U.S. Securities and Exchange Commission Proposes to Expand Privacy Obligations for Regulated Entities
The United States Securities and Exchange Commission ("SEC") has recently proposed amendments that would toughen and expand the privacy obligations for entities subject to SEC regulations. These amendments would expand existing requirements and impose new obligations for safeguarding personal information, including how a regulated entity should respond to security breaches under Regulation S-P, 17 C.F.R. Part 248, which implements the privacy provisions of the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. Also, these proposed amendments would expand the application of Regulation S-P's disposal obligations to natural persons associated with brokers, dealers, SEC registered investment advisors, and SEC registered transfer agents, in addition to extending the safeguarding provisions to SEC registered transfer agents.
Security Breach Notice Obligations
The proposed amendments include specific requirements on how to respond to security breaches of sensitive personal information. "Sensitive personal information" is defined broadly and includes any record containing consumer report information or nonpublic personal information identified with any consumer, employee, investor, or security holder who is a natural person, whether in paper, electronic, or other form, or any combination thereof.
The notification obligations would be triggered if such information would allow an unauthorized person to use, log into, or access an individual's account or establish a new account using the individual’s identifying information, including the individual's:
(i) Social Security number; or
(ii) Name, telephone number, street address, email address, or online user name, in combination with the individual's account number, credit or debit card number, driver's license number, credit card expiration date or security code, mother’s maiden name, password, personal identification number, biometric record, or other authenticating information.
Under the SEC's proposal, covered entities that become aware of an incident of unauthorized access of sensitive personal information must promptly conduct an investigation to determine the likelihood of misuse of that information and must maintain a written record of such determination. If it is determined that misuse of the sensitive personal information has occurred or is reasonably possible, the covered entity would be required to notify each individual with whom the information is identified and provide specific information about the incident as outlined in the proposed amendments.
The proposed amendments would further require covered entities to notify the SEC of a security breach if there is a significant risk that the individuals might suffer substantial harm or inconvenience, or if an unauthorized person has intentionally obtained access to or used sensitive personal information.
New Exception to Opt-Out Requirements Relating to Transfers of Information
The SEC's proposed amendments would also affect the current provisions regarding the transfer of personal information. Currently, customers must be provided with an opportunity to opt out of any sharing of their personal information with unaffiliated third parties. The proposed amendments would provide an exception to this opt-out requirement by allowing the disclosure of certain personal information when a broker, dealer, or investment advisor registered with the SEC leaves the employ of one covered entity and joins another covered entity. In such a situation, the broker, dealer, or investment advisor may take to the new covered entity a customer's name, a general description of the type of account and products held by the customer, and the customer's contact information—including address, telephone number, and email, but not his or her account number, Social Security number, or securities positions—in order to solicit business from that customer. Customers would not have to be notified of this type of transfer of their personal information.
The proposed rule to amend Regulation S-P, along with the text of the proposal as it appears in the Federal Register, is available at http://www.sec.gov/rules/proposed.shtml. Public comments on the proposal will be accepted until May 12, 2008.
The SEC's proposed amendments are part of a flurry of recent legislative initiatives and subsequent media reports concerning breaches—and compromises—of personal data. The amendments signify a willingness of the SEC to directly regulate data breach notification in the absence of a comprehensive federal law. Also, these amendments would impose obligations on regulated entities that are in addition to data breach notifications under state laws. To date, 39 states and the District of Columbia have enacted data breach notification statutes. Regulated entities will need to review the final rule resulting from the SEC proposed amendments, as the notification triggers and obligations may vary from certain state requirements.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.