SEC Proposes To Expand Privacy Regulations
On March 4, 2008, the Securities and Exchange Commission (SEC) voted unanimously to propose amendments that would expand the privacy obligations for the institutions that the SEC regulates. The amendments would impose new obligations for safeguarding personal information, including how a regulated entity should respond to security breaches under Regulation S-P, which implements the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act.
The proposed changes to Regulation S-P include physical, technical and administrative safeguards, written policies and required responses to data security breach incidents. While the current rule requires a financial institution in the securities industry to adopt its own policies and procedures to comply with the GLBA, the proposed amendment would require the financial institution to create a more detailed “information security program” similar to programs required by other federal regulators. The information security program would designate an employee in charge of information security, identify anticipated threats and implement controls to address those threats. The amendment would also require staff training, regular testing and coordination with service providers to maintain the program’s effectiveness.
The SEC proposal would also broaden the type of information and persons covered by the SEC safeguards and disposal rules. The SEC proposes that both the safeguard and disposal rules protect “personal information,” which includes “nonpublic personal information” under the GLBA and “consumer report information” under the Fair and Accurate Credit Transactions Act. While “personal information” means personally identifiable financial information, “consumer report information” focuses on information generally contained in consumer reports. The SEC’s proposed amendments would also create new record-keeping and documentation requirements for policies and procedures to comply with the proposed regulation.
Another part of the proposal would create a new exception that would allow a broker who is changing firms to take limited personal contact information to the new firm in order to maintain relationships with clients. Under the current rules, if a broker leaves firm A for firm B, firm A is required to contact the broker’s customers. Clients then have the option of declining to have their contact information transferred. While such notice would no longer be required, the proposal would limit the kinds of information that could be disclosed. The shared information would not include the customer’s account number, Social Security number, or securities held in the account.
The comment period for the proposal will end 60 days from the date of publication of the proposed rule in the Federal Register.