions of the proposed rule would require the registrant to maintain records documenting its compliance with the rule’s various requirements.  The rule would include a “recordkeeping” section specifying the period of time for which such records must be maintained.  Investment companies would be required to maintain their records as specified in Rule 31a-2(a)(4)-(6) under the Investment Company Act, which requires records to be maintained for not less than six years, the first two in an easily accessible place.  Transfer agents’ records would have to be maintained in accordance with Rule 17Ad-7(b) under the Securities Exchange Act of 1934, which imposes a two-year retention requirement.  And, an investment adviser must maintain its records for five years as required by Rule 204-2(e)(1) under the Investment Advisers Act.

 

IV. Form SP-30

 

As mentioned above, the rule would require proposed Form SP-30 to be filed with the SEC whenever there is any incident of unauthorized access to or use of personal information in which either there is a significant risk that an individual might suffer substantial harm or inconvenience, or an unauthorized person has intentionally obtained access to or used sensitive personal information.  Form SP-30 would require disclosure of specified information including: a detailed description of the security incident containing certain information; steps taken in response, including whether affected individuals are being notified; customer account losses; and unauthorized changes to securities portfolios.

 

V. Amendments to Rule 248.15

 

Rule 248.15 of Reg. S-P excepts from the Regulation’s notice and opt-out requirements certain disclosures of nonpublic personal information.  The Commission has proposed to amend this rule to add a new exception for representatives of a broker-dealer or investment adviser who leave the employ of one registrant to become the representative of another.  This exception would permit the representative to disclose to the new firm limited information about the representative’s existing customers, i.e., the customer’s name, a general description of the type of account and products held by the customer, and the customer’s contact information.  A representative could not disclose any account number, social security number, or securities positions under this exception.  The sharing of this information would be conditioned on the representative providing a written record to its existing broker-dealer or investment adviser of the information that will be disclosed to its new employer pursuant to the exception.

 

VI. The Release’s Cost/Benefit Estimates

 

According to the Release, the staff estimates that the time “smaller institutions” would devote to initial compliance with the proposed amendments would range from 2 to 80 hours, with a midpoint of 41 hours.  Their implementation costs are estimated to be approximately $18,560. [8]  These estimates reflect the following time allocations:

 

  • 1 hour for the board of directors to designate an information security program coordinator;[9]
  • 1 hour for the program coordinator to review the amendments;
  • 4 hours to assess risks and review procedures;
  • 10 hours to review, revise, and implement new safeguards (including any data breach notification procedures);
  • 8 hours to test the effectiveness of the safeguards controls and procedures;
  • 7 hours to train staff; and
  • 10 hours to review service providers’ policies and procedures and revise contracts as necessary to require them to maintain appropriate safeguards.

 

The Commission estimates that “larger institutions” would devote 40-400 hours on compliance, with a midpoint of 220 hours.  This estimate includes, in part, 2 hours for the program coordinator to review the amendments, 42 hours to assess risks and review procedures, 60 hours to review, revise, and implement new safeguards, 60 hours to test the effectiveness of the safeguards controls and procedures, 34 hours to train staff, and 20 hours to review service providers’ procedures and revise contracts appropriately.  It is estimated that these efforts would cost registrants approximately $172,732 each.

 

As regards the breach notification provisions, the Release estimates that it would take a smaller institution approximately 10 hours to respond appropriately to potential incidents of data security breach, which includes investigating the breach and notifying affected individuals.  For a larger institution, the Commission estimates this process would take 20 hours, in part, “because larger institutions are likely to conduct more complicated investigations that require more detailed explanations on proposed Form SP-30” due to the fact that they “may experience more sophisticated security attacks.” [10]

 

Though not quantified, the Release notes that the benefits from the proposal include “boosting investor confidence and mitigating losses due to security breach incidents, helping to ensure that information security programs are actively managed and regularly updated, and reducing the compliance burden for institutions in the event of a data security breach incident.” [11]

 

In addition to soliciting members’ comments on the proposed amendments to Reg. S-P during the Institute’s March 25th call, we are also interested in obtaining members’ views concerning the costs that are likely to be associated with implementing them.

 

Tamara K. Salmon
Senior Associate Counsel

Endnotes

 [1]  See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, SEC Release Nos. 34-57427, IC-28178, and IA-2712 (March 4, 2008) (the “Release”).  The Commission’s proposal is patterned after similar provisions adopted by other federal regulators of financial institutions in 2001 to implement the Gramm-Leach-Bliley Act.  See Release at n. 23.

 [2]  See proposed Rule 248.30(a)(2)(iii).  Note that, currently, Rule 248.30 only applies to customer records and information – not to consumers’ or employees’ information.

 [3]  “Service provider” is defined to mean “any person or entity that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a broker, dealer, investment company, or investment adviser or transfer agent registered with the Commission.”

 [4]  “Sensitive personal information” is defined in the rule to mean “personal information, or any combination of personal information, that would allow an unauthorized person to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information including the individual’s: social security number; or name, telephone number, street address, e-mail address, or online user name, in combination with the individual’s account number, credit or debit card number, driver’s license number, credit card expiration date or security code, mother’s maiden name, password, personal identification number, biometric record, or other authenticating information.”  “Personal information” is defined as “any record containing consumer report information, or nonpublic personal information . . . that is identified with any consumer, or with any employee, investor, or security holder who is a natural person, whether in paper, electronic, or other form, and is handled by or maintained by [the registrant or on its behalf].”

 [5]  Such notice to individuals may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and requests, in writing, that it be delayed.

 [6]  “Substantial harm or inconvenience” is defined to mean “personal injury, or more than trivial financial loss, expenditure of effort or loss of time, including theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of information identified with an individual to obtain a financial product or service, or access, log into, effect a transaction in, or otherwise use the individual’s account.”  Expressly excluded is any unintentional access to personal information by an unauthorized person that results only in trivial financial loss, expenditure of effort or loss of time (e.g., the registrant deciding to change the individual’s account number or password).

 [7]  See proposed Rule 248.30(a)(5).

 [8]  Interestingly, the Release estimates that smaller institutions currently spend between $5,000 and $1,000,000 per year to comply with the existing safeguard and disposal rules.

 [9]  Note, however, that unlike the Interagency Guidelines, which expressly require the institution’s board of directors to approve the institution’s program and oversee its implementation and maintenance, the proposed amendments do not require board approval of an information security program coordinator.

 [10]  Release at p. 54.

 [11]  Release at p. 59.