While waiting for the Securities and Exchange Commission's (SEC) proposed amendments to Regulation S-P to be finalized, the Commonwealth of Massachusetts has adopted extensive new data security and identity theft regulations. At present, about 45 states have some form of data security law, but before Massachusetts acted, only California had a law requiring every company to adopt a written information security program. Unlike California's rather vague rules, though, the Massachusetts information security mandate is quite precise about what is required and carries the promise of aggressive enforcement and monetary penalties for violations.
Because the new Massachusetts regulations are a good indicator of where privacy-related regulation is heading at the federal level, their relevance is not limited to investment advisers with Massachusetts clients. Read together, the new Massachusetts data security law and the proposed amendments to Regulation S-P give advisers an excellent preview of their future compliance obligations, as well as useful guidance in evaluating their current data security and protection programs. All investment advisers would benefit from understanding the new Massachusetts rules and should consider using them as a basis for upgrading their security policies and procedures before the amendments to Regulation S-P take effect. This article provides an overview of both the proposed amendments to Regulation S-P and the new Massachusetts data storage and protection law, and suggests ways investment advisers can use the Massachusetts regulations to prepare for a more demanding Regulation S-P.
Proposed Changes to Regulation S-P
The SEC's proposed amendments to Regulation S-P set out specific requirements for protecting personal information against unauthorized disclosure and for responding to information security breaches. These changes would bring Regulation S-P more in line with the Federal Trade Commission's final rule, Standards for Safeguarding Customer Information (the “Safeguards Rule”), which currently governs state-registered advisers, and, as described below, with the new Massachusetts regulations.
Information Security Program Requirements
Under the current rules, investment advisers are required to adopt written policies and procedures addressing administrative, technical and physical safeguards for customer records and information. The proposed amendments take this requirement a step further by requiring advisers to develop, implement and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical and physical safeguards to protect personal information and to respond to unauthorized access to or use of personal information.
The information security program must be appropriate to the adviser's size and complexity, the nature and scope of its activities, and the sensitivity of the personal information at issue. The program must be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or security holder who is a natural person. “Substantial harm or inconvenience” would include theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual's account.
Elements of an Information Security Program
As part of the information security program, advisers would be required to:
o Designate in writing an employee or employees to coordinate the information security program;
o Identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information;
o Design and document in writing, and implement, safeguards to control the identified risks;
o Regularly test or otherwise monitor, and document in writing, the effectiveness of the safeguards' key controls, systems and procedures, including the effectiveness of access controls on personal information, controls to detect, prevent and respond to attacks or other unauthorized access, and employee training and supervision;
o Train staff to implement the information security program;
o Oversee service providers by taking reasonable steps to select and retain providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing); and
o Evaluate and adjust the program to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the adviser knows or reasonably believes may have a material impact on the program.
Data Security Breach Response
An adviser's information security program must also include procedures for responding to incidents of unauthorized access to or use of personal information. Such procedures must provide for notice to affected individuals if misuse of sensitive personal information has occurred or is reasonably possible. The procedures must also include notice to the SEC in circumstances where an individual identified with the information has suffered substantial harm or inconvenience, or where an unauthorized person has intentionally obtained access to or used sensitive personal information.
New Massachusetts regulations
Effective 1 January 2010, Massachusetts will require businesses that store or use the “personal information” of Massachusetts residents to implement a comprehensive information security program. Therefore, any investment adviser, whether state or federally registered and wherever located, that has even one client who is a Massachusetts resident must develop and implement information security measures. Similar to the requirements in the proposed amendments to Regulation S-P, these measures must (i) be consistent with the size and scope of the advisory business and (ii) contain administrative, technical and physical safeguards to ensure the security of such personal information.
As discussed below, the Massachusetts regulations set out minimum requirements both for protecting personal information generally and for its electronic storage or transmission. These dual requirements recognize the challenge of doing business in a digital world and reflect the way most investment advisers currently conduct their advisory business.
Standards for the Protection of Personal Information
The Massachusetts regulations are quite specific about what is required in developing and implementing an information security program. The required measures include, but are not limited to:
o Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information;
o Evaluating and improving, where necessary, existing safeguards for limiting those risks;
o Developing security policies for employees who telecommute;
o Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such information;
o Obtaining from third-party service providers written certification that they have a written, comprehensive information security program;
o Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, used to store personal information, in order to identify which records contain personal information;
o Regularly monitoring and reviewing employee access to personal information to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal information;
o Reviewing the scope of the security measures at least annually, or whenever there is a material change in business practices that may implicate the security or integrity of records containing personal information; and
o Documenting responsive actions taken in connection with any security incident, and conducting a mandatory post-incident review.
The requirement first to identify and assess risks should by now be familiar to all SEC-registered investment advisers. In adopting the “Compliance Rule,” the SEC made it abundantly clear that it expects advisers to conduct a risk assessment when preparing a compliance manual and to implement policies and procedures that specifically address those risks. The Massachusetts regulations provide an excellent framework for both the risk assessment and the risk mitigation process by alerting advisers to five main areas to address: (i) ongoing employee training; (ii) monitoring employee compliance with policies and procedures; (iii) upgrading information systems; (iv) storing records and data; and (v) improving the means of detecting, preventing and responding to security failures.
The Massachusetts requirement that firms retain only those service providers who can maintain adequate data security measures should also be familiar to SEC-registered advisers. However, the additional requirement that firms obtain written certification that the service provider has a written, comprehensive information security program is a new and important addition to an adviser's information security procedures. Since a lack of supporting documentation is a common deficiency cited in SEC examinations, obtaining written certification from a service provider is an effective way for an adviser both to satisfy the compliance obligation and to memorialize the compliance process.
One unique aspect of the new Massachusetts regulations is the recognition that a significant number of employees now spend at least some part of their working time telecommuting. This recognition should, in turn, translate into an awareness that an adviser's information security plan may be inadequate if it does not address this situation. The amount of personal information that can be stored (and lost) on the many portable electronic devices available to employees, be they laptops, smart phones or the next new gadget, should be enough to keep a chief compliance officer awake at night. As the Massachusetts regulations mandate, any sound telecommuting policy must begin by determining whether and how telecommuting employees should be allowed to keep, access and transport records containing personal information. Once these initial decisions have been made, advisers can develop appropriate policies and implement methods to keep client information from ending up on a family computer using an insecure wireless connection, or on a laptop left on the back seat of a car.
Computer System Safety
128-bit encryption. Secure authentication protocols. Biometrics. Unique identifiers plus passwords. To some advisers these terms and concepts are as familiar as mutual funds, budgeting and assets under management. To a great many other advisers, though, they represent an unknown and unknowable universe, as alien to the operation of an advisory firm as day trading is to a “buy and hold” expert. Whatever the technical challenge, it will be necessary to become at least somewhat familiar with these concepts when the amendments to Regulation S-P are adopted.
The new Massachusetts regulations require that an information security program include security procedures covering the firm's computer systems. These requirements are more detailed and prescriptive than anything in Regulation S-P, either in its current form or as proposed to be amended. Under the new Massachusetts rules, any firm that uses computers to store personal information about Massachusetts residents must include at least the following elements in its information security program:
o Secure user authentication protocols, including (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or the use of unique identifier technologies such as biometrics or token devices; (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only; and (v) blocking access to a user identification after multiple unsuccessful attempts to gain access, or placing limitations on access for the particular system;
o Secure access control measures that (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and (ii) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, reasonably designed to maintain the integrity of the security of the access controls;
o To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly;
o Reasonable monitoring of systems for unauthorized use of or access to personal information;
o Encryption of all personal information stored on laptops or other portable devices;
o For files containing personal information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;
o Reasonably up-to-date versions of system security agent software that includes malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;
o Education and training of employees on the proper use of the computer security system and the importance of personal information security; and
o Restrictions on physical access to computer files containing personal information, including a written procedure that sets out the manner in which physical access to personal information is restricted.
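To make the user authentication and access control items above concrete, here is an added example (not from the regulations or this article) of a small Python user store that keeps passwords only as salted PBKDF2 hashes, enforces unique user IDs, rejects a constructed list of vendor-default passwords, refuses inactive accounts, and blocks an ID after a constructed limit of five failed attempts.

```python
import hashlib
import hmac
import os

# Constructed policy values for this example; the regulation fixes no numbers.
MAX_FAILED_ATTEMPTS = 5
VENDOR_DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456"}
PBKDF2_ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    # The stored form is a salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthStore:
    def __init__(self):
        self._users = {}  # user_id -> record dict

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            raise ValueError("user IDs must be unique")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise ValueError("vendor-supplied default passwords are not allowed")
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": _derive(password, salt),
                                "active": True, "failures": 0, "locked": False}

    def deactivate(self, user_id: str) -> None:
        # Access is restricted to active accounts only.
        self._users[user_id]["active"] = False

    def is_locked(self, user_id: str) -> bool:
        return self._users[user_id]["locked"]

    def authenticate(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None or not rec["active"] or rec["locked"]:
            return False
        # Constant-time comparison of the derived hash against the stored one.
        if hmac.compare_digest(rec["hash"], _derive(password, rec["salt"])):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True  # block the ID after repeated failures
        return False
```

A production system would also persist the records and log each lockout so the monitoring requirement above can be met.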
As can be seen from the list above, what the Massachusetts regulations have generously provided advisers is, in effect, a “shopping list” they can take to their next meeting with a computer consultant. Any investment adviser who read this litany of computer system security measures and had an immediate adverse reaction would be well advised to turn each of the elements listed above into a computer security checklist, find a reputable computer expert, and outsource the project to someone with the knowledge to equip the firm's computer systems with the necessary security capabilities.
The Massachusetts regulations can be viewed as setting out “best practices” in the areas of information storage, data protection and computer security. As most advisers already know, industry “best practices” have an unpleasant habit of quickly morphing into SEC expectations. Advisers should take advantage of the unique opportunity the Massachusetts regulations provide, since they rarely receive such detailed instructions on what constitutes “best practices” in a given area of regulation. Nor do they often have such a clear picture of what the regulatory landscape for their business will look like in the very near future. Advisers would do well to compare their current information security plans against the standards set out in the new Massachusetts regulations and determine where their programs might benefit from incorporating one or more of those standards. While it may not be feasible for every adviser to invest in state-of-the-art computer security, all advisers could certainly benefit from understanding what upgrades they can make to improve their current information security policies and procedures.