While the Security and Exchange Commission’s (SEC) proposed amendments to Regulation S-P await final rule status, the Commonwealth of Massachusetts has enacted sweeping new data security and identity theft legislation. At present, approximately 45 states have enacted some form of data security laws, but before Massachusetts passed its new legislation, only California had a statute that required all businesses to adopt a written information security program. Unlike California’s rather vague rules, however, the Massachusetts information security mandate is quite detailed as to what is required and carries with it the promise of aggressive enforcement and attendant monetary penalties for violations.
Because the new Massachusetts rules are a good indication of the direction of privacy-related regulation on the federal level, its impact is not limited solely to those investment advisers with Massachusetts clients. The similarities between the new Massachusetts data security laws and the proposed amendments to Regulation S-P affords advisers an excellent preview of their future compliance obligations as well as useful guidance when constructing their current data security and protection programs. All investment advisers would benefit from understanding the new Massachusetts regulations and should consider using them as the basis for updating their information security policies and procedures in advance of changes to Regulation S-P. This article provides an overview of both the proposed amendments to Regulation S-P and the new Massachusetts data storage and protection law and suggests ways that investment advisers can use the new Massachusetts rules to better prepare for the realities of a more exacting Regulation S-P.
Proposed Amendments to Regulation S-P
The SEC’s proposed amendments to Regulation S-P set forth more specific requirements for safeguarding personal information against unauthorized disclosure and for responding to information security breaches. These amendments would bring Regulation S-P more in-line with the Federal Trade Commission’s Final Rule: Standards for Safeguarding Customer Information, currently applicable to state-registered advisers (the “Safeguards Rule”) and, as will be detailed below, with the new Massachusetts regulations.
Information Security Program Requirements
Under the current rule, investment advisers are required to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments take this requirement a step further by requiring advisers to develop, implement, and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information.
The information security program must be appropriate to the adviser’s size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue. The information security program should be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or security holder who is a natural person. “Substantial harm or inconvenience” would include theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of the information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual’s account.
Elements of Information Security Plan
As part of their information security plan, advisers must:
o Designate in writing an employee or employees to coordinate the information security program;
o Identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information;
o Design and document in writing and implement information safeguards to control the identified risks;
o Regularly test or otherwise monitor and document in writing the effectiveness of the safeguards’ key controls, systems, and procedures, including the effectiveness of access controls on personal information systems, controls to detect, prevent and respond to attacks, or intrusions by unauthorized persons, and employee training and supervision;
o Train staff to implement the information security program;
o Oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing); and
o Evaluate and adjust their programs to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the institution knows or reasonably believes may have a material impact on the program.
Data Security Breach Responses
An adviser’s information security program must also include procedures for responding to incidents of unauthorized access to or use of personal information. Such procedures should include notice to affected individuals if misuse of sensitive personal information has occurred or is reasonably possible. Procedures must also include notice to the SEC in circumstances in which an individual identified with the information has suffered substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information.
The New Massachusetts Regulations
Effective January 1, 2010, Massachusetts will require businesses that store or use “personal information” about Massachusetts residents to implement comprehensive information security programs. Therefore, any investment adviser, whether state or federally registered and wherever located, that has just one client who is a Massachusetts resident must develop and implement information security measures. Similar to the requirements set forth in the proposed amendments to Regulation S-P, these measures must (i) be commensurate with the size and scope of their advisory business and (ii) contain administrative, technical and physical safeguards to ensure the security of such personal information.
As discussed further below, the Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or transmittal of personal information. These dual requirements recognize the challenge of conducting business in a digital world and reflect the manner in which most investment advisers presently conduct their advisory business.
Standards for Protecting Personal Information
The Massachusetts regulations are quite specific as to what measures are required when developing and implementing an information security plan. Such measures include, but are not limited to:
o Identifying and assessing internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information;
o Evaluating and improving, where necessary, current safeguards for minimizing risks;
o Developing security policies for employees who telecommute;
o Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such information;
o Obtaining from third-party service providers a written certification that such service provider has a written, comprehensive information security program;
o Inventorying paper, electronic and other records, computing systems and storage media, including laptops and portable devices used to store personal information to identify those records containing personal information;
o Regularly monitoring and auditing employee access to personal information in order to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information;
o Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information; and
o Documenting responsive actions and mandatory post-incident review.
The requirement to first identify and assess risks should be, by now, a familiar one to all SEC-registered investment advisers. The SEC made it abundantly clear in the “Compliance Rule” release that they expect advisers to conduct a risk assessment prior to drafting their compliance manual and to implement policies and procedures to specifically address those risks. The Massachusetts regulations provide an excellent framework for both the risk assessment and risk mitigation process by alerting advisers to five key areas to be addressed: (i) ongoing employee training; (ii) monitoring employee compliance with policies and procedures; (iii) upgrading information systems; (iv) storing records and data; and (v) improving means for detecting, preventing and responding to security failures.
That section of the Massachusetts regulations requiring businesses to retain only those service providers capable of maintaining adequate data safeguards should also be familiar to SEC-registered advisers. However, the additional requirement that a business obtain written certification that the service provider has a written, comprehensive information security program would be a new and valuable addition to an adviser’s information security procedures. Since the lack of compliance documentation is a common deficiency cited during SEC examinations, obtaining written certification from the service provider is an effective method by which an adviser can at once satisfy its compliance obligations and memorialize the compliance process.
One unique aspect of the new Massachusetts regulations is the recognition that a significant number of employees now spend at least some part of their working life telecommuting. This recognition should, in turn, translate into an awareness by advisers that their information security plan may be deficient if it does not adequately address this issue. The amount of personal information that can be stored (and lost) on the many portable electronic devices available to employees – be they laptops, smart phones or the next new gadget – should be enough to keep chief compliance officers awake at night. As mandated in the Massachusetts regulations, any proper telecommuting policy must first begin with a determination of whether and how an employee that telecommutes should be allowed to keep, access and transport data comprising personal information. Once these initial determinations have been made, advisers can develop appropriate policies and implement procedures to protect client information from ending up on the family computer with an unsecure wireless connection or on the laptop computer left in the back seat of a rental car.
Computer System Security Requirements
128-bit encryption. Secure user authentication protocols. Biometrics. Unique identifications plus passwords. To some advisers these terms and concepts are as familiar as mutual funds, financial plans and assets under management. To a great many other advisers, however, they represent an unknown and unknowable universe – as alien to the conduct of their advisory business as is day-trading to the “buy and hold” practitioner. Unfortunately for the technologically challenged, it will be necessary to become somewhat conversant with these concepts once the amendments to Regulation S-P are enacted.
The new Massachusetts regulations require that an information security program include security procedures that cover a company’s computer systems. These requirements are far more detailed and restrictive than anything in Regulation S-P, either in its current iteration or as proposed to be amended. Pursuant to the new Massachusetts law, any business that uses computers to store personal information about Massachusetts residents must, at a minimum, have the following elements in its information security program:
o Secure user authentication protocols including (i) control of user IDs and other identifiers;( (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;( (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;( (iv) restricting access to active users and active user accounts only; and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
o Secure access control measures that (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and((ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
o To the extent technically feasible, encrypt all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly;
o Reasonably monitor systems for unauthorized use of or access to personal information;
o Encrypt all personal information stored on laptops or other portable devices;
o For files containing personal information on a system that is connected to the Internet, install reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
o Install reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;
o Educate and train employees on the proper use of the computer security system and the importance of personal information security; and
o Restrict physical access to computerized records containing personal information, including a written procedure that sets forth the manner in which physical access to personal information is restricted.
As can be seen from the above list, what the Massachusetts regulations have generously provided to advisers is, in effect, a “shopping list” that they can take to their nearest computer consultant. Any investment adviser that read this litany of computer system security requirements and had an immediate adverse reaction would be well-advised to turn each of the above listed elements into a computer security checklist, find a reputable computer specialist and outsource the project to those people who have the expertise to equip your computer system with the requisite security capabilities.
The Massachusetts regulations may be viewed as setting forth “best practices” in the area of information storage, data protection and computer security. As most advisers already know, industry “best practices” have an unpleasant habit of quickly morphing into SEC expectations. Advisers should take advantage of the unique opportunity afforded by the Massachusetts regulations, as rarely do they receive such detailed guidance as to what “best practices” are in a given area of regulation. Nor are they often provided with such a clear picture of what the regulatory landscape will look like in their profession in the very near future. Therefore, it would be advantageous for advisers to compare their existing information security programs to the standards set forth in the new Massachusetts regulations and determine where their programs might benefit from incorporating one or more of these standards. While it may not be feasible for all advisers to invest in state-of-the-art computer security, all advisers could certainly benefit from understanding what updates can be made to improve their current information security policies and procedures.