While the Securities and Exchange Commission’s (SEC) proposed amendments to Regulation S-P await final rule status, the Commonwealth of Massachusetts has enacted sweeping new data security and identity theft legislation. At present, approximately 45 states have enacted some form of data security laws, but before Massachusetts passed its new legislation, only California had a statute that required all businesses to adopt a written information security program. Unlike California’s rather vague rules, however, the Massachusetts information security mandate is quite detailed as to what is required and carries with it the promise of aggressive enforcement and attendant monetary penalties for violations.
Because the new Massachusetts rules are a good indication of the direction of privacy-related regulation on the federal level, their impact is not limited solely to those investment advisers with Massachusetts clients. The similarities between the new Massachusetts data security laws and the proposed amendments to Regulation S-P afford advisers an excellent preview of their future compliance obligations as well as useful guidance when constructing their current data security and protection programs. All investment advisers would benefit from understanding the new Massachusetts regulations and should consider using them as the basis for updating their information security policies and procedures in advance of changes to Regulation S-P. This article provides an overview of both the proposed amendments to Regulation S-P and the new Massachusetts data storage and protection law and suggests ways that investment advisers can use the new Massachusetts rules to better prepare for the realities of a more exacting Regulation S-P.
Proposed Amendments to Regulation S-P
The SEC’s proposed amendments to Regulation S-P set forth more specific requirements for safeguarding personal information against unauthorized disclosure and for responding to information security breaches. These amendments would bring Regulation S-P more in line with the Federal Trade Commission’s Final Rule: Standards for Safeguarding Customer Information, currently applicable to state-registered advisers (the “Safeguards Rule”), and, as detailed below, with the new Massachusetts regulations.
Information Security Program Requirements
Under the current rule, investment advisers are required to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments take this requirement a step further by requiring advisers to develop, implement, and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information.
The information security program must be appropriate to the adviser’s size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue. The information security program should be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or security holder who is a natural person. “Substantial harm or inconvenience” would include theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of the information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual’s account.