FIN Family of Companies

Privacy Policy – Facebook, Regulators and Preventing Data Breaches

By Cory Roberson, Principal at RIA Review and RIA Consults


Advisors,

The challenges of safeguarding client information affect businesses in all industries. 

Earlier this month, Facebook revealed that it inadvertently allowed an unauthorized third party, Cambridge Analytica, to access data from over 50 million of its users.  This wide sweeping data breach prompted an investigation from the Federal Trade Commission (“FTC”) that will likely result in heavy fines for the social media juggernaut.

On February 2, 2018, my blog on “Data Protection/laptop theft security,” discussed the risks of data breaches for advisors who may work remotely in various settings, such as coffee shops.  As such, the financial industry is under a heavy microscope from regulators.  

The Securities and Exchange Commission (SEC) is conducting more tests in the face of an increasing frequency of cyber threats and data hacks.  Last May, the SEC Office of Inspections and Compliance Examinations (OICE) issued a report of its cybersecurity examinations of some of its registrants in response to a global cybersecurity attack (“Ransonware”).  

Even regulators are feeling its own scrutiny in terms of data breaches.  On March 27, 2018, Bloomberg uncovered a whistleblower’s complaint against self-regulatory organizations (“SRO’s”), such as the Financial Industry Regulatory Authority (FINRA) and the North American Securities Administrators Association (NASAA).  The complaint, filed against regulators who supervise broker-dealers and state registered advisors respectively, alleges that the agencies failed to safeguard social security and brokerage account numbers.

Client protection rulemaking is not a new issue.  In 2001, more than seventeen years ago, lawmakers created a broad sweeping rule for financial firms to mitigate the challenges of data protection, known as Regulation S-P (Gramm-Leach-Bliley Act).

What is required to safeguard client information?

Rule 30 of the Regulation S-P requires financial firms across multiple jurisdictions to include written policies and procedures in its operations (“Privacy Policy”).  Generally, firms can create a sufficient privacy policy through the creation of a client disclosure document and a summary of internal office procedures.
Regulation S-P covers: investment advisers, brokers-dealers, banking institutions, lending institutions, and investment companies ("mutual funds").

What types of client information should be protected?
Non-Public Information can include any of the following:
Customer financial data (income, tax status, assets held in other financial institutions), client names, addresses, dates of birth, social security numbers, tax identification numbers, bank account numbers, credit card information, and copies of driver’s licenses or passports.

How to create Policies and Procedures (“Privacy policy”)?

Step 1 – Maintenance of books and records
Firms should create procedures for handling both paper and electronic records that contain non-public or other sensitive customer information.  The policy can include the purpose for using data and who has access to sensitive information.

Step 2 – Protection of books and records
The policy should include steps for protection methods such as shredding paperwork, IT security systems, testing for breaches, encryption technology, password storage, remote working protocols, business continuity plans, and/or deleting sensitive firm information.

Step 3 – Communication with authorities
Firms should maintain policies for sharing information with regulators, government officials, or local authorities.  (e.g. what is required to share, what is not).

Step 4 – Steps for employee training
The policy should include steps for informing employees of best practices for safeguarding client information. 

Step 5 – Sharing information with third-party parties
Firms should include policies for sharing information with third parties, affiliates, or other outside individuals. (e.g. Account for situations where information may be shared to other groups for business purposes and/or provide disclosures when information will never be shared).

Step 6 – Reporting Breaches
The policy should include steps for reporting any actual or possible breaches of customer information. (e.g. procedures for informing clients, offering credit monitoring, or recompensing clients if a data breach results in a loss of securities or assets).

Step 7 – Updating Privacy Policy
The policy should be updated for any changes in firm policies, systems, or protection methods.

Q.  How to disclose details to clients (investment advisors)?

A.

Offer Letter:  Advisors are required to send an annual offer letter to clients within 120 days of the firm’s fiscal year end.  At this time, firms should include an updated copy of the Privacy Policy in paper or electronic format (e.g. link to form online).

Website:  Firms should place a copy of their privacy policy disclosure on their website (if applicable).

ADV:  Firms can reference that a copy of the privacy policy, code of ethics, and/or business continuity plan is available upon request.  Advisors may also attach a copy of privacy policy on their ADV (optional).

Summary:  Overall, both state and SEC-registered firms should adhere to Reg S-P guidelines for safeguarding client information.




Our Mission: “Serving the Investment Community to Make a Social Impact”

Cory Roberson is Principal of RIA Review, a compliance and document management portal (www.riareview.com) - 120+ users and growing.  He is also Principal of RIA Consults -Roberson Consults Group), a consulting firm providing compliance, operations, and business development services for registered investment advisors and next-gen fintech entrepreneurs (www.riaconsults.com) more than 160 SEC & State advisors clients across the US (including a few in Europe).  His third platform, RegTech Review, a FinTech compliance portal site: (http://regtechreview.com) is currently in prototype stage.   

As a social entrepreneur, through his mission-driven arm SoCap Missions (http://SoCapmissions.com), he provides business support group sessions and has volunteered for more than 15 youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.

No comments:

Powered by Blogger.