Securities and Exchange Commission - Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information

SECURITIES AND EXCHANGE COMMISSION
17 CFR PART 248
Release Nos. 34-57427; IC-28178; IA-2712; File No. S7-06-08
RIN 3235-AK08
Part 248 – Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
SUMMARY: The Securities and Exchange Commission (“Commission”) is proposing amendments to Regulation S-P, which implements certain provisions of the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”) for entities regulated by the Commission. The proposed amendments would set forth more specific requirements for safeguarding information and responding to information security breaches, and broaden the scope of the information covered by Regulation S-P’s safeguarding and disposal provisions. They also would extend the application of the disposal provisions to natural persons associated with brokers, dealers, investment advisers registered with the Commission (“registered investment advisers”) and transfer agents registered with the Commission (“registered transfer agents”), and would extend the application of the safeguarding provisions to registered transfer agents. Finally, the proposed amendments would permit a limited transfer of information to a nonaffiliated third party without the required notice and opt out when personnel move from one broker-dealer or registered investment adviser to another.
DATES: Comments must be received on or before May 12, 2008.
ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments:
• Use the Commission’s Internet comment form
• Send an e-mail to rule-comments@sec.gov. Please include File Number S7-06-08 on the subject line; or
• Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.
Paper Comments:
• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-06-08. This file number should be included on the subject line if e-mail is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and copying in the Commission’s Public Reference Room, 100 F Street, NE, Washington, DC 20549, on official business days between the hours of 10:00 am and 3:00 pm. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.
FOR FURTHER INFORMATION CONTACT: Catherine McGuire, Chief Counsel, or Brice Prince, Special Counsel, Office of the Chief Counsel, Division of Trading and Markets, (202) 551-5550; or Penelope Saltzman, Acting Assistant Director, or Vincent Meehan, Senior Counsel, Office of Regulatory Policy, Division of Investment Management, (202) 551-6792, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission today is proposing amendments to Regulation S-P[1] under Title V of the GLBA,[2] the FCRA,[3] the Securities Exchange Act of 1934 (the “Exchange Act”),[4] the Investment Company Act of 1940 (the “Investment Company Act”),[5] and the Investment Advisers Act of 1940 (the “Investment Advisers Act”).[6]

[1] 17 CFR Part 248. Unless otherwise noted, all references to rules under Regulation S-P will be to Part 248 of the Code of Federal Regulations (17 CFR 248).
[2] 15 U.S.C. 6801-6827.
[3] 15 U.S.C. 1681w.
[4] 15 U.S.C. 78a.
[5] 15 U.S.C. 80a.
[6] 15 U.S.C. 80b.

TABLE OF CONTENTS
I. BACKGROUND
   A. Statutory Requirements and Current Regulation S-P Mandates
   B. Challenges Posed by Information Security Breaches
II. DISCUSSION
   A. Information Security and Security Breach Response Requirements
   B. Scope of the Safeguards and Disposal Rules
   C. Records of Compliance
   D. Exception for Limited Information Disclosure When Personnel Leave Their Firms
III. GENERAL REQUEST FOR COMMENTS
IV. PAPERWORK REDUCTION ACT
V. COST-BENEFIT ANALYSIS
VI. INITIAL REGULATORY FLEXIBILITY ANALYSIS
VII. CONSIDERATION OF BURDEN ON COMPETITION AND PROMOTION OF EFFICIENCY, COMPETITION AND CAPITAL FORMATION
VIII. SMALL BUSINESS REGULATORY ENFORCEMENT FAIRNESS ACT
IX. STATUTORY AUTHORITY
X. TEXT OF PROPOSED RULES AND RULE AMENDMENTS

I. BACKGROUND

A. Statutory Requirements and Current Regulation S-P Mandates

Subtitle A of Title V of the GLBA requires every financial institution to inform its customers about its privacy policies and practices, and limits the circumstances in which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party without first giving the consumer an opportunity to opt out of the disclosure.[7] In enacting the legislation, Congress also specifically directed the Commission and other federal financial regulators to establish and implement information safeguarding standards requiring financial institutions subject to their jurisdiction to adopt administrative, technical and physical information safeguards.[8] The GLBA specified that these standards were to “insure the security and confidentiality of customer records and information,” “protect against any anticipated threats or hazards to the security or integrity” of those records, and protect against unauthorized access to or use of those records or information, which “could result in substantial harm or inconvenience to any customer.”[9]

[7] See 15 U.S.C. 6802(a) and (b). The GLBA and Regulation S-P draw a distinction between “consumers” and “customers.” A “consumer” is defined in Section 3(g)(1) of Regulation S-P to mean an individual who obtains a financial product or service that is to be used primarily for personal, family, or household purposes. See 17 CFR 248.3(g)(1). A “customer” is defined in Section 3(j) of Regulation S-P as a consumer who has a continuing relationship with the financial institution. See 17 CFR 248.3(j). The distinction between customer and consumer determines the notices that a financial institution must provide. Pursuant to Sections 4 and 5 of Regulation S-P, a financial institution must provide customers with an initial notice describing the institution’s privacy policies when a customer relationship is formed and at least annually throughout the customer relationship. In contrast, if a consumer is not a customer, a financial institution must only provide a notice if it intends to share nonpublic personal information about the consumer with a nonaffiliated third party (outside of certain exceptions). See 17 CFR 248.4 and 248.5.
[8] The GLBA directed the Commission, the Federal Trade Commission (“FTC”) and state insurance authorities to implement the safeguarding standards by rule. See 15 U.S.C. 6805(b)(2). The GLBA directed the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (“FDIC”) and the Office of Thrift Supervision (collectively, the “Banking Agencies”) and the National Credit Union Administration (“NCUA”) to implement the safeguarding standards by regulation or by guidelines. See 15 U.S.C. 6805(b)(1).
[9] 15 U.S.C. 6801(b).

In response to these directives, we adopted Regulation S-P in 2000.[10] Section 30(a) of Regulation S-P (the “safeguards rule”) requires institutions to safeguard customer records and information,[11] while other sections of the regulation implement the notice and opt out provisions of the GLBA.[12] The safeguards rule currently requires institutions to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information. The safeguards must be reasonably designed to meet the GLBA’s objectives.[13] This approach provides flexibility for institutions to safeguard customer records and information in accordance with their own privacy policies and practices and business models. The safeguards rule and the notice and opt out provisions currently apply to brokers, dealers, registered investment advisers, and investment companies.[14]

[10] See Privacy of Consumer Financial Information (Regulation S-P), Exchange Act Release No. 42974, Investment Company Act (“ICA”) Release No. 24543, Investment Advisers Act (“IAA”) Release No. 1883 (June 22, 2000), 65 FR 40334 (June 29, 2000). Pursuant to the GLBA directive, Regulation S-P is consistent with and comparable to the financial privacy rules adopted by other federal financial regulators in 2000. See FTC, Privacy of Consumer Financial Information, 65 FR 33646 (May 24, 2000); Banking Agencies, Privacy of Consumer Financial Information, 65 FR 35162 (June 1, 2000); and NCUA, Privacy of Consumer Financial Information; Requirements for Insurance, 65 FR 31722 (May 18, 2000). See also 15 U.S.C. 6804(a)(2) (directing federal financial regulators to consult and coordinate to assure, to the extent possible, that each agency’s regulations are consistent and comparable with the regulations prescribed by the other agencies). In 2001, we amended Regulation S-P to permit futures commission merchants and introducing brokers that are registered by notice as broker-dealers in order to conduct business in security futures products under Section 15(b)(11)(A) of the Exchange Act (“notice-registered broker-dealers”) to comply with Regulation S-P by complying with financial privacy rules that the Commodity Futures Trading Commission (“CFTC”) adopted that year. See 17 CFR 248.2(b); Registration of Broker-Dealers Pursuant to Section 15(b)(11) of the Securities Exchange Act of 1934, Exchange Act Release No. 44730 (Aug. 21, 2001), 66 FR 45138 (Aug. 27, 2001); see also CFTC, Privacy of Consumer Financial Information, 66 FR 21236 (Apr. 27, 2001).
[11] 17 CFR 248.30(a).
[12] See 17 CFR 248.1-248.18. As described above, the GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the Commission, and investment companies to provide an annual notice of their privacy policies and practices to their customers (and notice to consumers before sharing their nonpublic personal information with nonaffiliated third parties outside certain exceptions). See supra note 7; 15 U.S.C. 6803(a); 17 CFR 248.4; 17 CFR 248.5. In general, the privacy notices must describe the institutions’ policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties. 15 U.S.C. 6803; 17 CFR 248.6. The notices also must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties. 15 U.S.C. 6802(b); 17 CFR 248.7. (The privacy notice also must provide, where applicable under the FCRA, a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.) Sections 13, 14, and 15 of Regulation S-P (17 CFR 248.13, 17 CFR 248.14, and 17 CFR 248.15) set out exceptions from these general notice and opt out requirements under the GLBA. Section 13 includes exceptions for sharing information with other financial institutions under joint marketing agreements and with certain service providers. Section 14 includes exceptions for sharing information for everyday business purposes, such as maintaining or servicing accounts. Section 15 includes exceptions for disclosures made with the consent or at the direction of a consumer, disclosures for particular purposes such as protecting against fraud, disclosures to consumer reporting agencies, and disclosures to law enforcement agencies. In March 2007, the Commission, together with the Banking Agencies, the CFTC, the FTC, and the NCUA, published for public comment in the Federal Register a proposed model privacy form that financial institutions could use for their privacy notices to consumers required by the GLBA. See Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act, Exchange Act Release No. 55497, IAA Release No. 2598, ICA Release No. 27755 (Mar. 20, 2007), 72 FR 14940 (Mar. 29, 2007) (“Interagency Model Privacy Form Proposal”).
[13] Specifically, the safeguards must be reasonably designed to insure the security and confidentiality of customer records and information, protect against anticipated threats to the security or integrity of those records and information, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. See supra note 9 and accompanying text.
[14] Regulation S-P applies to investment companies as the term is defined in Section 3 of the Investment Company Act (15 U.S.C. 80a-3), whether or not the investment company is registered with the Commission. See 17 CFR 248.3(r). Thus, a business development company, which is an investment company but is not required to register as such with the Commission, is subject to Regulation S-P. In this release, institutions to which Regulation S-P currently applies, or to which the proposed amendments would apply, are sometimes referred to as “covered institutions.”

Pursuant to the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), the Commission amended Regulation S-P in 2004 to protect against the improper disposal of consumer report information.[15] Section 30(b) of Regulation S-P (the “disposal rule”) currently applies to the institutions subject to the other provisions of Regulation S-P, except that it excludes notice-registered broker-dealers and includes registered transfer agents.

[15] 17 CFR 248.30(b). Section 216 of the FACT Act amended the FCRA by adding Section 628 (codified at 15 U.S.C. 1681w), which directed the Commission and other federal financial regulators to adopt regulations for the proper disposal of consumer information, and provides that any person who maintains or possesses consumer information or any compilation of consumer information derived from a consumer report for a business purpose must properly dispose of the information. See Disposal of Consumer Report Information, Exchange Act Release No. 50781, IAA Release No. 2332, ICA Release No. 26685 (Dec. 2, 2004), 69 FR 71322 (Dec. 8, 2004) (“Disposal Rule Adopting Release”). When we adopted the disposal rule, we also amended Regulation S-P to require that the policies and procedures institutions must adopt under the safeguards rule be in writing. The disposal rule requires transfer agents registered with the Commission, as well as brokers and dealers other than notice-registered broker-dealers, investment advisers registered with the Commission, and investment companies that maintain or possess “consumer report information” for a business purpose, to take “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” In order to provide clarity, the Disposal Rule Adopting Release included five examples intended to provide guidance on disposal measures that would be deemed reasonable under the disposal rule. See Disposal Rule Adopting Release at section II.A.2.

B. Challenges Posed by Information Security Breaches

In recent years, we have become concerned with the increasing number of information security breaches that have come to light and the potential for identity theft and other misuse of personal financial information. Once seemingly confined mainly to commercial banks and retailers, this problem has spread throughout the business community, including the securities industry.[16] In the last two years, we have seen a significant increase in information security breaches involving institutions we regulate. Perhaps most disturbing is the increase in incidents involving the takeover of online brokerage accounts, including the use of the accounts by foreign nationals as part of “pump-and-dump” schemes.[17] The financial services sector also is a popular target for online targeted attacks, and “phishing” attacks in which fraudsters set up an Internet site designed to mimic a legitimate site and induce random Internet users to disclose personal information.[18] In other recent incidents, registered representatives of broker-dealers disposed of information and records about clients or prospective clients in accessible areas, from which journalists were able to remove them. Sensitive securities-related data also has been lost or stolen as a result of other incidents.[19]

[16] See Press Release, NASD, NASD Warns Investors to Protect Online Account Information, Brokerages Also Reminded of Obligation to Protect Customer Information from New Threats (last visited Nov. 6, 2007). See also In re NEXT Financial Group, Inc., Exchange Act Release No. 56316 (Aug. 24, 2007), http://www.sec.gov/litigation/admin/2007/34-56316.pdf, and Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934 (Aug. 24, 2007) (alleging violations of the notice and opt out provisions of Regulation S-P and the safeguards rule in connection with recruiting registered
[17] While some account takeovers may have been facilitated by investors failing to take adequate precautions against security threats such as “keylogger” programs and “phishing” attacks, many online brokerage firms have successfully reduced their exposure to account takeovers by improving their authentication and monitoring procedures. The Commission has been active in this area, and has brought several enforcement cases involving defendants in foreign jurisdictions. See, e.g., Litigation Release No. 20037 (Mar. 12, 2007), available at
participating in an alleged fraudulent scheme to manipulate the prices of at least fourteen securities through the unauthorized use of other people’s online brokerage accounts); and Litigation Release No. 19949 (Dec. 19, 2006), available at
complaint alleged an Estonia-based account intrusion scheme that targeted online brokerage accounts in the U.S. to manipulate the markets).
[18] In 2006, Symantec Corporation, a seller of information security and information management software, reported that in the first half of 2006, 84 percent of tracked phishing sites targeted the financial sector and 9 of the top 10 brands phished this period were from the financial sector. Because the financial services sector is a logical target for attackers increasingly motivated by financial gain, that sector was also the second most frequent target of Internet-based attacks (after home users). See Symantec, Symantec Internet Security Threat Report, Trends for January 06–
whitepaper_symantec_internet_security_threat_report_x_09_2006.en-us.pdf (last visited Nov. 6, 2007) (“Symantec September 2006 Internet Security Threat Report”). Reportedly, employees of financial services firms “are increasingly being invited to visit Web sites or download programs by people pretending to be colleagues or peers,” followed by attack programs on the sites or in downloads that “then open tunnels into the corporate network.” More recently, although financial services-related spam reportedly “made up 21 percent of all spam in the first six months of 2007, making it the second most common type of spam during this period,” there was a 30-percent decline in stock market “pump and dump” spam “due to a decline in spam touting penny stocks that was triggered by actions taken by the United States Securities and Exchange Commission, which limited the profitability of this type of spam by suspending trading of the stocks that are touted.” See Symantec, Symantec Internet Security Threat Report, Trends for January–June 07,
whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf (last visited Nov. 6, 2007) (citing Commission Press Release 2007-34, SEC Suspends Trading Of 35 Companies Touted In Spam Email Campaigns (Mar. 8, 2007), available at http://www.sec.gov/news/press/2007/2007-34.htm).
[19] For example, in April 2005, a shipping company lost a computer backup tape containing account information for more than 200,000 broker-dealer customers. The broker-dealer voluntarily notified its affected customers, although the data was compressed and the tape was thought to have been destroyed. In December 2005, a laptop computer containing unencrypted information that included names and account numbers of 158,000 customers and the names and Social Security numbers of 68,000 adviser personnel was stolen from a registered investment adviser, and in March 2006, a laptop computer containing the names, addresses, Social Security numbers, dates of birth, and other employment-related information of as many as 196,000 retirement plan participants was stolen from a benefits plan administration subsidiary of a registered investment adviser. In both cases, the laptops were taken from vehicles by thieves who appear to have stolen them for their value as computer hardware rather than for the information contained on them. The registered investment adviser voluntarily notified the more than 200,000 clients and financial advisers whose information was compromised, while the benefits plan administrator voluntarily notified the nearly 200,000 retirement plan participants whose information was compromised, and offered to pay for a year of credit monitoring for each of them.

Many firms in the securities industry are aware of these problems and have appropriate safeguards in place to address them.[20] We are concerned, however, that some firms do not regularly reevaluate and update their safeguarding programs to deal with these increasingly sophisticated methods of attack.[21] For this reason, and in light of the increase in reported security breaches and the potential for identity theft among the institutions we regulate, we believe that our previous approach, requiring safeguards that must be reasonably designed to meet the GLBA’s objectives, merits revisiting.[22]

[20] Some institutions regulated by the Commission have already taken steps to strengthen their policies and procedures for safeguarding investors’ information, such as by offering investors the use of password-generating tokens for online brokerage accounts. We also note that some firms have been sharing information about suspicious activity with one another for the purpose of combating identity theft. To the extent it might involve sharing nonpublic personal information about consumers of the firms, Regulation S-P does not prohibit such information sharing because Section 15(a)(2)(ii) of Regulation S-P permits firms to disclose nonpublic personal information to a nonaffiliated third party for the purpose of protecting against fraud without first giving consumers notice of and an opportunity to opt out of the disclosures.
[21] According to a September 2007 report from Deloitte Touche Tohmatsu, for example, 37 percent of 169 surveyed financial institutions do not have an information security strategy in place, and 33 percent of these institutions do not conduct vulnerability testing, or only do so on an ad hoc basis. See Deloitte Touche Tohmatsu, 2007 Global Security Survey, at 12, 36 (Sept. 2007),
.pdf (last visited Nov. 6, 2007).
[22] In 2004 we sought comment on whether to revise our safeguards rule to require institutions to address certain elements in designating their safeguarding policies and procedures. See Disposal of Consumer Report Information, Exchange Act Release No. 50361, IAA Release No. 2293, ICA Release No. 20596 (Sept. 14, 2004), 69 FR 56304 (Sept. 20, 2004) (“Disposal Rule Proposing Release”), at section II.B. At that time we decided not to revise the safeguards rule, but noted we would consider the comments we received in the event we proposed any amendment to the rule. See Disposal Rule Adopting Release, supra note 15, at section II.B. See also infra note 31.

We also are concerned that while the information protected under the safeguards rule and the disposal rule includes certain personal information, it does not include other information that could be used to access investors’ financial information if obtained by an unauthorized user. Finally, we want to address other issues under Regulation S-P that have come to our attention, including the application of the regulation to situations in which a representative of one broker-dealer or registered investment adviser moves to another firm. Accordingly, today we are proposing amendments to the safeguards and disposal rules that are designed to address these concerns.

II. DISCUSSION

To help prevent and address security breaches in the securities industry and thereby better protect investor information, we propose to amend Regulation S-P in four principal ways. First, we propose to require more specific standards under the safeguards rule, including standards that would apply to data security breach incidents. Second, we propose to amend the scope of the information covered by the safeguards and disposal rules and to broaden the types of institutions and persons covered by the rules. Third, we propose to require institutions subject to the safeguards and disposal rules to maintain written records of their policies and procedures and their compliance with those policies and procedures. Finally, we are taking this opportunity to propose a new exception from Regulation S-P’s notice and opt-out requirements to allow investors more easily to follow a representative who moves from one brokerage or advisory firm to another.

A. Information Security and Security Breach Response Requirements

To help prevent and address security breaches at the institutions we regulate, we propose to require more specific standards for safeguarding personal information, including standards for responding to data security breaches. When we adopted Regulation S-P in 2001, the safeguards rule simply required institutions to adopt policies and procedures to address the safeguarding objectives stated in the GLBA. Following our adoption of the rule, the FTC and the Banking Agencies issued regulations with more detailed standards for safeguarding customer records and information applicable to the institutions they regulate.[23] We believe these standards include necessary elements that institutions should address when adopting and implementing safeguarding policies and procedures. We have therefore looked to the other agencies’ standards in developing our proposal and tailored them, where appropriate, to develop proposed standards for the institutions we regulate.

[23] The Banking Agencies issued their guidelines for safeguarding customer records and information in 2001. See Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001) (“Banking Agencies’ Security Guidelines”). The FTC adopted its safeguards rule in 2002. See Standards for Safeguarding Customer Information, 67 FR 36484 (May 23, 2002) (“FTC Safeguards Rule”). The Banking Agencies also have jointly issued guidance on responding to incidents of unauthorized access or use of customer information. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 FR 15736 (Mar. 29, 2005) (“Banking Agencies’ Incident Response Guidance”). More recently, through the Federal Financial Institutions Examination Council (“FFIEC”), the Banking Agencies jointly issued guidance on the authentication of customers in an Internet banking environment, and the Banking Agencies and the FTC jointly issued final rules and guidelines for identity theft “red flags” programs to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. See FFIEC, Authentication in an Internet Banking Environment (July 27, 2006), available at www.ffiec.gov/pdf/authentication_guidance.pdf (“Authentication Guidance”); Banking Agencies and FTC, Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007) (“Final Red Flag Rules”). See also Banking Agencies and FTC, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 71 FR 40785 (July 18, 2006) (“Proposed Red Flag Guidelines”). In March of this year, the FTC also published a brochure on data security, Protecting Personal Information: A Guide for Business (available at http://www.ftc.gov/infosecurity/), and the FDIC issued a Supervisory Policy on Identity Theft, FIL-32-2007 (Apr. 11, 2007), available at

1. Revised safeguarding policies and procedures

As noted above, the safeguards rule requires institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments would further develop this requirement by requiring each institution subject to the safeguards rule to develop, implement, and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information.[24] This program would have to be appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue.[25] Consistent with current requirements for safeguarding policies and procedures, the information security program also would have to be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or securityholder who is a natural person.[26] Although the term “substantial harm or inconvenience” is currently used in the safeguards rule, it is not defined. We propose to define the term to mean “personal injury, or more than trivial financial loss, expenditure of effort or loss of time.”[27] This definition is intended to include harms other than identity theft that may result from failure to safeguard sensitive information about an individual. For example, a hacker could use confidential information about an individual for extortion by threatening to make the information public unless the individual agrees to the hacker’s demands. “Substantial harm or inconvenience” would not include “unintentional access to personal information by an unauthorized person that results only in trivial financial loss, expenditure of effort or loss of time,” such as if use of the information results in an institution deciding to change the individual’s account number or password.[28] The rule would provide an example of what would not constitute harm or inconvenience that rises to the level of “substantial,” which should help clarify the scope of what would constitute “substantial harm or inconvenience.”

[24] As amended, Section 30 would be titled, “Information security programs for personal information; records of compliance.”
[25] See proposed paragraph (a)(1) of Section 30. The term “information security program” would mean the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personal information. See proposed paragraph (d)(6) of Section 30.
[26] See proposed paragraph (a)(2) of Section 30. Compare 17 CFR 248.30(a)(1)-(3).
[27] See proposed paragraph (d)(12) of Section 30. “Substantial harm or inconvenience” would include theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of the information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual’s account.

The proposed amendments also would specify particular elements that a program meeting the requirements of Regulation S-P must include.
29
These elements are intended to provide firms
in the securities industry with detailed standards for the policies and procedures that a well-
designed information security program should include to address recent identity theft-related
28
See proposed paragraph (d)(12)(ii) of Section 30. Thus, for example the proposed definition
would not encompass a firm’s occasional, unintentional delivery of an individual’s account
statement to an incorrect address if the institution determined that the information was highly
unlikely to be misused. This determination would have to be made promptly after the institution
becomes aware of an incident of unauthorized access to sensitive personal information, and
documented in writing. See proposed paragraph (a)(4)(iii) of Section 30.
29
Many of these elements are addressed by widely accepted information security standards. See,
e.g., National Institute of Standards and Technology (“NIST”), Special Publication 800 series
(Computer Security), for example Generally Accepted Principals and Practices for Securing
Information Technology Systems (SP 800-14) (Sept. 1996), Guide to Intrusion Detection and
Prevention Systems (IDPS) (SP 800-94) (Feb. 2007), and Guide to Secure Web Services (SP 800­
95) (Aug. 2007) (all available at http://csrc.nist.gov/publications/PubsSPs.html), and bulletins
dealing with computer security published by the NIST’s Information Technology Laboratory
(ITL), for example Secure Web Servers: Protecting Web Sites That Are Accessed By The Public
(ITL January 2008) (available at http://csrc.nist.gov/publications/PubsITLSB.html); Federal
Information System Controls Audit Manual, General Accounting Office, Accounting and
Information Management Division, Federal Information System Controls Audit Manual,
GAO/AIMD-12.19.6 (known as “FISCAM”) (Jan. 1999) (available at
http://www.gao.gov/special.pubs/ai12.19.6.pdf); International Organization for Standardization,
Code of Practice for Information Security Management (ISO/IEC 27002:2005) (known among
information security professionals as the “British Standard,” and formerly designated BS
ISO/IEC 17799:2005 and BS 7799-1:2005) (available for purchase at
Audit and Control Association/IT Governance Institute, Control Objectives for Information and
Related Technology (known as “COBIT”) (last updated, and published as version 4.1, May 2007)
15

Page 16
incidents such as firms in the securities industry losing data tapes and laptop computers and
failing to dispose properly of sensitive personal information, and hackers hijacking online
brokerage accounts.
30
These elements also are intended to maintain consistency with information
safeguarding guidelines and rules adopted by the Banking Agencies and FTC.
31
In addition,
these elements are consistent with policies and procedures we understand many institutions in
the securities industry have already adopted. We understand that large and complex
organizations generally have written policies that address information safeguarding procedures at
several layers, from an organization-wide policy statement to detailed procedures that address
particular controls.
32
Institutions subject to the rule would be required to:
(i)
designate in writing an employee or employees to coordinate the information
security program;
33
(ii)
identify in writing reasonably foreseeable security risks that could result in the
30
See supra notes 16-19 and accompanying text.
31
See Banking Agencies’ Security Guidelines and FTC Safeguards Rule, supra note 23. As noted
above, we sought comment on whether to revise our safeguards rule in 2004. See supra note 22.
At that time, several commenters noted that Rule 206(4)-7 under the Investment Advisers Act (17
CFR 275.206(4)-7) and Rule 38a-1 under the Investment Company Act (17 CFR 270.38a-1)
require registered investment advisers and registered investment companies to have written
policies and procedures reasonably designed to prevent violation of the federal securities laws,
including safeguards for the protection of customer records and information under Regulation
S-P. These rules also require registered investment advisers and funds to review, no less
frequently than annually, the adequacy of these policies and procedures. See Comment Letter of
the Investment Counsel Association of America (Oct. 20, 2004), at p. 3; Comment Letter of the
Investment Company Institute (Oct. 20, 2004) at p. 2. Each of these letters is available at
http://www.sec.gov/comments/s73304.shtml. We do not intend for the proposed amendments to
alter or conflict with these requirements.
32
See Disposal Rule Proposing Release, supra note 22, at 69 FR 56308 & n.29.
33
See proposed paragraph (a)(3)(i) of Section 30. Of course, the employee or employees
designated to coordinate an institution’s information security program would need to have
sufficient authority and access to the institution’s managers, officers and directors to effectively
implement the program and modify it as necessary.
16

Page 17
unauthorized disclosure, misuse, alteration, destruction or other compromise of
personal information or personal information systems;
34
(iii) design and document in writing and implement information safeguards to control
the identified risks;
35
(iv) regularly test or otherwise monitor and document in writing the effectiveness of
the safeguards’ key controls, systems, and procedures, including the effectiveness
of access controls on personal information systems, controls to detect, prevent and
respond to attacks, or intrusions by unauthorized persons, and employee training
and supervision;
36
(v)
train staff to implement the information security program;
37
(vi) oversee service providers by taking reasonable steps to select and retain service
providers capable of maintaining appropriate safeguards for the personal
information at issue, and require service providers by contract to implement and
maintain appropriate safeguards (and document such oversight in writing);
38
and
(vii) evaluate and adjust their information security programs to reflect the results of the
testing and monitoring, relevant technology changes, material changes to
operations or business arrangements, and any other circumstances that the
institution knows or reasonably believes may have a material impact on the
34
See proposed paragraph (a)(3)(ii) of Section 30. The term “personal information system” would
mean any method used to access, collect, store, use, transmit, protect or dispose of personal
information. See proposed paragraph (d)(9) of Section 30.
35
See proposed paragraph (a)(3)(iii) of Section 30.
36
See proposed paragraph (a)(3)(iv) of Section 30.
37
See proposed paragraph (a)(3)(v) of Section 30.
38
See proposed paragraph (a)(3)(vi) of Section 30.
17

Page 18
39
program.
The term “service provider” would mean any person or entity that receives, maintains,
processes, or otherwise is permitted access to personal information through its provision of
services directly to a person subject to the rule.
40
We understand that in large financial
complexes, a particular affiliate may be responsible for providing a particular service for all
affiliates in the complex. In that circumstance, each financial institution subject to Regulation
S-P would be responsible for taking reasonable steps to ensure that the service provider is
capable of maintaining appropriate safeguards and of overseeing the service provider’s
implementation, maintenance, evaluation, and modifications of appropriate safeguards for the
institution’s personal information. Under the proposed amendments, we anticipate that a covered
institution’s reasonable steps to evaluate the information safeguards of service providers could
include the use of a third-party review of those safeguards such as a Statement of Auditing
Standards No. 70 (“SAS 70”) report, a SysTrust report, or a WebTrust report.
41
We request comment on the proposed specific standards for safeguarding personal
39
See proposed paragraph (a)(3)(vii) of Section 30. This requirement is similar to the requirement
in the Banking Agencies’ Security Guidelines that institutions covered by those guidelines
monitor, evaluate, and adjust, as appropriate, their information security program in light of any
relevant changes in technology, the sensitivity of their customer information, internal or external
threats to information, and their own changing business arrangements, such as mergers and
acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer
information systems. See supra note 23, Banking Agencies’ Security Guidelines, 66 FR at 8634,
8635-36, 8637, 8639, 8641. The “material impact” standard in proposed paragraph (a)(3)(iii) is
intended to require adjustment of a covered institution’s information security program only when
a reasonable coordinator of the program would consider adjusting the program important in light
of changing circumstances.
40
See proposed paragraph (d)(11) of Section 30.
41
See Codification of Accounting Standards and Procedures, Statement on Auditing Standards No.
70, Reports on Processing of Transactions by Service Organizations (American Inst. of Certified
Public Accountants). See also description and comparison of these reports at
les+of+a+Reliable+System/SAS+No+70+SysTrust+and+WebTrust+A+Comparison.htm.
18

Page 19
information.
• Would these standards provide sufficient direction to institutions? Are there
particular standards that should be more or less prescriptive? For example, should
institutions be required to designate an employee or employees to coordinate the
information security program by name, or should institutions be permitted to make
these designations by position or office?
• Would additional standards be appropriate or are certain standards unnecessary?
Should the proposed standards be modified to more closely or less closely resemble
standards prescribed by the Banking Agencies or the FTC? For the securities
industry, are there any other standards that a well-designed information security
program should address? Are there any other standards that would provide more
flexibility to covered institutions?
• We also invite comment on the proposed requirement that entities assess the
sufficiency of safeguards in place, to control reasonably foreseeable risks. Should the
rules include more detailed standards and specifications for access controls? Should
the requirement specify factors such as those identified in the Banking Agencies’
guidance regarding authentication in an Internet banking environment or include
policies and procedures such as those in the Banking Agencies and the FTC’s
proposed or final “red flag” requirements?
42
For example, should we require that
covered institutions implement multifactor authentication, layered security, or other
See Authentication Guidance, Proposed Red Flag Guidance, and Final Red Flag Rules, supra note
23. The Authentication Guidance has been credited with helping to curtail online banking fraud,
but has been characterized as not adequately addressing authentication in the context of telephone
banking. See Daniel Wolfe, How New Authentication Systems are Altering Fraud Picture, Amer.
Banker (Dec. 26, 2007).
19
42

Page 20
controls for high-risk transactions involving access to customer information or the
movement of funds to third parties? Should we require that covered institutions
include in their information security programs “red flag” elements that would be
relevant to detecting, preventing and mitigating identity theft in connection with the
opening of accounts or existing accounts, or in connection with particular types of
accounts associated with a reasonably foreseeable risk of identity theft? Should we
require that covered institutions adopt policies and procedures for evaluating changes
of address followed closely by an account change or transaction, or for processing
address discrepancy notices from consumer reporting agencies? If the rule were to
include more detailed standards and specifications for access controls, how should
these apply to business conducted by telephone?
• Commenters are invited to discuss the proposed definition of “substantial harm or
inconvenience.” Are there circumstances that commenters believe would create
substantial harm or inconvenience to individuals that would not meet the proposed
definition? If so, how should the definition be revised to address these
circumstances?
• Commenters are invited to discuss the proposed requirements for written
documentation of compliance with the proposed safeguarding provisions.
• Commenters are invited to discuss the proposed definition of “service provider.”
They also are invited to discuss whether, if the proposed amendments are adopted,
they should include or be accompanied by guidance on the use of outside evaluations
of third-party service providers. For example, should the Commission provide
20

Page 21
guidance similar to that provided by the FFIEC on the appropriate use of SAS 70
reports in evaluating the information safeguards of service providers?
43
2.
Data security breach response
Because of the potential for harm or inconvenience to individuals when a data security
breach occurs, we are proposing that information security programs include procedures for
responding to incidents of unauthorized access to or use of personal information. These
procedures would include notice to affected individuals if misuse of sensitive personal
information has occurred or is reasonably possible. The procedures would also include notice to
the Commission (or for certain broker-dealers, their designated examining authority
44
) under
43
The FFIEC provided the following guidance on the use of SAS 70 reports in the oversight of
third-party service providers (“TSPs”) by financial institutions regulated by FFIEC member
agencies:
Financial institutions should ensure TSPs implement and maintain controls sufficient to
appropriately mitigate risk. In higher-risk relationships the institution by contract may
prescribe minimum control and reporting standards, obtain the right to require changes to
standards as external and internal environments change, and obtain access to the TSP for
institution or independent third-party evaluations of the TSP’s performance against the
standard. In lower risk relationships the institution may prescribe the use of standardized
reports, such as trust services reports or a Statement of Auditing Standards 70 (SAS 70)
report.
* * * * *
Financial institutions should carefully and critically evaluate whether a SAS 70 report
adequately supports their oversight responsibilities. The report may not provide a thorough
test of security controls and security monitoring unless requested by the T