While the Securities and Exchange Commission (SEC) has proposed changes to Regulation S-P, and the final status of that rule remains pending, the Commonwealth of Massachusetts has introduced sweeping new data security and identity theft laws. So far, about 45 states have passed a data security law, but before Massachusetts passed its new law, California alone had a law requiring all businesses to have a written security program. Unlike California’s rather vague rules, Massachusetts’ mandate for information security describes in detail what is needed and promises strict enforcement and associated penalties for violations.
Because the new Massachusetts rules are a good indicator of the direction of privacy regulation at the federal level, their impact is not limited to investment advisers with clients in Massachusetts. The similarities between Massachusetts’ new data security laws and the proposed changes to Regulation S-P give advisers an excellent preview of their future compliance obligations, as well as useful guidance for developing ongoing security and data protection programs. All investment advisers will benefit from understanding the new Massachusetts rules and should consider using them as a basis for updating their information security policies and procedures before the amendments to Regulation S-P are adopted. This article provides an overview of the proposed changes to Regulation S-P and the new Massachusetts Data Storage and Protection Act, as well as ways for investment advisers to use the new Massachusetts rules to better prepare for the reality of greater regulation.
Proposed changes to Regulation S-P
The SEC’s proposed changes to Regulation S-P include more specific requirements for protecting personal information from unauthorized disclosure and for responding to information security breaches. These changes would bring Regulation S-P closer to the Federal Trade Commission’s final rule, Standards for Safeguarding Customer Information, which currently applies to state-registered advisers (the ‘Safeguards Rule’), and, as described below, to the new Massachusetts rules.
Information security program requirements
Under the current rule, investment advisers must adopt written policies and procedures addressing administrative, technical and physical safeguards to protect client records and information. The proposed changes expand this requirement by requiring advisers to develop, implement and maintain a comprehensive ‘information security program’, including written policies and procedures that provide administrative, technical and physical safeguards to protect personal information and to ensure a response to unauthorized access to or use of personal information.
The information security program must be tailored to the size and complexity of the adviser, the nature and scope of its activities, and the sensitivity of any personal information at issue. The information security program should be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or security holder who is a natural person. ‘Substantial harm or inconvenience’ includes theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual’s account.
Elements of the information security plan
As part of their information security plan, consultants must:
o Designate in writing one or more employees to coordinate the information security program;
o Identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information;
o Evaluate and adjust their programs to reflect the results of testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the adviser knows or reasonably believes may have a material impact on the program.
Responding to data security breaches
The adviser’s information security program should also include procedures for responding to incidents of unauthorized access to or use of personal information. These procedures should include notifying the individuals whose sensitive personal information may have been misused. They should also include notifying the SEC in cases where an individual identified with the information has suffered substantial harm or inconvenience, or where an unauthorized person has intentionally obtained access to or used sensitive personal information.
New Massachusetts rules
Beginning January 1, 2010, Massachusetts requires companies that store or use “personal information” about Massachusetts residents to implement comprehensive information security programs. Therefore, any investment adviser, whether state- or federally registered and wherever located, that has even one client who is a Massachusetts resident must develop and implement such safeguards. Similar to the requirements set out in the proposed changes to Regulation S-P, these safeguards must (i) be appropriate to the size and scope of the advisory business and (ii) include administrative, technical and physical safeguards to ensure the security of that personal information.
As outlined below, the Massachusetts regulations set minimum requirements both for the protection of personal information generally and for the electronic storage or transmission of personal information. Both sets of requirements recognize the complexity of doing business in the digital world and reflect how most investment advisers currently conduct their advisory business.
The Massachusetts rules are quite specific about the steps required to develop and implement an information security program. These steps include, but are not limited to: