In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.
Specifically, the amendments would require covered entities, such as broker-dealers, investment advisers and investment companies, to adopt more detailed policies for safeguarding and disposing of clients’ confidential personal information. The proposed rules also would require regulated businesses to establish standards for responding to data breaches. However, the new regulations would ease existing restrictions on firms recruiting registered representatives by allowing representatives who switch firms to disclose certain client information without having to comply with the usual notice and opt-out rules under Regulation S-P.
Safeguards and Disposal Rule Expanded To Require Comprehensive Information Security Program
The SEC’s proposed amendments to Regulation S-P develop and broaden the existing safeguards rule. Under the current rule, broker-dealers, registered advisers and investment companies must adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments build upon the existing rule by requiring each business subject to the safeguards rule to develop, implement, and maintain a comprehensive “information security program.” Such a program must be designed to:
(i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or securityholder who is a natural person.
Companies also would need to preserve written records of the information security program, as well as written records that they have met the requirements of developing, maintaining and implementing the program.
Moreover, the amendments would broaden the type of information covered under the safeguards and disposal rules. According to the SEC, the current rules do not adequately define the scope of personal information subject to Regulation S-P, and thus, the new rules would define personal information broadly “to encompass any record containing either ‘nonpublic personal information’ or ‘consumer report information.’” Consumer report information is defined in the Fair Credit Reporting Act as any information from a consumer reporting agency related to a consumer’s creditworthiness, credit standing, credit capacity, character, or general reputation.
Responding to Data Breaches
Firms also would be required under the proposed amendments to implement policies and procedures to respond to data breaches. The proposed regulations compel companies experiencing incidents of unauthorized access to personal information to promptly notify affected customers “if misuse of sensitive personal information has occurred or is reasonably possible.” Companies also would have to notify the SEC of a data breach if “an individual identified with the information has suffered substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information.”
Recruiting Registered Representatives
According to the proposed amendments, registered representatives seeking to join a new firm could bring with them certain personal information related to their clients without violating Regulation S-P’s notice and opt-out requirements, which require that a consumer give consent, either express or implied, before a company may disclose the consumer’s personal information to a non-affiliated third party. In particular, a migratory representative may bring to his or her new firm “a customer’s name, a general description of the type of account and products held by the customer, and the customer’s home address, telephone, and email information.”
Under the current standards, before a representative joins a new firm, the representative and the new firm must obtain consent from clients if they intend to use client information. This policy sparked considerable controversy in 2007 when the SEC initiated an administrative proceeding against NEXT Financial Group, Inc., a registered broker-dealer, claiming that NEXT allowed registered representatives to take nonpublic client information without client consent when they left NEXT for other firms. The SEC also alleged that NEXT aided and abetted violations of Regulation S-P by requiring its recruited representatives to provide NEXT with the client information from the representative’s previous firm. For more on the NEXT Financial proceeding, see our post of last year here.
Companies and commentators argued that the position the SEC took with NEXT interferes with the broker-client relationship, causes substantial delays in the account transfer process, and creates a “blackout period” in which clients cannot place trades because receipt of notice and consent are still pending. The proposed amendment to Regulation S-P would reduce the burdens on representatives by permitting them to use certain information to solicit clients for their new firm.
The proposed rule to amend Regulation S-P can be found here. The SEC is accepting comments on the proposed amendments until May 12, 2008.