Regulation S-P – Privacy Notices and Safeguard Policies

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on compliance issues related to privacy regulations. The alert comes from recent examinations of broker-dealers and registered investment advisers.

Regulation S-P is the primary SEC rule regarding privacy notices and safeguards. The Risk Alert doesn’t cover all of the requirements of Reg S-P or all of the problems OCIE found regarding Reg S-P over the last two years.

The most frequent deficiencies and weaknesses were:

  • Failure to provide notification, including initial privacy notices, annual privacy notices, and opt-out notices.
  • Lack of policies and procedures as required by Regulation S-P.
  • Lack of safeguards of customer data on personal devices.
  • Sending unencrypted email communication with personally identifiable information (PII).
  • Lack of data privacy training.
  • Sending PII to networks outside of the registrant’s network.
  • Failure to follow privacy policies regarding outside vendors.
  • Failure to maintain a PII inventory.
  • Insufficient incident response plans.
  • Storage of PII in insecure physical locations.
  • Making customer login information available to more employees than permitted under the firm’s policies and procedures.
  • Failure to remove login rights from departed employees.


Phone Phishing

The old-fashioned telephone turns out to be a way to hack into other people’s accounts. Voya Financial was the victim of cybercriminals using their phones instead of their computers.

Voya ran the portal its investment advisers and registered representatives used to manage the accounts of their customers. Voya also had a support line to help the advisers and representatives with problems on the portal, including resetting passwords to the portal.

The hackers called the support line impersonating an adviser or representative and got access to the portal. That gave the hackers access to Voya’s customer and account information.

The bad facts for Voya were that some of those hacker calls came from phone numbers that Voya had previously flagged for fraudulent activity. I guess that means the hacker called one person on the support line and failed to get past that support person. So the hacker tried again with a different support person who was more willing to believe the hacker.

At least one of the impersonated representatives called the support line saying he had received an email confirming a password change that he had not requested. The red flag was up that Voya was under attack, but at least two other attacks were subsequently successful.

Voya had to pay a $1 million penalty and be subject to a third-party compliance review. The penalty was imposed even though there was no known negative financial impact on the Voya customers. It looks like the hackers got in, but couldn’t get money out.

The case appears to be the first action under Rule 201 of Regulation S-ID (17 C.F.R. § 248.201), the “Identity Theft Red Flags Rule”.
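The two controls the Voya facts point at are easy to state in code: a support desk should refuse a phone-initiated reset from a caller number already flagged for fraud, whichever agent takes the call, and should freeze phone resets for an account as soon as its holder reports an unrequested reset. The following is an added illustration of that screening logic, not Voya’s system or any code from the SEC order; the account ids, phone numbers and agent names are constructed.

```python
"""Helpdesk password-reset screening (illustrative, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class ResetScreener:
    flagged_numbers: set                                 # caller numbers previously tied to fraud
    under_attack: set = field(default_factory=set)       # accounts whose holder reported abuse
    audit: list = field(default_factory=list)            # every decision is logged for review

    def report_unrequested_reset(self, account: str) -> None:
        """Account holder says they got a reset confirmation they never asked for."""
        self.under_attack.add(account)
        self.audit.append(("victim_report", account))

    def screen(self, account: str, caller_number: str, agent: str) -> str:
        """Decide whether a phone-initiated reset may proceed; returns 'allow' or 'deny'."""
        if caller_number in self.flagged_numbers:
            # Same answer for every agent: a retry with a friendlier agent changes nothing.
            self.audit.append(("deny_flagged_number", account, caller_number, agent))
            return "deny"
        if account in self.under_attack:
            # A victim report freezes phone resets until the account is cleared out of band.
            self.audit.append(("deny_account_under_attack", account, caller_number, agent))
            return "deny"
        self.audit.append(("allow", account, caller_number, agent))
        return "allow"


# Constructed sample call log: (account, caller number, agent who took the call).
SAMPLE_CALLS = [
    ("rep-1001", "+1-555-0100", "agent-A"),  # flagged number, first attempt
    ("rep-1001", "+1-555-0100", "agent-B"),  # same flagged number, retry with a second agent
    ("rep-2002", "+1-555-0199", "agent-A"),  # unflagged number, no report on file: allowed
    ("rep-2002", "+1-555-0123", "agent-C"),  # placed after rep-2002 reported an unrequested reset
]


def run_sample() -> list:
    """Replay the constructed call log and return the decision for each call."""
    screener = ResetScreener(flagged_numbers={"+1-555-0100"})
    decisions = []
    for index, (account, number, agent) in enumerate(SAMPLE_CALLS):
        if index == 3:
            screener.report_unrequested_reset("rep-2002")  # the victim's call comes in first
        decisions.append(screener.screen(account, number, agent))
    return decisions


if __name__ == "__main__":
    print(run_sample())  # ['deny', 'deny', 'allow', 'deny']
```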


New SEC Rule to Protect Investors from Identity Theft


The Securities and Exchange Commission adopted new rules requiring investment advisers, broker-dealers, mutual funds, and certain other entities regulated by the agency to adopt programs to detect red flags and prevent identity theft.

In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act amended the Fair Credit Reporting Act to add the SEC to the list of federal agencies that must adopt and enforce identity theft red flags rules. In February 2012, the SEC proposed identity theft red flags rules and guidelines and card issuer rules for public notice and comment. Yesterday, the SEC issued the final rule.

Originally, it looked like investment advisers (and therefore private fund managers) might escape the rule. However, the final rule explicitly includes registered investment advisers as being subject to the rule.

Investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions. If such an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor.

The SEC concluded that the red flag program of a qualified custodian that maintains custody of an investor’s assets would not adequately protect individuals holding transaction accounts with an adviser. The adviser could give an order to withdraw assets, but at the direction of an impostor. However, an adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account, because the adviser would not be making the payments to third parties.

Does this apply to private funds?

Private fund managers may directly or indirectly hold transaction accounts. According to the SEC rule, if an individual invests money in a private fund, and the adviser to the fund has the authority to direct the individual’s investment proceeds (such as distributions) to third parties, then that adviser would indirectly hold a transaction account. The SEC concludes that a private fund adviser would hold a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor.

I’m not sure that I agree with the SEC conclusion. However, I do agree that funds need to make sure that distributions are not re-directed improperly. Private fund managers will have to put some effort into this.

It is going to take some time to figure out how this rule applies in the context of fund operations. The subscription agreement and partnership agreement for a fund may not explicitly address whether an investor can direct distributions to a third-party account. I think that would be an unusual restriction.

The SEC-mandated program under the rule should include policies and procedures designed to:

  • Identify relevant types of identity theft red flags.
  • Detect the occurrence of those red flags.
  • Respond appropriately to the detected red flags.
  • Periodically update the identity theft program.

The rules require entities to provide such things as staff training and oversight of service providers. The rules include guidelines and examples of red flags to help firms administer their programs.

The final rules will become effective 30 days after publication in the Federal Register. The compliance date for the final rules will be six months after their effective date.


Data Breaches in Massachusetts

Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government. On October 31, 2007, the Commonwealth’s Data Security Breach Law, Mass. Gen. Law c. 93H, went into effect. On March 1, 2010, the Office of Consumer Affairs and Business Regulation’s Data Security Regulations, 201 CMR 17.00, went into effect.

The Office of Consumer Affairs and Business Regulation has been tracking the data breach notifications it has received under the law. As of Sept. 30, 2011, there had been 1,833 notifications of security breaches. The number of Massachusetts residents affected by the reported incidents since November 1, 2007 now totals 3,166,031. (I’m not sure whether the report double counts residents who were involved in more than one data breach. After all, there are fewer than 7 million residents in Massachusetts.)

The biggest breach in 2011 was the Sony PlayStation Network incident, which affected 560,990 residents. The second largest came from the state itself, when 245,000 residents were affected by a large malware data breach in the Department of Unemployment Assistance. That puts entertainment and state government in the top two slots for breach types in 2011 and in third and fourth place for breaches since 2007. Health care and financial services are the leading industries for breaches.


Proposed Identity Theft Red Flags Rules

Identity theft is a serious problem. Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act increased the scope of firms that would be subject to federal regulatory requirements on identity theft rules. The Securities and Exchange Commission and the Commodity Futures Trading Commission just published a proposed rule addressing that new scope.

Section 10889(a)(8), (10) of Dodd-Frank amended the Fair Credit Reporting Act by adding the CFTC and SEC to the list of federal agencies required to create and enforce identity theft red flag rules. The new rule proposal would require SEC-regulated entities to adopt a written identity theft program that would include reasonable policies and procedures to:

  • Identify relevant red flags.
  • Detect the occurrence of red flags.
  • Respond appropriately to the detected red flags.
  • Periodically update the program.

The proposed rule would include guidelines and examples of red flags to help firms administer their programs.

As a newly registered investment adviser, this looked like a daunting prospect. The rule does list specific entities in its definition of “financial institution.” That means investment advisers and private fund managers are not excluded.

However, the requirements are further limited to a “transaction account”: “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third parties or others.” 12 U.S.C. 461(b)(1)(C).

Smartly, the SEC recognizes that most registered investment advisers (and private fund managers) are unlikely to hold transaction accounts and would not qualify as a “financial institution”. One of the questions soliciting comments in the proposed rule is whether the rule should “omit investment advisers or any other SEC-registered entity from the list of entities covered by the proposed rule?”

I think it makes sense to look at the account itself and not just the institution. Particularly in the case of private fund managers, there are usually only limited windows when cash can come out of the accounts and be returned to investors.

Even if the limited partner interests are not a transaction account, it may make sense to look at the final rule as a model for some internal policies and procedures.


Enforcement of the Massachusetts Data Privacy Law

It’s been almost 18 months since the Massachusetts Data Privacy Law went into effect. Belmont Savings Bank has become one of the first charged with violating the law.

Belmont Savings Bank maintained personal information on an unencrypted backup data tape and then lost the tape. According to surveillance footage the tape was likely discarded inadvertently by the overnight clearing crew and sent to the incinerator.

There were several rounds of changes between the first version of 201 CMR 17.00 and the final one. One central element was the requirement that there be a written information security plan in place if your company has “personal information” on a Massachusetts resident. Obviously, you also need to comply with the plan.

In this case, Belmont Savings Bank had the plan, but it failed to comply with it. The data tape should have been locked up overnight and not left on a desk.

The Massachusetts Attorney General entered into an Assurance of Discontinuance with Belmont Savings Bank. As part of the settlement, the bank has to:

  • encrypt, to the extent technically feasible, all personal information stored on backup data tapes
  • store backup data tapes containing personal information in a secure location
  • effectively train its workforce on the policies and procedures with respect to maintaining the security of personal information

There is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose. The Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions to determine appropriate restitution.


Is Your Copier in Compliance?

I remember the days of the mimeograph. In class people would inevitably sniff the newly printed pages. For a teacher, the danger was that the latent copy would fall into the wrong hands. Animal House highlighted that danger.

Current-day copiers are much more advanced than the mimeograph, but the danger of the latent copy still exists. Most modern copy machines are just special-purpose computers. Like all computers, they have a hard drive. On that hard drive, they store the images of the documents they copy and scan.

That’s not a problem until you give back the copier. Then you should be concerned that the next person who gets it could simply pull some of your documents off the hard drive. Last year, CBS highlighted this problem in an investigative piece by Armen Keteyian: Digital Photocopiers Loaded With Secrets.

Now the Federal Trade Commission has decided to take a stance. Not a definitive stance, but guidance. The FTC points out that companies must maintain reasonable procedures to protect sensitive information. That may include your copy machine.

When you finish using the copier:

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.


Data Privacy Day

Data Privacy Day is January 28, 2011.

There are events throughout the week to inform and educate us all about our personal data rights and protections.

Here are some key reminders:

  1. Never Post or Share Personal Information such as a date of birth, personal address, or maiden name, because identity thieves now friend as many people as possible and join networks solely for the purpose of harvesting information to use to commit identity fraud.
  2. Always Update Your Software
  3. Use Complex Passwords
  4. Don’t Download Just Any Application
  5. Avoid Peer-to-Peer File Sharing


Feds Release Usable Model Consumer Privacy Notice

There was much cheering when federal regulators finally released their Final Model Privacy Notice Form back in November.

That was quickly followed by a gnashing of teeth when it turned out the regulators did not understand the concept of a form or how to use Adobe Acrobat. They had merely created a static document that you would have to spend hours trying to recreate.

They have finally released a version of the model privacy notice that is a fillable form using Adobe Acrobat.

To obtain a legal “safe harbor” and so satisfy the Gramm-Leach-Bliley Act’s disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder.
