issued April 16, 2019
On April 16, 2019 the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert on Privacy Notice and safeguard policy compliance issues. The alert applies to investment advisers and broker-dealers (“registrants”) alike. OCIE drew on issues identified in deficiency letters from broker-dealer and adviser examinations completed by the Staff during the past two years. SEC registrants should note that the Commission has issued deficiency notices and pursued enforcement actions on the basis of non-compliance with Risk Alerts, including where the alert rests on guidance rather than on a rule.
Regulation S-P and the Safeguards Rule thereunder are the primary regulations underlying the focus of the SEC’s Risk Alert guidance.
Regulation S-P requires registrants to:
- Provide a clear and conspicuous notice to customers that accurately reflects the registrant’s privacy policies and practices, no later than when the customer relationship is established (“Initial Privacy Notice”);
- Provide a clear and conspicuous notice to customers that accurately reflects the registrant’s privacy policies and practices not less than annually for as long as the customer relationship continues (“Annual Privacy Notice”); and
- Where applicable, deliver a clear and conspicuous notice to customers that accurately explains their right to opt out of some disclosures of nonpublic personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”).
Regulation S-P references the information which must be included in Privacy Notices and Opt-Out Notices. This information includes the categories of nonpublic personal information that the registrant collects and discloses.
The Safeguards Rule under Regulation S-P requires registrants to:
- Adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information; and
- Reasonably design policies and procedures to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to their security or integrity, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Privacy Notice and Opt-Out Notice failures cited by OCIE included:
- Failure to provide Initial and Annual Privacy Notices and, when required, Opt-Out Notices
- Notice content that did not match the registrant’s actual information-sharing practices
- Failure to notify customers of their right to opt out of the registrant’s sharing of information with nonaffiliated third parties
Safeguards Rule policy and procedure failures cited by OCIE included:
- Absence of written policies and procedures
- Incomplete policies and procedures
- Poorly designed policies and procedures
- Storage of customer information on personal devices without adequate procedures and internal controls
- Electronic communications sharing customer personally identifiable information (“PII”) without encryption or security controls
- Lack of employee training to convey proper use of personal devices and handling of customer information
- Lack of internal controls to prohibit sending customer PII to unsecured locations outside the registrant’s network
- Deficient third-party vendor policies; e.g., failure to require vendors to contractually agree to keep customer PII confidential, even though such agreements were mandated by policy
- Lack of identification of all systems on which customer PII was stored … which impedes the implementation of strong protective controls
- Inadequate internal controls relative to incident documentation/resolution, e.g., failure to identify responsible parties, no instructions for handling cybersecurity incidents, and no requirements to assess system vulnerabilities
- Weak physical security controls over hard copy customer PII records
- Unnecessary distribution of customer login credentials
- Weak employee termination controls, which facilitated continued access to PII by terminated employees
To remain compliant with Regulation S-P and the Safeguards Rule:
- Examine your firm’s information handling and sharing practices and carefully design policies, notices, and opt-outs to match your practices
- Leverage the regulators’ jointly issued model privacy form: a registrant that uses it as a common privacy notice meets the content requirements for privacy and opt-out notices and enjoys safe harbor protection under the privacy regulations
- Leverage the FAST Act exemption from the Annual Privacy Notice obligation, available to registrants that: (a) do not share nonpublic personal information about the customer except for certain purposes that do not trigger the customer’s statutory right to opt out; and (b) have not changed their policies and practices for disclosing nonpublic personal information from those disclosed in the most recent Privacy Notice
- Be mindful of the body of rules and regulatory guidance that affect privacy and information handling outside the framework of Regulation S-P, which include:
  - Regulation S-AM, which governs the sharing of customer information for marketing purposes
  - Regulation S-ID (Identity Theft Red Flags), which requires certain financial institutions to adopt identity theft prevention programs
  - GDPR, which sets legal requirements for the collection and processing of personal information of individuals within the European Union
  - State privacy regulations, which vary by state and govern the handling of the personal information of state residents
  - State data security regulations, which require businesses and governments to take specific measures to keep electronic data secure and generally include security breach notification laws
  - Cybersecurity guidance from the SEC and state authorities on protecting personal information from cyber-attacks and related risks
- Document all compliance related activity pursuant to implementation of policy, procedure and internal controls
The Staff reiterated in its Risk Alert that the issues highlighted above are not all-inclusive. Enforcement actions for privacy rule violations are on the rise, and security incidents carry reputational risk in addition to regulatory exposure.
©1998-2019 Horrigan Resources, Ltd.
PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual; in short, any data that could potentially be used to identify a particular person. The definition of PII is not anchored to any single category of information or technology; it requires a case-by-case assessment of the specific risk that an individual can be identified.