There have been recent developments in federal and state privacy regulation. The following updates our ongoing coverage of the topic, first described in our article, “Recent Developments in State Regulations Affecting Protection of Personal Information,” published in the December 2008 Investment Management Developments (available at http://www.drinkerbiddle.com/dec08imgdevelopments/) and most recently described in our article, “Update on Massachusetts’ and Federal Information Security Regulations,” published in the May 2009 Investment Management Developments (available at http://www.drinkerbiddle.com/imgdev0509/).
Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act
The SEC reopened the public comment period on a proposal for a model privacy form that had been introduced in March 2007, so that it could solicit public comment on the results of recent consumer testing to evaluate the form. The proposed amendments would, if adopted, create a safe harbor for a model privacy notice form that financial institutions may use to provide disclosures required under the privacy rules adopted by agencies of the federal government that supervise financial services firms pursuant to Section 504 of the Gramm-Leach-Bliley Act (GLB).
In 2007, these agencies proposed amendments to their rules that implement the privacy provisions of GLB. These rules require financial institutions, including investment companies, to provide initial and annual privacy notices to their customers. The proposed amendments would accommodate the use of a specified, short-form model privacy notice. The SEC’s version of the form is Model Form S-P. Institutions that elect to use the proposed short-form notice would be given “safe harbor” status under the federal privacy rules, which is not currently provided for institutions that use the sample clauses in Appendix A of Regulation S-P. The “safe harbor” status would mean that they would be deemed to be in compliance with the rules. As proposed, use of the form would be voluntary, and funds could continue to use their more detailed privacy notices.
The Proposed Rule reopening the comment period can be found at http://www.sec.gov/rules/proposed/2009/34-59769.pdf.
The Proposed Rule describing the form in further detail can be found at http://www.sec.gov/rules/proposed/2007/34-55497.pdf.
The Model Form S-P would modify Regulation S-P, but should not be confused with the more comprehensive overhaul of Regulation S-P in the proposed rule issued by the SEC on March 4, 2008, discussed previously in the May 2009 Investment Management Developments (link provided above).
Massachusetts Proposes Revised Privacy Regulations
The Massachusetts Office of Consumer Affairs and Business Regulation recently published for comment a second set of proposed revisions to the Massachusetts Data Privacy Standards. The standards require every “person” (including natural persons, corporations and other legal entities such as investment companies and their service providers) that “owns, licenses, stores or maintains personal information” about a Massachusetts resident to develop and implement a comprehensive written information security program. Many in the mutual fund industry, including the ICI, have raised concerns that these privacy standards are much more onerous, comprehensive and specific than other federal and state regulations.
The proposed Massachusetts revisions address certain of these industry concerns. The proposed revisions largely track the SEC’s proposed revisions to Regulation S-P, which would require funds to have, maintain and monitor a comprehensive information security program to protect personal information. In contrast to the existing Massachusetts standards, however, the proposed revisions:
- Take a “risk-based” approach to maintaining data security under which a business, in developing a written security program, should take into account its size, the nature of its business, the kind of records it maintains, and the risk of identity theft posed by its operations;
- Increase the flexibility with which a service provider can comply with the privacy standards by treating as “guidance” a number of specific requirements that were previously required to be included in a business’s written information security program;
- Are technology neutral and apply a technical feasibility test to all computer security requirements; and
- Require that any third-party service provider to a fund contractually agree to implement and maintain appropriate security measures for personal information.
This risk-based approach is consistent with the federal privacy rules. The new flexibility with respect to compliance with specific requirements is intended to strike a fair balance between consumer protections and business realities by recognizing that the size of a firm and the amount of personal information it handles play a role in the data security plan the firm creates. The easing of the technology requirements is an attempt to respond to industry concerns that firms would incur significant costs to modify their technology systems to comply with the rule. Instead, firms will incorporate a technology feasibility test to determine whether technology modifications would be required.
The compliance deadline for all provisions has been extended from January 1, 2010, to March 1, 2010, thereby giving the industry more time to comply. A hearing on the proposed revisions was held on September 22, 2009.
A copy of the proposed revisions, a notice of the public hearing, a press release announcing their publication, and a “Frequently Asked Questions” explaining the proposed revisions and their scope can be found at http://www.ici.org/pdf/23720.pdf (accessible with an ICI password).