On July 31, 2012, the Office of Inspector General released a report evaluating whether the staff of the Board of Governors of the Federal Reserve System (the “Board”) or the Federal Reserve Bank of New York “had knowledge of, or played a role in, the unauthorized disclosure of a confidential staff draft of the Volcker Rule notice of proposed rulemaking,” and assessing “the Board’s information-sharing practices.” In its conclusion, the report identified three recommendations for “improving information-sharing controls and procedures.”
Although these recommendations were made in the context of the Federal Reserve’s rulemaking activities, they provide a potentially useful guide to any organization for the control of sensitive information (e.g., preliminary earnings estimates or a potential acquisition).
The first recommendation was that the Board create information-sharing guidelines for distribution to participating agencies. The report noted that while federal banking agencies had developed “informal and customary practices for sharing and controlling sensitive information,” there were “no formal written agreements or controlling standards concerning the treatment of nonpublic information.” The report encouraged the development of such written guidelines as a way to “establish a common understanding for key terminology and expectations for the treatment of nonpublic information.”
The second recommendation was that the Board’s general counsel enhance user access controls on the Legal Division’s shared drive and ensure that materials were appropriately restricted on a need-to-know basis and limited to as few employees as possible. The report noted that non-public rule making (“NPRM”) drafts had been labeled as restricted but were stored on a shared network drive accessible to all employees in the Legal Division’s Banking Regulation and Policy Group, even though many of these employees (approximately 26 out of the 30 that had access) did not need access to NPRM drafts. The report recommended that restricted materials be shared only with authorized staff who need to know the information for official business.
The third recommendation was that the Information Technology director remind all Board employees of the Board’s encryption capabilities for transmitting e-mail communications and that the Board’s general counsel reiterate the need to use encryption methods when e-mailing restricted documents.
To summarize, the main recommendations of the report were: a) create written guidelines covering distribution and confidentiality; b) limit access via controls to ensure distribution of restricted information is on a “need-to-know” basis; and c) always use encryption for restricted information. All three recommendations would be good practice for any organization that transmits or stores sensitive information.
A copy of the report can be found here.