Data security and privacy continue to be the subject of new legislative and regulatory proposals and requirements. A number of initiatives recently have been proposed or enacted that are designed to protect consumers and their personal information. Many of these requirements likely will be satisfied by existing information security policies and procedures, but some may not be—particularly requirements relating to the encryption of certain electronic communications.
- Massachusetts Privacy Requirements. A new regulation effective March 1, 2010, requires businesses, wherever located, that possess personal information of Massachusetts residents to meet specified information security requirements including encryption of electronic communications containing such information.
- Privacy Notice Model Form. Federal regulatory agencies, including the Securities and Exchange Commission (“SEC”), have jointly issued a Final Model Privacy Form (the “Model Form”) for financial institutions to use to comply with their privacy notice obligations. Privacy notices based upon previously issued guidance remain adequate through Dec. 31, 2010, but the Model Form will be the only safe harbor for privacy notices issued after that date.
- Regulation S-AM. Regulation S-AM prohibits certain financial institutions from using information provided by affiliates to solicit consumers unless the consumers have been notified of the potential use of their personal information for marketing purposes and have been given an opportunity to opt out. Regulation S-AM will become effective June 1, 2010.
- Red Flags Rule. The Federal Trade Commission (“FTC”), federal bank regulatory agencies and the National Credit Union Administration have issued a rule seeking to prevent and combat identity fraud (the “Red Flags Rule”). The Red Flags Rule requires “financial institutions” and “creditors” that hold “covered accounts” to develop and implement identity theft prevention programs for new and existing accounts. Many private fund managers may not have the type of account that would subject them to the Red Flags Rule. The enforcement date of the Red Flags Rule is June 1, 2010.
Massachusetts Privacy Provisions
The Massachusetts Office of Consumer Affairs and Business Regulation has issued a new regulation, effective March 1, 2010, requiring businesses that possess personal information about Massachusetts residents to implement comprehensive information security programs to protect that information.1 The regulation applies to any business engaged in commerce that collects and retains personal information in connection with the provision of goods and services or in connection with employment. Personal information is defined as a Massachusetts resident’s first name (or initial) and last name in combination with such person’s social security number; driver’s license or state-issued identification card number; or financial account or credit/debit card number (with or without security access code).
The Massachusetts regulation requires businesses to have an information security program that is in writing and prescribes physical, administrative and technical safeguards, which can be found in Section 17.03 of the statute, available here. Two particular new procedures are noteworthy. First, the Massachusetts regulation requires encryption of personal information transmitted over public or wireless networks or stored on unsecured portable storage devices (such as notebook computers and portable USB or other drives).2 Second, the regulation requires that businesses that disclose personal information to service providers include privacy provisions to meet the regulation’s encryption and service provider contract requirements.3 Ultimately, the suitability of the safeguards for a particular firm will be judged based upon the size, scope and type of business, the resources available to it, and the amount and relative need for security of the type of information owned or licensed.4
To comply with these requirements, firms should: (1) identify all situations in which the firm comes into possession of personal information of Massachusetts residents; (2) identify any service providers that may receive such information in any electronic form including administrators, accountants, attorneys, custodians and placement agents; (3) provide for encryption of electronic communications containing personal information where applicable; and (4) confirm that all relevant service provider agreements contain privacy protection provisions as required.5
At the federal level, the SEC in 2008 proposed amendments to Regulation S-P that would, to some extent, overlap with the Massachusetts requirements.6 The proposed amendments would expand information security requirements for covered institutions, broaden the scope of information that requires safeguards and disposal, create more specific information safeguard requirements, require documented oversight of the sufficiency of service providers’ information security safeguards, establish requirements for security programs to respond to a security breach, and permit limited disclosure of investor information when an employee moves from one firm to another.
New Guidance for Fulfilling Privacy Notice Requirements
The 1999 Gramm-Leach-Bliley Act (“GLBA”) required financial institutions to provide “clear and conspicuous notice” to customers to disclose the institution’s privacy policies and their information sharing practices with affiliates with respect to customer information. The GLBA also required financial institutions that shared customer information with certain non-affiliated parties to provide those customers with “clear and conspicuous” notice of their right to opt out of that information being shared.7
The FTC and SEC adopted the “Privacy Rule” and Regulation S-P, respectively, which included “sample clauses” intended to function as guidance as to what constituted “clear and conspicuous” notice.8 Based on a concern that the notice under the “sample clauses” guidance was still insufficiently clear for consumers, Congress passed the Financial Services Regulatory Relief Act of 2006, amending the GLBA and requiring the agencies to issue a more comprehensive and succinct model notice.
The Model Form was issued on Nov. 17, 2009, by several federal regulatory agencies. The form will not be mandatory but will be the only safe harbor available for privacy notices issued after Dec. 31, 2010.9
The Model Form attempts to address concerns about consumer comprehension of privacy notices by using a table format with a standardized style. As a result of this standardization, the Model Form allows less flexibility in the content and format of the privacy notice document. In response to concerns over the inflexibility of the Model Form format, the joint agencies have stressed that the Model Form is not mandatory. Firms may elect to use other formats for privacy notices, including notices using the previously issued sample clauses or simplified notice, as long as the notice complies with the Privacy Rule and Regulation S-P.10 However, the previously issued sample clauses will be eliminated from the regulations and will no longer constitute a safe harbor.
Regulation S-AM
Effective June 1, 2010, Regulation S-AM will prohibit “covered persons” (including investment advisers) from using “eligibility information” provided by affiliates to solicit consumers using a “marketing solicitation” unless the consumer: (1) has previously received notice of the potential use of the information for marketing purposes; (2) was provided with a simple method and reasonable amount of time to opt out of allowing their information to be used for marketing purposes; and (3) did not opt out.11
“Eligibility information” includes credit or other information about the consumer that is used to determine eligibility for credit or insurance. A “marketing solicitation” means marketing of a product or service to a consumer based on eligibility information communicated by an affiliate of a “covered person” that is intended to encourage the consumer to obtain goods or services.
There are several exceptions that permit affiliates to use eligibility information to solicit consumers, including, among others, where a marketing solicitation is made to a consumer with whom the affiliate has a pre-existing business relationship. For situations not falling within an exception, the SEC has indicated that Regulation S-AM requirements for a “clear and conspicuous” notice and a “reasonable opportunity” for consumers to opt out from information sharing will be satisfied by using the privacy notice Model Form.
Red Flags Rule
The FTC’s Red Flags Rule requires certain entities to develop and implement policies and procedures to detect, prevent and mitigate identity theft.12 To determine whether the Red Flags Rule applies, a firm must first determine whether it is a “financial institution” or a “creditor.”13 Many private fund managers will not fall within the category of a financial institution as they do not maintain accounts for the purpose of making payments or transfers to third persons. However, an investment firm may be considered a creditor if it extends credit to its investors by, for example, billing retrospectively for advisory services.14
Even if a firm is a financial institution or a creditor, the Red Flags Rule does not apply unless the firm also maintains a “covered account.” There are two types of covered accounts. The first is a consumer account that is primarily for personal, family or household purposes to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan or bank account.15 Accounts used by private fund managers would not fall into this category.
The second type of covered account is any other account for which there is a reasonably foreseeable risk to the customer, or to the safety and soundness of the financial institution or creditor, of identity theft.16 The examples given by the FTC include small business accounts, sole proprietorship accounts or single transaction consumer accounts that may be vulnerable to identity theft. In determining whether any accounts would fall under this second type of covered account, firms should consider how accounts can be accessed (e.g., whether information can be obtained or funds transferred via the telephone or the Internet) and actual incidents of identity theft. Because there is often a low risk of identity theft at firms that only manage private investment funds, the Red Flags Rule may not typically apply to private fund managers.
Where the Red Flags Rule does apply, the FTC requires that the firm develop and implement a written Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with covered accounts.17 The program must be specifically tailored to the risks of the firm and approved by the firm’s board of directors or other governing body. The rule also requires financial institutions and creditors to periodically reassess their accounts to ensure that new accounts or new risks have not created new “covered accounts” subject to the Red Flags Rule.
* * *
The business of private investment fund management may present relatively low risk of identity theft or other misuse of personal information, but there are important federal and state requirements that may apply. In the past year the SEC has increased enforcement of Regulation S-P, bringing four cases charging violations of data security requirements.18 Compliance with these requirements should be part of every manager’s regularly updated policies and procedures.