There have been some recent developments in state and federal privacy regulation.
Massachusetts Privacy Regulations
The Massachusetts information security regulations, which were scheduled to become effective on May 1, 2009, have received a significant amount of attention because they impose more stringent, comprehensive and specific data security standards than currently required by other federal and state regulations. As discussed in our previous article on the topic (“Recent Developments in State Regulations Affecting Protection of Personal Information,” published in our December 2008 Investment Management Developments available at http://www.drinkerbiddle.com/dec08imgdevelopments/), these regulations require every “person” (including natural persons, corporations and other legal entities) that “owns, licenses, stores or maintains personal information” about a Massachusetts resident to develop and implement a comprehensive written information security program. The regulations would impact mutual funds and their service providers that collect information about Massachusetts residents.
The most recent amendments to these regulations address certain industry concerns. First, the Massachusetts Office of Consumer Affairs & Business Regulation recently extended the deadline for compliance with its new information security regulations from May 1, 2009, to January 1, 2010, thereby giving the industry more time to comply. The amendments also eliminated the requirement that persons subject to the regulations obtain a written certification of compliance from third-party service providers to which they grant access to “personal information” of a Massachusetts resident. Instead, the amendments require that persons subject to the regulations take “all reasonable steps” to ensure that third-party service providers are protecting personal information at least as stringently as the Massachusetts information security regulations require. Finally, the amendments clarified that the data encryption requirement relating to wirelessly transmitted data applies only to personal information. Prior to this clarification, the information security regulations could have been read to apply the data encryption requirement to all wirelessly transmitted data.
Federal Privacy Regulations
The SEC proposed amendments to Regulation S-P in 2008 that would impose more specific standards for the safeguarding of customer information, including specific requirements that apply when data security breaches occur. The proposed amendments would also broaden the scope of information covered by the regulation. Briefly, these amendments would require a covered institution to: 1) identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information or personal information systems; 2) design, document and implement information safeguards to control the identified security risks; and 3) regularly test, monitor and document the effectiveness of the safeguards’ key controls, systems and procedures.
Although the SEC’s proposed Regulation S-P amendments have not yet been adopted, comments recently submitted on the proposed amendments raise various industry concerns, including: provision for a sufficient compliance period, clarification of the proposed rule’s testing requirements, clarification of issues surrounding unauthorized access and breach notices, and the costs associated with investment adviser compliance.