[Federal Register: March 13, 2008 (Volume 73, Number 50)]
[Proposed Rules]
[Page 13691-13719]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr13mr08-32]
[[Page 13691]]
-----------------------------------------------------------------------
Part III
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Part 248
Part 248--Regulation S-P: Privacy of Consumer Financial Information and
Safeguarding Personal Information; Proposed Rule
[[Page 13692]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Part 248
[Release Nos. 34-57427; IC-28178; IA-2712; File No. S7-06-08]
RIN 3235-AK08
Part 248--Regulation S-P: Privacy of Consumer Financial
Information and Safeguarding Personal Information
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'') is
proposing amendments to Regulation S-P, which implements certain
provisions of the Gramm-Leach-Bliley Act (``GLBA'') and the Fair Credit
Reporting Act (``FCRA'') for entities regulated by the Commission. The
proposed amendments would set forth more specific requirements for
safeguarding information and responding to information security
breaches, and broaden the scope of the information covered by
Regulation S-P's safeguarding and disposal provisions. They also would
extend the application of the disposal provisions to natural persons
associated with brokers, dealers, investment advisers registered with
the Commission (``registered investment advisers'') and transfer agents
registered with the Commission (``registered transfer agents''), and
would extend the application of the safeguarding provisions to
registered transfer agents. Finally, the proposed amendments would
permit a limited transfer of information to a nonaffiliated third party
without the required notice and opt out when personnel move from one
broker-dealer or registered investment adviser to another.
DATES: Comments must be received on or before May 12, 2008.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's Internet comment form (http://
www.sec.gov/rules/proposed.shtml); or
Send an e-mail to rule-comments@sec.gov. Please include
File Number S7-06-08 on the subject line; or
Use the Federal eRulemaking Portal (http://
www.regulations.gov). Follow the instructions for submitting comments.
Paper Comments
Send paper comments in triplicate to Nancy M. Morris,
Secretary, Securities and Exchange Commission, 100 F Street, NE.,
Washington, DC 20549-1090.
All submissions should refer to File Number S7-06-08. This file number
should be included on the subject line if e-mail is used. To help us
process and review your comments more efficiently, please use only one
method. The Commission will post all comments on the Commission's
Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments
are also available for public inspection and copying in the
Commission's Public Reference Room, 100 F Street, NE., Washington, DC
20549, on official business days between the hours of 10 a.m. and 3
p.m. All comments received will be posted without change; we do not
edit personal identifying information from submissions. You should
submit only information that you wish to make available publicly.
FOR FURTHER INFORMATION CONTACT: Catherine McGuire, Chief Counsel, or
Brice Prince, Special Counsel, Office of the Chief Counsel, Division of
Trading and Markets, (202) 551-5550; or Penelope Saltzman, Acting
Assistant Director, or Vincent Meehan, Senior Counsel, Office of
Regulatory Policy, Division of Investment Management, (202) 551-6792,
Securities and Exchange Commission, 100 F Street, NE., Washington, DC
20549.
SUPPLEMENTARY INFORMATION: The Commission today is proposing amendments
to Regulation S-P \1\ under Title V of the GLBA,\2\ the FCRA,\3\ the
Securities Exchange Act of 1934 (the ``Exchange Act''),\4\ the
Investment Company Act of 1940 (the ``Investment Company Act''),\5\ and
the Investment Advisers Act of 1940 (the ``Investment Advisers
Act'').\6\
---------------------------------------------------------------------------
\1\ 17 CFR part 248. Unless otherwise noted, all references to
rules under Regulation S-P will be to Part 248 of the Code of
Federal Regulations (17 CFR 248).
\2\ 15 U.S.C. 6801-6827.
\3\ 15 U.S.C. 1681w.
\4\ 15 U.S.C. 78a.
\5\ 15 U.S.C. 80a.
\6\ 15 U.S.C. 80b.
---------------------------------------------------------------------------
Table of Contents
I. Background
A. Statutory Requirements and Current Regulation S-P Mandates
B. Challenges Posed by Information Security Breaches
II. Discussion
A. Information Security and Security Breach Response
Requirements
B. Scope of the Safeguards and Disposal Rules
C. Records of Compliance
D. Exception for Limited Information Disclosure When Personnel
Leave Their Firms
III. General Request for Comments
IV. Paperwork Reduction Act
V. Cost-Benefit Analysis
VI. Initial Regulatory Flexibility Analysis
VII. Consideration of Burden on Competition and Promotion of
Efficiency, Competition and Capital Formation
VIII. Small Business Regulatory Enforcement Fairness Act
IX. Statutory Authority
X. Text of Proposed Rules and Rule Amendments
I. Background
A. Statutory Requirements and Current Regulation S-P Mandates
Subtitle A of Title V of the GLBA requires every financial
institution to inform its customers about its privacy policies and
practices, and limits the circumstances in which a financial
institution may disclose nonpublic personal information about a
consumer to a nonaffiliated third party without first giving the
consumer an opportunity to opt out of the disclosure.\7\ In enacting
the legislation, Congress also specifically directed the Commission and
other federal financial regulators to establish and implement
information safeguarding standards requiring financial institutions
subject to their jurisdiction to adopt administrative, technical and
physical information safeguards.\8\ The GLBA specified that these
standards were to ``insure the
[[Page 13693]]
security and confidentiality of customer records and information,''
``protect against any anticipated threats or hazards to the security or
integrity'' of those records, and protect against unauthorized access
to or use of those records or information, which ``could result in
substantial harm or inconvenience to any customer.'' \9\
---------------------------------------------------------------------------
\7\ See 15 U.S.C. 6802(a) and (b). The GLBA and Regulation S-P
draw a distinction between ``consumers'' and ``customers.'' A
``consumer'' is defined in Section 3(g)(1) of Regulation S-P to mean
an individual who obtains a financial product or service that is to
be used primarily for personal, family, or household purposes. See
17 CFR 248.3(g)(1). A ``customer'' is defined in Section 3(j) of
Regulation S-P as a consumer who has a continuing relationship with
the financial institution. See 17 CFR 248.3(j). The distinction
between customer and consumer determines the notices that a
financial institution must provide. Pursuant to Sections 4 and 5 of
Regulation S-P, a financial institution must provide customers with
an initial notice describing the institution's privacy policies when
a customer relationship is formed and at least annually throughout
the customer relationship. In contrast, if a consumer is not a
customer, a financial institution must only provide a notice if it
intends to share nonpublic personal information about the consumer
with a nonaffiliated third party (outside of certain exceptions).
See 17 CFR 248.4 and 248.5.
\8\ The GLBA directed the Commission, the Federal Trade
Commission (``FTC'') and state insurance authorities to implement
the safeguarding standards by rule. See 15 U.S.C. 6805(b)(2). The
GLBA directed the Office of the Comptroller of the Currency, the
Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation (``FDIC'') and the Office of Thrift
Supervision (collectively, the ``Banking Agencies'') and the
National Credit Union Administration (``NCUA'') to implement the
safeguarding standards by regulation or by guidelines. See 15 U.S.C.
6805(b)(1).
\9\ 15 U.S.C. 6801(b).
---------------------------------------------------------------------------
In response to these directives, we adopted Regulation S-P in
2000.\10\ Section 30(a) of Regulation S-P (the ``safeguards rule'')
requires institutions to safeguard customer records and
information,\11\ while other sections of the regulation implement the
notice and opt out provisions of the GLBA.\12\ The safeguards rule
currently requires institutions to adopt written policies and
procedures for administrative, technical, and physical safeguards to
protect customer records and information. The safeguards must be
reasonably designed to meet the GLBA's objectives.\13\ This approach
provides flexibility for institutions to safeguard customer records and
information in accordance with their own privacy policies and practices
and business models. The safeguards rule and the notice and opt out
provisions currently apply to brokers, dealers, registered investment
advisers, and investment companies.\14\
---------------------------------------------------------------------------
\10\ See Privacy of Consumer Financial Information (Regulation
S-P), Exchange Act Release No. 42974, Investment Company Act
(``ICA'') Release No. 24543, Investment Advisers Act (``IAA'')
Release No. 1883 (June 22, 2000), 65 FR 40334 (June 29, 2000).
Pursuant to the GLBA directive, Regulation S-P is consistent with
and comparable to the financial privacy rules adopted by other
federal financial regulators in 2000. See FTC, Privacy of Consumer
Financial Information, 65 FR 33646 (May 24, 2000); Banking Agencies,
Privacy of Consumer Financial Information, 65 FR 35162 (June 1,
2000); and NCUA, Privacy of Consumer Financial Information;
Requirements for Insurance, 65 FR 31722 (May 18, 2000). See also 15
U.S.C. 6804(a)(2) (directing federal financial regulators to consult
and coordinate to assure, to the extent possible, that each agency's
regulations are consistent and comparable with the regulations
prescribed by the other agencies).
In 2001, we amended Regulation S-P to permit futures commission
merchants and introducing brokers that are registered by notice as
broker-dealers in order to conduct business in security futures
products under Section 15(b)(11)(A) of the Exchange Act (``notice-
registered broker-dealers'') to comply with Regulation S-P by
complying with financial privacy rules that the Commodity Futures
Trading Commission (``CFTC'') adopted that year. See 17 CFR
248.2(b); Registration of Broker-Dealers Pursuant to Section
15(b)(11) of the Securities Exchange Act of 1934, Exchange Act
Release No. 44730 (Aug. 21, 2001), 66 FR 45138 (Aug. 27, 2001); see
also CFTC, Privacy of Consumer Financial Information, 66 FR 21236
(Apr. 27, 2001).
\11\ 17 CFR 248.30(a).
\12\ See 17 CFR 248.1-248.18. As described above, the GLBA and
Regulation S-P require brokers, dealers, investment advisers
registered with the Commission, and investment companies to provide
an annual notice of their privacy policies and practices to their
customers (and notice to consumers before sharing their nonpublic
personal information with nonaffiliated third parties outside
certain exceptions). See supra note 7; 15 U.S.C. 6803(a); 17 CFR
248.4; 17 CFR 248.5. In general, the privacy notices must describe
the institutions' policies and practices with respect to disclosing
nonpublic personal information about a consumer to both affiliated
and nonaffiliated third parties. 15 U.S.C. 6803; 17 CFR 248.6. The
notices also must provide a consumer a reasonable opportunity to
direct the institution generally not to share nonpublic personal
information about the consumer (that is, to ``opt out'') with
nonaffiliated third parties. 15 U.S.C. 6802(b); 17 CFR 248.7. (The
privacy notice also must provide, where applicable under the FCRA, a
notice and an opportunity for a consumer to opt out of certain
information sharing among affiliates.) Sections 13, 14, and 15 of
Regulation S-P (17 CFR 248.13, 17 CFR 248.14, and 17 CFR 248.15) set
out exceptions from these general notice and opt out requirements
under the GLBA. Section 13 includes exceptions for sharing
information with other financial institutions under joint marketing
agreements and with certain service providers. Section 14 includes
exceptions for sharing information for everyday business purposes,
such as maintaining or servicing accounts. Section 15 includes
exceptions for disclosures made with the consent or at the direction
of a consumer, disclosures for particular purposes such as
protecting against fraud, disclosures to consumer reporting
agencies, and disclosures to law enforcement agencies. In March
2007, the Commission, together with the Banking Agencies, the CFTC,
the FTC, and the NCUA, published for public comment in the Federal
Register a proposed model privacy form that financial institutions
could use for their privacy notices to consumers required by the
GLBA. See Interagency Proposal for Model Privacy Form Under the
Gramm-Leach-Bliley Act, Exchange Act Release No. 55497, IAA Release
No. 2598, ICA Release No. 27755 (Mar. 20, 2007), 72 FR 14940 (Mar.
29, 2007) (``Interagency Model Privacy Form Proposal'').
\13\ Specifically, the safeguards must be reasonably designed to
insure the security and confidentiality of customer records and
information, protect against anticipated threats to the security or
integrity of those records and information, and protect against
unauthorized access to or use of such records or information that
could result in substantial harm or inconvenience to any customer.
See supra note 9 and accompanying text.
\14\ Regulation S-P applies to investment companies as the term
is defined in Section 3 of the Investment Company Act (15 U.S.C.
80a-3), whether or not the investment company is registered with the
Commission. See 17 CFR 248.3(r). Thus, a business development
company, which is an investment company but is not required to
register as such with the Commission, is subject to Regulation S-P.
In this release, institutions to which Regulation S-P currently
applies, or to which the proposed amendments would apply, are
sometimes referred to as ``covered institutions.''
---------------------------------------------------------------------------
Pursuant to the Fair and Accurate Credit Transactions Act of 2003
(``FACT Act''), the Commission amended Regulation S-P in 2004 to
protect against the improper disposal of consumer report
information.\15\ Section 30(b) of Regulation S-P (the ``disposal
rule'') currently applies to the institutions subject to the other
provisions of Regulation S-P, except that it excludes notice-registered
broker-dealers and includes registered transfer agents.
---------------------------------------------------------------------------
\15\ 17 CFR 248.30(b). Section 216 of the FACT Act amended the
FCRA by adding Section 628 (codified at 15 U.S.C. 1681w), which
directed the Commission and other federal financial regulators to
adopt regulations for the proper disposal of consumer information,
and provides that any person who maintains or possesses consumer
information or any compilation of consumer information derived from
a consumer report for a business purpose must properly dispose of
the information. See Disposal of Consumer Report Information,
Exchange Act Release No. 50781, IAA Release No. 2332, ICA Release
No. 26685 (Dec. 2, 2004), 69 FR 71322 (Dec. 8, 2004) (``Disposal
Rule Adopting Release''). When we adopted the disposal rule, we also
amended Regulation S-P to require that the policies and procedures
institutions must adopt under the safeguards rule be in writing.
The disposal rule requires transfer agents registered with the
Commission, as well as brokers and dealers other than notice-
registered broker-dealers, investment advisers registered with the
Commission, and investment companies that maintain or possess
``consumer report information'' for a business purpose, to take
``reasonable measures to protect against unauthorized access to or
use of the information in connection with its disposal.''
In order to provide clarity, the Disposal Rule Adopting Release
included five examples intended to provide guidance on disposal
measures that would be deemed reasonable under the disposal rule.
See Disposal Rule Adopting Release at section II.A.2.
---------------------------------------------------------------------------
B. Challenges Posed by Information Security Breaches
In recent years, we have become concerned with the increasing
number of information security breaches that have come to light and the
potential for identity theft and other misuse of personal financial
information. Once seemingly confined mainly to commercial banks and
retailers, this problem has spread throughout the business community,
including the securities industry.\16\
---------------------------------------------------------------------------
\16\ See Press Release, NASD, NASD Warns Investors to Protect
Online Account Information, Brokerages Also Reminded of Obligation
to Protect Customer Information from New Threats (July 28, 2005),
http://www.finra.org/PressRoom/NewsReleases/2005NewsReleases/P014775
(last visited Nov. 6, 2007). See also In re NEXT Financial Group,
Inc., Exchange Act Release No. 56316 (Aug. 24, 2007), http://
www.sec.gov/litigation/admin/2007/34-56316.pdf, and Order
Instituting Administrative and Cease-and-Desist Proceedings Pursuant
to Sections 15(b) and 21C of the Securities Exchange Act of 1934
(Aug. 24, 2007) (alleging violations of the notice and opt out
provisions of Regulation S-P and the safeguards rule in connection
with recruiting registered representatives), http://www.sec.gov/
litigation/admin/2007/34-56316-o.pdf.
---------------------------------------------------------------------------
In the last two years, we have seen a significant increase in
information security breaches involving institutions we regulate.
Perhaps most disturbing is the increase in incidents involving the
takeover of online brokerage accounts, including the use of the
accounts by foreign nationals as part of ``pump-and-dump'' schemes.\17\
The financial
[[Page 13694]]
services sector also is a popular target for online targeted attacks,
and ``phishing'' attacks in which fraudsters set up an Internet site
designed to mimic a legitimate site and induce random Internet users to
disclose personal information.\18\ In other recent incidents,
registered representatives of broker-dealers disposed of information
and records about clients or prospective clients in accessible areas,
from which journalists were able to remove them. Sensitive securities-
related data also has been lost or stolen as a result of other
incidents.\19\
---------------------------------------------------------------------------
\17\ While some account takeovers may have been facilitated by
investors failing to take adequate precautions against security
threats such as ``keylogger'' programs and ``phishing'' attacks,
many online brokerage firms have successfully reduced their exposure
to account takeovers by improving their authentication and
monitoring procedures. The Commission has been active in this area,
and has brought several enforcement cases involving defendants in
foreign jurisdictions. See, e.g., Litigation Release No. 20037 (Mar.
12, 2007), available at http://www.sec.gov/litigation/litreleases/
2007/lr20037.htm (three Indian nationals charged with participating
in an alleged fraudulent scheme to manipulate the prices of at least
fourteen securities through the unauthorized use of other people's
online brokerage accounts); and Litigation Release No. 19949 (Dec.
19, 2006), available at http://www.sec.gov/litigation/litreleases/
2006/lr19949.htm (emergency asset freeze obtained; complaint alleged
an alleged Estonia-based account intrusion scheme that targeted
online brokerage accounts in the U.S. to manipulate the markets).
\18\ In 2006, Symantec Corporation, a seller of information
security and information management software, reported that in the
first half of 2006, 84 percent of tracked phishing sites targeted
the financial sector and 9 of the top 10 brands phished this period
were from the financial sector. Because the financial services
sector is a logical target for attackers increasingly motivated by
financial gain, that sector was also the second most frequent target
of Internet-based attacks (after home users). See Symantec, Symantec
Internet Security Threat Report, Trends for January 06-June 06, at
9, 23 (Sept. 2006), http://www.symantec.com/specprog/threatreport/
ent-whitepaper_symantec_internet_security_threat_report_x_
09_2006.en-us.pdf (last visited Nov. 6, 2007) (``Symantec September
2006 Internet Security Threat Report''). Reportedly, employees of
financial services firms ``are increasingly being invited to visit
Web sites or download programs by people pretending to be colleagues
or peers,'' followed by attack programs on the sites or in downloads
that ``then open tunnels into the corporate network.'' More
recently, although financial services-related spam reportedly ``made
up 21 percent of all spam in the first six months of 2007, making it
the second most common type of spam during this period,'' there was
a 30-percent decline in stock market ``pump and dump'' spam ``due to
a decline in spam touting penny stocks that was triggered by actions
taken by the United States Securities and Exchange Commission, which
limited the profitability of this type of spam by suspending trading
of the stocks that are touted.'' See Symantec, Symantec Internet
Security Threat Report, Trends for January-June 07, Volume XII, at
107 (Sept. 2007), http://eval.symantec.com/mktginfo/enterprise/
white--papers/ent-whitepaper--internet--security--threat--report--
xii--09--2007.en-us.pdf (last visited Nov. 6, 2007) (citing
Commission Press Release 2007-34, SEC Suspends Trading Of 35
Companies Touted In Spam E-mail Campaigns (Mar. 8, 2007), available
at http://www.sec.gov/news/press/2007/2007-34.htm).
\19\ For example, in April 2005, a shipping company lost a
computer backup tape containing account information for more than
200,000 broker-dealer customers. The broker-dealer voluntarily
notified its affected customers, although the data was compressed
and the tape was thought to have been destroyed. In December 2005, a
laptop computer containing unencrypted information that included
names and account numbers of 158,000 customers and the names and
Social Security numbers of 68,000 adviser personnel was stolen from
a registered investment adviser, and in March 2006, a laptop
computer containing the names, addresses, Social Security numbers,
dates of birth, and other employment-related information of as many
as 196,000 retirement plan participants was stolen from a benefits
plan administration subsidiary of a registered investment adviser.
In both cases, the laptops were taken from vehicles by thieves who
appear to have stolen them for their value as computer hardware
rather than for the information contained on them. The registered
investment adviser voluntarily notified the more than 200,000
clients and financial advisers whose information was compromised,
while the benefits plan administrator voluntarily notified the
nearly 200,000 retirement plan participants whose information was
compromised, and offered to pay for a year of credit monitoring for
each of them.
---------------------------------------------------------------------------
Many firms in the securities industry are aware of these problems
and have appropriate safeguards in place to address them.\20\ We are
concerned, however, that some firms do not regularly reevaluate and
update their safeguarding programs to deal with these increasingly
sophisticated methods of attack.\21\ For this reason, and in light of
the increase in reported security breaches and the potential for
identity theft among the institutions we regulate, we believe that our
previous approach, requiring safeguards that must be reasonably
designed to meet the GLBA's objectives, merits revisiting.\22\
---------------------------------------------------------------------------
\20\ Some institutions regulated by the Commission have already
taken steps to strengthen their policies and procedures for
safeguarding investors' information, such as by offering investors
the use of password-generating tokens for online brokerage accounts.
We also note that some firms have been sharing information about
suspicious activity with one another for the purpose of combating
identity theft. To the extent it might involve sharing nonpublic
personal information about consumers of the firms, Regulation S-P
does not prohibit such information sharing because Section
15(a)(2)(ii) of Regulation S-P permits firms to disclose nonpublic
personal information to a nonaffiliated third party for the purpose
of protecting against fraud without first giving consumers notice of
and an opportunity to opt out of the disclosures.
\21\ According to a September 2007 report from Deloitte Touche
Tohmatsu, for example, 37 percent of 169 surveyed financial
institutions do not have an information security strategy in place,
and 33 percent of these institutions do not conduct vulnerability
testing, or only do so on an ad hoc basis. See Deloitte Touche
Tohmatsu, 2007 Global Security Survey, at 12, 36 (Sept. 2007),
http://www.deloitte.com/dtt/cda/doc/content/dtt_gfsi_
GlobalSecuritySurvey_20070901%281%29.pdf (last visited Nov. 6,
2007).
\22\ In 2004 we sought comment on whether to revise our
safeguards rule to require institutions to address certain elements
in designating their safeguarding policies and procedures. See
Disposal of Consumer Report Information, Exchange Act Release No.
50361, IAA Release No. 2293, ICA Release No. 20596 (Sept. 14, 2004),
69 FR 56304 (Sept. 20, 2004) (``Disposal Rule Proposing Release''),
at section II.B. At that time we decided not to revise the
safeguards rule, but noted we would consider the comments we
received in the event we proposed any amendment to the rule. See
Disposal Rule Adopting Release, supra note 15, at section II.B. See
also infra note 31.
---------------------------------------------------------------------------
We also are concerned that while the information protected under
the safeguards rule and the disposal rule includes certain personal
information, it does not include other information that could be used
to access investors' financial information if obtained by an
unauthorized user. Finally we want to address other issues under
Regulation S-P that have come to our attention, including the
application of the regulation to situations in which a representative
of one broker-dealer or registered investment adviser moves to another
firm. Accordingly, today we are proposing amendments to the safeguards
and disposal rules that are designed to address these concerns.
II. Discussion
To help prevent and address security breaches in the securities
industry and thereby better protect investor information, we propose to
amend Regulation S-P in four principal ways. First, we propose to
require more specific standards under the safeguards rule, including
standards that would apply to data security breach incidents. Second,
we propose to amend the scope of the information covered by the
safeguards and disposal rules and to broaden the types of institutions
and persons covered by the rules. Third, we propose to require
institutions subject to the safeguards and disposal rules to maintain
written records of their policies and procedures and their compliance
with those policies and procedures. Finally, we are taking this
opportunity to propose a new exception from Regulation S-P's notice and
opt-out requirements to allow investors more easily to follow a
representative who moves from one brokerage or advisory firm to
another.
A. Information Security and Security Breach Response Requirements
To help prevent and address security breaches at the institutions
we regulate, we propose to require more specific standards for
safeguarding personal information, including standards for responding
to data security breaches. When we adopted Regulation S-P in 2001, the
safeguards rule simply required institutions to adopt policies and
procedures to address the safeguarding objectives stated in the GLBA.
Following our adoption of the rule, the FTC and the Banking Agencies
issued regulations with more detailed standards for safeguarding
customer
[[Page 13695]]
records and information applicable to the institutions they
regulate.\23\ We believe these standards include necessary elements
that institutions should address when adopting and implementing
safeguarding policies and procedures. We have therefore looked to the
other agencies' standards in developing our proposal and tailored them,
where appropriate, to develop proposed standards for the institutions
we regulate.
---------------------------------------------------------------------------
\23\ The Banking Agencies issued their guidelines for
safeguarding customer records and information in 2001. See
Interagency Guidelines Establishing Standards for Safeguarding
Customer Information and Rescission of Year 2000 Standards for
Safety and Soundness, 66 FR 8616 (Feb. 1, 2001) (``Banking
Agencies'' Security Guidelines''). The FTC adopted its safeguards
rule in 2002. See Standards for Safeguarding Customer Information,
67 FR 36484 (May 23, 2002) (``FTC Safeguards Rule''). The Banking
Agencies also have jointly issued guidance on responding to
incidents of unauthorized access or use of customer information. See
Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice, 70 FR 15736 (Mar. 29,
2005) (``Banking Agencies'' Incident Response Guidance''). More
recently, through the Federal Financial Institutions Examination
Council (``FFIEC''), the Banking Agencies jointly issued guidance on
the authentication of customers in an Internet banking environment,
and the Banking Agencies and the FTC jointly issued final rules and
guidelines for identity theft ``red flags'' programs to detect,
prevent, and mitigate identity theft in connection with the opening
of certain accounts or certain existing accounts. See FFIEC,
Authentication in an Internet Banking Environment (July 27, 2006),
available at www.ffiec.gov/pdf/authentication_guidance.pdf
(``Authentication Guidance''); Banking Agencies and FTC, Identity
Theft Red Flags and Address Discrepancies under the Fair and
Accurate Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007)
(``Final Red Flag Rules''). See also Banking Agencies and FTC,
Identity Theft Red Flags and Address Discrepancies Under the Fair
and Accurate Credit Transactions Act of 2003, 71 FR 40785 (July 18,
2006) (``Proposed Red Flag Guidelines''). In March of this year, the
FTC also published a brochure on data security, Protecting Personal
Information: A Guide for Business (available at http://www.ftc.gov/
infosecurity/), and the FDIC issued a Supervisory Policy on Identity
Theft, FIL-32-2007 (Apr. 11, 2007), available at http://
www.fdic.gov/news/news/financial/2007/fil07032a.html.
---------------------------------------------------------------------------
1. Revised Safeguarding Policies and Procedures
As noted above, the safeguards rule requires institutions to adopt
written policies and procedures that address administrative, technical
and physical safeguards to protect customer records and information.
The proposed amendments would further develop this requirement by
requiring each institution subject to the safeguards rule to develop,
implement, and maintain a comprehensive ``information security
program,'' including written policies and procedures that provide
administrative, technical, and physical safeguards for protecting
personal information, and for responding to unauthorized access to or
use of personal information.\24\ This program would have to be
appropriate to the institution's size and complexity, the nature and
scope of its activities, and the sensitivity of any personal
information at issue.\25\ Consistent with current requirements for
safeguarding policies and procedures, the information security program
also would have to be reasonably designed to: (i) Ensure the security
and confidentiality of personal information; (ii) protect against any
anticipated threats or hazards to the security or integrity of personal
information; and (iii) protect against unauthorized access to or use of
personal information that could result in substantial harm or
inconvenience to any consumer, employee, investor or securityholder who
is a natural person.\26\ Although the term ``substantial harm or
inconvenience'' is currently used in the safeguards rule, it is not
defined. We propose to define the term to mean ``personal injury, or
more than trivial financial loss, expenditure of effort or loss of
time.'' \27\ This definition is intended to include harms other than
identity theft that may result from failure to safeguard sensitive
information about an individual. For example, a hacker could use
confidential information about an individual for extortion by
threatening to make the information public unless the individual agrees
to the hacker's demands. ``Substantial harm or inconvenience'' would
not include ``unintentional access to personal information by an
unauthorized person that results only in trivial financial loss,
expenditure of effort or loss of time,'' such as if use of the
information results in an institution deciding to change the
individual's account number or password.\28\ The rule would provide an
example of what would not constitute harm or inconvenience that rises
to the level of ``substantial,'' which should help clarify the scope of
what would constitute ``substantial harm or inconvenience.''
---------------------------------------------------------------------------
\24\ As amended, Section 30 would be titled, ``Information
security programs for personal information; records of compliance.''
\25\ See proposed paragraph (a)(1) of Section 30. The term
``information security program'' would mean the administrative,
technical, or physical safeguards used to access, collect,
distribute, process, protect, store, use, transmit, dispose of, or
otherwise handle personal information. See proposed paragraph (d)(6)
of Section 30.
\26\ See proposed paragraph (a)(2) of Section 30. Compare 17 CFR
248.30(a)(1)-(3).
\27\ See proposed paragraph (d)(12) of Section 30. ``Substantial
harm or inconvenience'' would include theft, fraud, harassment,
impersonation, intimidation, damaged reputation, impaired
eligibility for credit, or the unauthorized use of the information
identified with an individual to obtain a financial product or
service, or to access, log into, effect a transaction in, or
otherwise use the individual's account.
\28\ See proposed paragraph (d)(12)(ii) of Section 30. Thus, for
example the proposed definition would not encompass a firm's
occasional, unintentional delivery of an individual's account
statement to an incorrect address if the institution determined that
the information was highly unlikely to be misused. This
determination would have to be made promptly after the institution
becomes aware of an incident of unauthorized access to sensitive
personal information, and documented in writing. See proposed
paragraph (a)(4)(iii) of Section 30.
---------------------------------------------------------------------------
The proposed amendments also would specify particular elements that
a program meeting the requirements of Regulation S-P must include.\29\
These elements are intended to provide firms in the securities industry
with detailed standards for the policies and procedures that a well-
designed information security program should include to address recent
identity theft-related incidents such as firms in the securities
industry losing data tapes and laptop computers and failing to dispose
properly of sensitive personal information, and hackers hijacking
online brokerage accounts.\30\ These elements also are intended to
maintain consistency with information safeguarding guidelines and rules
adopted by the Banking Agencies and
[[Page 13696]]
FTC.\31\ In addition, these elements are consistent with policies and
procedures we understand many institutions in the securities industry
have already adopted. We understand that large and complex
organizations generally have written policies that address information
safeguarding procedures at several layers, from an organization-wide
policy statement to detailed procedures that address particular
controls.\32\
---------------------------------------------------------------------------
\29\ Many of these elements are addressed by widely accepted
information security standards. See, e.g., National Institute of
Standards and Technology (``NIST''), Special Publication 800 series
(Computer Security), for example Generally Accepted Principals and
Practices for Securing Information Technology Systems (SP 800-14)
(Sept. 1996), Guide to Intrusion Detection and Prevention Systems
(IDPS) (SP 800-94) (Feb. 2007), and Guide to Secure Web Services (SP
800-95) (Aug. 2007) (all available at http://csrc.nist.gov/
publications/PubsSPs.html), and bulletins dealing with computer
security published by the NIST's Information Technology Laboratory
(ITL), for example Secure Web Servers: Protecting Web Sites That Are
Accessed By The Public (ITL January 2008) (available at http://
csrc.nist.gov/publications/PubsITLSB.html); Federal Information
System Controls Audit Manual, General Accounting Office, Accounting
and Information Management Division, Federal Information System
Controls Audit Manual, GAO/AIMD-12.19.6 (known as ``FISCAM'') (Jan.
1999) (available at http://www.gao.gov/special.pubs/ai12.19.6.pdf);
International Organization for Standardization, Code of Practice for
Information Security Management (ISO/IEC 27002:2005) (known among
information security professionals as the ``British Standard,'' and
formerly designated BS ISO/IEC 17799:2005 and BS 7799-1:2005)
(available for purchase at http://www.standardsdirect.org/
iso17799.htm and at http://www.bsi-global.com/en/Shop/Publication-
Detail/?pid=000000000030166440); and Information Systems Audit and
Control Association/IT Governance Institute, Control Objectives for
Information and Related Technology (known as ``COBIT'') (last
updated, and published as version 4.1, May 2007) (available at
http://www.isaca.org).
\30\ See supra notes 16-19 and accompanying text.
\31\ See Banking Agencies' Security Guidelines and FTC
Safeguards Rule, supra note 23. As noted above, we sought comment on
whether to revise our safeguards rule in 2004. See supra note 22. At
that time, several commenters noted that Rule 206(4)-7 under the
Investment Advisers Act (17 CFR 275.206(4)-7) and Rule 38a-1 under
the Investment Company Act (17 CFR 270.38a-1) require registered
investment advisers and registered investment companies to have
written policies and procedures reasonably designed to prevent
violation of the federal securities laws, including safeguards for
the protection of customer records and information under Regulation
S-P. These rules also require registered investment advisers and
funds to review, no less frequently than annually, the adequacy of
these policies and procedures. See Comment Letter of the Investment
Counsel Association of America (Oct. 20, 2004), at p. 3; Comment
Letter of the Investment Company Institute (Oct. 20, 2004) at p. 2.
Each of these letters is available at http://www.sec.gov/comments/
s73304.shtml. We do not intend for the proposed amendments to alter
or conflict with these requirements.
\32\ See Disposal Rule Proposing Release, supra note 22, at 69
FR 56308 & n.29.
---------------------------------------------------------------------------
Institutions subject to the rule would be required to:
(i) Designate in writing an employee or employees to coordinate the
information security program; \33\
---------------------------------------------------------------------------
\33\ See proposed paragraph (a)(3)(i) of Section 30. Of course,
the employee or employees designated to coordinate an institution's
information security program would need to have sufficient authority
and access to the institution's managers, officers and directors to
effectively implement the program and modify it as necessary.
---------------------------------------------------------------------------
(ii) Identify in writing reasonably foreseeable security risks that
could result in the unauthorized disclosure, misuse, alteration,
destruction or other compromise of personal information or personal
information systems; \34\
---------------------------------------------------------------------------
\34\ See proposed paragraph (a)(3)(ii) of Section 30. The term
``personal information system'' would mean any method used to
access, collect, store, use, transmit, protect or dispose of
personal information. See proposed paragraph (d)(9) of Section 30.
---------------------------------------------------------------------------
(iii) Design and document in writing and implement information
safeguards to control the identified risks; \35\
---------------------------------------------------------------------------
\35\ See proposed paragraph (a)(3)(iii) of Section 30.
---------------------------------------------------------------------------
(iv) Regularly test or otherwise monitor and document in writing
the effectiveness of the safeguards' key controls, systems, and
procedures, including the effectiveness of access controls on personal
information systems, controls to detect, prevent and respond to
attacks, or intrusions by unauthorized persons, and employee training
and supervision; \36\
---------------------------------------------------------------------------
\36\ See proposed paragraph (a)(3)(iv) of Section 30.
---------------------------------------------------------------------------
(v) Train staff to implement the information security program; \37\
---------------------------------------------------------------------------
\37\ See proposed paragraph (a)(3)(v) of Section 30.
---------------------------------------------------------------------------
(vi) Oversee service providers by taking reasonable steps to select
and retain service providers capable of maintaining appropriate
safeguards for the personal information at issue, and require service
providers by contract to implement and maintain appropriate safeguards
(and document such oversight in writing); \38\ and
---------------------------------------------------------------------------
\38\ See proposed paragraph (a)(3)(vi) of Section 30.
---------------------------------------------------------------------------
(vii) Evaluate and adjust their information security programs to
reflect the results of the testing and monitoring, relevant technology
changes, material changes to operations or business arrangements, and
any other circumstances that the institution knows or reasonably
believes may have a material impact on the program.\39\
---------------------------------------------------------------------------
\39\ See proposed paragraph (a)(3)(vii) of Section 30. This
requirement is similar to the requirement in the Banking Agencies'
Security Guidelines that institutions covered by those guidelines
monitor, evaluate, and adjust, as appropriate, their information
security program in light of any relevant changes in technology, the
sensitivity of their customer information, internal or external
threats to information, and their own changing business
arrangements, such as mergers and acquisitions, alliances and joint
ventures, outsourcing arrangements, and changes to customer
information systems. See supra note 23, Banking Agencies' Security
Guidelines, 66 FR at 8634, 8635-36, 8637, 8639, 8641. The ``material
impact'' standard in proposed paragraph (a)(3)(iii) is intended to
require adjustment of a covered institution's information security
program only when a reasonable coordinator of the program would
consider adjusting the program important in light of changing
circumstances.
---------------------------------------------------------------------------
The term ``service provider'' would mean any person or entity that
receives, maintains, processes, or otherwise is permitted access to
personal information through its provision of services directly to a
person subject to the rule.\40\ We understand that in large financial
complexes, a particular affiliate may be responsible for providing a
particular service for all affiliates in the complex. In that
circumstance, each financial institution subject to Regulation S-P
would be responsible for taking reasonable steps to ensure that the
service provider is capable of maintaining appropriate safeguards and
of overseeing the service provider's implementation, maintenance,
evaluation, and modifications of appropriate safeguards for the
institution's personal information. Under the proposed amendments, we
anticipate that a covered institution's reasonable steps to evaluate
the information safeguards of service providers could include the use
of a third-party review of those safeguards such as a Statement of
Auditing Standards No. 70 (``SAS 70'') report, a SysTrust report, or a
WebTrust report.\41\
---------------------------------------------------------------------------
\40\ See proposed paragraph (d)(11) of Section 30.
\41\ See Codification of Accounting Standards and Procedures,
Statement on Auditing Standards No. 70, Reports on Processing of
Transactions by Service Organizations (American Inst. of Certified
Public Accountants). See also description and comparison of these
reports at http://infotech.aicpa.org/Resources/
System+Security+and+Reliability/System+Reliability/
Principles+of+a+Reliable+System/
SAS+No+70+SysTrust+and+WebTrust+A+Comparison.htm.
---------------------------------------------------------------------------
We request comment on the proposed specific standards for
safeguarding personal information.
Would these standards provide sufficient direction to
institutions? Are there particular standards that should be more or
less prescriptive? For example, should institutions be required to
designate an employee or employees to coordinate the information
security program by name, or should institutions be permitted to make
these designations by position or office?
Would additional standards be appropriate or are certain
standards unnecessary? Should the proposed standards be modified to
more closely or less closely resemble standards prescribed by the
Banking Agencies or the FTC? For the securities industry, are there any
other standards that a well-designed information security program
should address? Are there any other standards that would provide more
flexibility to covered institutions?
We also invite comment on the proposed requirement that
entities assess the sufficiency of safeguards in place, to control
reasonably foreseeable risks. Should the rules include more detailed
standards and specifications for access controls? Should the
requirement specify factors such as those identified in the Banking
Agencies' guidance regarding authentication in an Internet banking
environment or include policies and procedures such as those in the
Banking Agencies and the FTC's proposed or final ``red flag''
requirements? \42\ For example, should we require that covered
institutions implement multifactor authentication, layered security, or
other controls for high-risk transactions involving access to customer
information or the movement of funds to third parties? Should we
require that covered institutions include in their information security
programs ``red flag'' elements
[[Page 13697]]
that would be relevant to detecting, preventing and mitigating identity
theft in connection with the opening of accounts or existing accounts,
or in connection with particular types of accounts associated with a
reasonably foreseeable risk of identity theft? Should we require that
covered institutions adopt policies and procedures for evaluating
changes of address followed closely by an account change or
transaction, or for processing address discrepancy notices from
consumer reporting agencies? If the rule were to include more detailed
standards and specifications for access controls, how should these
apply to business conducted by telephone?
---------------------------------------------------------------------------
\42\ See Authentication Guidance, Proposed Red Flag Guidance,
and Final Red Flag Rules, supra note 23. The Authentication Guidance
has been credited with helping to curtail online banking fraud, but
has been characterized as not adequately addressing authentication
in the context of telephone banking. See Daniel Wolfe, How New
Authentication Systems are Altering Fraud Picture, Amer. Banker
(Dec. 26, 2007).
---------------------------------------------------------------------------
Commenters are invited to discuss the proposed definition
of ``substantial harm or inconvenience.'' Are there circumstances that
commenters believe would create substantial harm or inconvenience to
individuals that would not meet the proposed definition? If so, how
should the definition be revised to address these circumstances?
Commenters are invited to discuss the proposed
requirements for written documentation of compliance with the proposed
safeguarding provisions.
Commenters are invited to discuss the proposed definition
of ``service provider.'' They also are invited to discuss whether, if
the proposed amendments are adopted, they should include or be
accompanied by guidance on the use of outside evaluations of third-
party service providers. For example, should the Commission provide
guidance similar to that provided by the FFIEC on the appropriate use
of SAS 70 reports in evaluating the information safeguards of service
providers? \43\
---------------------------------------------------------------------------
\43\ The FFIEC provided the following guidance on the use of SAS
70 reports in the oversight of third-party service providers
(``TSPs'') by financial institutions regulated by FFIEC member
agencies:
Financial institutions should ensure TSPs implement and maintain
controls sufficient to appropriately mitigate risk. In higher-risk
relationships the institution by contract may prescribe minimum
control and reporting standards, obtain the right to require changes
to standards as external and internal environments change, and
obtain access to the TSP for institution or independent third-party
evaluations of the TSP's performance against the standard. In lower
risk relationships the institution may prescribe the use of
standardized reports, such as trust services reports or a Statement
of Auditing Standards 70 (SAS 70) report.
* * * * *
Financial institutions should carefully and critically evaluate
whether a SAS 70 report adequately supports their oversight
responsibilities. The report may not provide a thorough test of
security controls and security monitoring unless requested by the
TSP. It may not address the effectiveness of the security process in
continually mitigating changing risks. Additionally, the SAS 70
report may not address whether the TSP is meeting the institution's
specific risk mitigation requirements. Therefore, the contracting
oversight exercised by financial institutions may require additional
tests, evaluations, and reports to appropriately oversee the
security program of the service provider.
FFIEC, FFIEC IT Examination Handbook, Information Security
Booklet--July 2006, at 77, 78 (available at http://www.ffiec.gov/
ffiecinfobase/booklets/information_security/information_
security.pdf).
---------------------------------------------------------------------------
2. Data Security Breach Response
Because of the potential for harm or inconvenience to individuals
when a data security breach occurs, we are proposing that information
security programs include procedures for responding to incidents of
unauthorized access to or use of personal information. These procedures
would include notice to affected individuals if misuse of sensitive
personal information has occurred or is reasonably possible. The
procedures would also include notice to the Commission (or for certain
broker-dealers, their designated examining authority \44\) under
circumstances in which an individual identified with the information
has suffered substantial harm or inconvenience or an unauthorized
person has intentionally obtained access to or used sensitive personal
information. The proposed rules that would require prompt notice of
information security breach incidents to individuals, as well as the
Commission or designated examining authorities, are intended to
facilitate swift and appropriate action to minimize the impact of the
security breach.
---------------------------------------------------------------------------
\44\ A broker-dealer's designated examining authority is the
self-regulatory organization (``SRO'') of which the broker-dealer is
a member, or, if the broker-dealer is a member of more than one SRO,
the SRO designated by the Commission pursuant to 17 CFR 240.17d-1 as
responsible for examination of the member for compliance with
applicable financial responsibility rules (including the
Commission's customer account protection rules at 17 CFR 240.15c3-
3).
---------------------------------------------------------------------------
The data security breach response provisions of the proposed
amendments include elements intended to provide firms in the securities
industry with detailed standards for responding to a breach so as to
protect against unauthorized use of compromised data. The proposed
standards would specify procedures a covered institution's information
security program would need to include. These procedures would be
required to be written to provide clarity for firm personnel and to
facilitate Commission and SRO examination and inspection. The proposed
standards are intended to ensure that covered institutions adopt plans
for responding to an information security breach incident so as to
minimize the risk of identity theft or other significant investor harm
or inconvenience from the incident. These proposed procedures also are
intended to be consistent with security breach notification guidelines
adopted by the Banking Agencies.\45\
---------------------------------------------------------------------------
\45\ See Banking Agencies' Incident Response Guidance, supra
note 23.
---------------------------------------------------------------------------
Under the proposed amendments, institutions subject to the rule
would be required to have written procedures to:
(i) Assess any incident involving unauthorized access or use, and
identify in writing what personal information systems and what types of
personal information may have been compromised; \46\
---------------------------------------------------------------------------
\46\ See proposed paragraph (a)(4)(i) of Section 30.
---------------------------------------------------------------------------
(ii) Take steps to contain and control the incident to prevent
further unauthorized access or use and document all such steps taken in
writing; \47\
---------------------------------------------------------------------------
\47\ See proposed paragraph (a)(4)(ii) of Section 30.
---------------------------------------------------------------------------
(iii) Promptly conduct a reasonable investigation and determine in
writing the likelihood that the information has been or will be misused
after the institution becomes aware of any unauthorized access to
sensitive personal information; \48\ and
---------------------------------------------------------------------------
\48\ See proposed paragraph (a)(4)(iii) of Section 30.
---------------------------------------------------------------------------
(iv) Notify individuals with whom the information is identified as
soon as possible (and document the provision of such notification in
writing) if the institution determines that misuse of the information
has occurred or is reasonably possible.\49\
---------------------------------------------------------------------------
\49\ See proposed paragraph (a)(4)(iv) of Section 30.
Notification could be delayed, however, if an appropriate law
enforcement agency determines that notification will interfere with
a criminal investigation and requests in writing a delay in
notification. We propose to require notification of individuals only
if misuse of the compromised information has occurred or is
reasonably possible to avoid requiring notification in circumstances
in which there is no significant risk of substantial harm or
inconvenience. If covered institutions were required to notify
individuals of every instance of unauthorized access or use, such as
if an employee accidentally opened and quickly closed an electronic
account record, individuals could receive an excessive number of
data breach notifications and become desensitized to incidents that
pose a real risk of identity theft.
---------------------------------------------------------------------------
We propose to define the term, ``sensitive personal information,''
to mean ``any personal information, or any combination of components of
personal information, that would allow an unauthorized person to use,
log into, or access an individual's account, or to establish a new
account using the individual's identifying information,'' including the
individual's Social Security number, or any one of the individual's
name, telephone number, street address, e-mail address, or online user
name, in combination with any one
[[Page 13698]]
of the individual's account number, credit or debit card number,
driver's license number, credit card expiration date or security code,
mother's maiden name, password, personal identification number,
biometric authentication record, or other authenticating
information.\50\ This definition is intended to cover the types of
information that would be most useful to an identity thief, and to
which unauthorized access would create a reasonable possibility of
substantial harm or inconvenience to an affected individual.
---------------------------------------------------------------------------
\50\ See proposed paragraph (d)(10) of Section 30.
---------------------------------------------------------------------------
The amendments also would require an institution to provide notice
to the Commission as soon as possible after the institution becomes
aware of any incident of unauthorized access to or use of personal
information in which there is a significant risk that an individual
identified with the information might suffer substantial harm or
inconvenience, or in which an unauthorized person has intentionally
obtained access to or used sensitive personal information.\51\ This
requirement would allow Commission and SRO investigators or examiners
to review the notices to determine if an immediate investigative or
examination response would be appropriate. In this regard, it is
crucial that institutions respond promptly to any follow-up requests
for records or information from our staff or the staff of the
designated examining authority.\52\ Under the proposed amendments, a
prompt response in accordance with existing Commission guidance on the
timely production of records would be particularly important in
circumstances involving ongoing misuse of sensitive personal
information.
---------------------------------------------------------------------------
\51\ See proposed paragraph (a)(4)(v) of Section 30.
\52\ See generally 15 U.S.C. 21(a) (investigative requests); 17
CFR 240.17a 4(j) (examinations of broker-dealers); 17 CFR 275.204-
2(g) (examinations of investment advisers).
---------------------------------------------------------------------------
The regulatory notification requirement in the Banking Agencies'
guidance requires a report to the appropriate regulator as soon as
possible after the institution becomes aware of an incident involving
unauthorized access to or use of sensitive customer information.\53\
Our proposed notice requirement differs from the Banking Agencies'
approach in that it would require notice to the Commission (or a
designated examining authority) when an incident of unauthorized access
to or use of personal information poses a significant risk that an
individual identified with the information might suffer substantial
harm or inconvenience, or in which an unauthorized person has
intentionally obtained access to or used sensitive personal
information. The proposed notice requirement is intended to avoid
notice to the Commission in every case of unauthorized access, and to
focus scrutiny on information security breaches that present a greater
potential likelihood for harm. We believe that this approach would help
conserve institutions', as well as the Commission's, administrative
resources by allowing minor incidents to be addressed in a way that is
commensurate with the risk they present. The information to be included
in the notice would allow the Commission or a broker-dealer's
designated examining authority to evaluate whether any legal action
against a would-be identity thief or other action is warranted in light
of the circumstances. A broker-dealer, other than a notice-registered
broker dealer, would be required to notify the appropriate designated
examining authority on proposed Form SP-30. An investment company or
registered investment adviser or transfer agent would be required to
notify the Commission on proposed Form SP-30.\54\
---------------------------------------------------------------------------
\53\ See Banking Agencies' Incident Response Guidance, supra
note 23, at 70 FR 15740-15741 (concluding that the Banking Agencies'
standard for notification to regulators should provide an early
warning to allow an institution's regulator to assess the
effectiveness of an institution's response plan, and, where
appropriate, to direct that notice be given to customers if the
institution has not already done so).
\54\ We anticipate that this form could be downloaded from our
Web site and would be required to be filed electronically with the
Registrations Branch in the Office of Compliance Inspections and
Examinations. While broker-dealers generally would file the form
with their designated examining authority rather than the
Commission, investment advisers that are dually registered with the
Commission as broker-dealers also would file with the Commission and
indicate their dual-registrant status on the form.
---------------------------------------------------------------------------
Proposed Form SP-30 would require the institution to disclose
information that the Commission (or the designated examining authority)
needs to understand the nature of the unauthorized access or misuse of
personal information and the institution's intended response to the
incident.\55\ Accordingly, in addition to identifying and contact
information for the covered institution, the form would request a
description of the incident, when it occurred and what offices or parts
of the registrant's business were affected. The form also would require
disclosure of any third-party service providers that were involved, the
type of services provided and, if the service provider is an affiliate,
the nature of the affiliation. This information would help examiners to
assess the information security policies and procedures of the service
provider. In addition, the form would require a description of any
customer account losses.
---------------------------------------------------------------------------
\55\ See proposed Form SP-30. Information submitted to the
Commission on the form would be accorded confidential treatment to
the extent permitted by law. See, e.g., 17 CFR 200.83. We realize
that the full amount of losses may not be known at the time an
information security breach is discovered, but we would expect
covered institutions to make a good faith effort to complete the
proposed form to the extent possible.
---------------------------------------------------------------------------
Under the proposed amendments, if a covered institution determined
that an unauthorized person had obtained access to or used sensitive
personal information, and that misuse of the information had occurred
or was reasonably possible, the institution also would be required to
provide notification, in a clear and conspicuous manner, to each
individual identified with the information.\56\ The proposed
requirements for notices to individuals are intended to give investors
information that would help them protect themselves against identity
theft. They also are intended to be consistent with similar
requirements in the Banking Agencies' Incident Response Guidance.\57\
---------------------------------------------------------------------------
\56\ See proposed paragraph (a)(5) of Section 30.
\57\ See Banking Agencies' Incident Response Guidance, supra
note 23.
---------------------------------------------------------------------------
The notices to affected individuals that would be required by the
proposed amendments would have to:
(i) Describe the incident and the type of information that was
compromised, and what was done to protect the individual's information
from further unauthorized access or use; \58\
---------------------------------------------------------------------------
\58\ See proposed paragraphs (a)(5)(i) and (a)(5)(ii) of Section
30.
---------------------------------------------------------------------------
(ii) Include a toll-free telephone number or other contact
information for further information and assistance from the
institution; \59\
---------------------------------------------------------------------------
\59\ See proposed paragraph (a)(5)(iii) of Section 30.
---------------------------------------------------------------------------
(iii) Recommend that the individual review account statements and
immediately report any suspicious activity to the institution; \60\ and
---------------------------------------------------------------------------
\60\ See proposed paragraphs (a)(5)(iv) and (a)(5)(v) of Section
30.
---------------------------------------------------------------------------
(iv) Include information about FTC guidance regarding the steps an
individual can take to protect against identity theft, a statement
encouraging the individual to report any incidents of identity theft to
the FTC, and the FTC's Web site address and toll-free telephone number
for obtaining identity theft guidance and reporting suspected incidents
of identity theft.\61\
---------------------------------------------------------------------------
\61\ See proposed paragraph (a)(5)(vi) of Section 30.
---------------------------------------------------------------------------
[[Page 13699]]
We request comment on the proposed specific standards relating to
incidents of unauthorized access to or misuse of personal information.
Commenters are invited to discuss the proposed
requirements for procedures for responding to incidents of unauthorized
access to or use of personal information. Are there any particular
steps that may not be necessary, or not necessary in all situations?
Are there any other steps that could be taken in response to a security
breach that also should be required in some or all situations?
We request comment on the proposed provisions regarding
procedures for notifying the Commission (or a broker-dealer's
designated examining authority) of incidents in which an individual
identified with compromised information has suffered substantial harm
or inconvenience, or an unauthorized person has intentionally obtained
access to or used sensitive personal information.
For example, should firms be required to provide notice
only if the information compromised in an incident is identified with a
certain number of individuals? Should the rule include a numerical or
other threshold for when notice to the Commission (or to a broker-
dealer's designated examining authority) is required? If so, how would
a threshold work for smaller institutions that may be far more likely
than larger institutions to meet the threshold? Will the proposed
standard provide a sufficient early warning to the Commission, or
should the Commission broaden the circumstances under which notices
would be required to be provided to the Commission (or to a broker-
dealer's designated examining authority), such as the standard adopted
by the Banking Agencies? Commenters should explain their views.
Is the proposed definition of ``sensitive personal
information'' sufficient? Are there particular types of information
that should or should not be included?
We request comment on proposed Form SP-30. Is the form
easy to understand and use? For example, is the form clear, or would
additional guidance, such as instructions or further explanation of
particular questions or terms be helpful? Would it be easier or more
cost-effective for firms if the rule specified the information they are
required to provide rather than provide a form? Would the form be more
useful if it were in a tabular format? Commenters should be specific
regarding changes they believe should be made to the content or format
of the proposed form.
Similarly, we invite comment on the proposed provisions
regarding procedures for notifying individuals of incidents of
unauthorized use or access if an institution determines that an
unauthorized person has obtained access to or used the information and
that misuse of sensitive personal information has occurred or is
reasonably possible. Is the information in the proposed notice to
individuals appropriate? Is there additional information that
institutions should include, or information, proposed to be included,
that should be eliminated? Is the proposed threshold for notice
appropriate? If not, are there alternative thresholds for notice to
individuals that would be more appropriate? If so, commenters should
explain their views.
Commenters are invited to discuss the proposed
requirements for written documentation of compliance with the proposed
incident response provisions.
B. Scope of the Safeguards and Disposal Rules
1. Information Covered by the Safeguards and Disposal Rules
The Commission adopted the safeguards and disposal rules at
different times under different statutes--respectively, the GLBA and
the FACT Act--that differ in the scope of information they cover. As
noted above, Regulation S-P implements the GLBA privacy provisions
governing requirements for notice and opt out before an institution can
share certain information with nonaffiliates and for safeguarding
information. The regulation's notice and opt out provisions limit
institutions from sharing ``nonpublic personal information'' about
consumers and customers as defined in the GLBA and in Regulation S-P,
with nonaffiliated third parties.\62\ As required under the GLBA, the
safeguards rule requires covered institutions to maintain written
policies and procedures to protect ``customer records and
information,'' \63\ which is not defined in the GLBA or in Regulation
S-P. The disposal rule requires institutions to properly dispose of
``consumer report information,'' a third term, which Regulation S-P
defines consistent with the FACT Act provisions.\64\ Each of these
terms includes a different set of information, although the terms
include some of the same information.\65\ Each term also does not
include some information that, if obtained by an unauthorized user,
could permit access to personal financial information about an
institution's customers. We preliminarily believe that in order to
provide better protection against the unauthorized disclosure of this
personal financial information, the scope of information protected by
both the safeguards rule and the disposal rule should be broader.
Broadening the scope of information covered by the safeguards and
disposal rules would more appropriately implement Section 525 of the
GLBA. Section 525 directs the Commission to revise its regulations as
necessary to ensure that covered institutions have policies,
procedures, and controls in place to prevent the unauthorized
disclosure of ``customer financial information.'' Section 521 of Title
V of the GLBA prohibits persons from obtaining or requesting a person
to obtain, customer information by making false or fraudulent
statements to an officer, employee, agent, or customer of a financial
institution.\66\ In furtherance of these prohibitions, the GLBA directs
the Commission and the other federal financial regulators to review
their regulations and to revise them as necessary to ensure that
financial institutions have policies, procedures and controls in place
to prevent the unauthorized disclosure of ``customer financial
information'' and to deter and detect the activity described in Section
521.\67\ Applying both the safeguards and disposal rules to a
consistent set of information also could reduce any burden that may
have been created by the application of the safeguards and disposal
rules to different information.\68\
---------------------------------------------------------------------------
\62\ See 15 U.S.C. 6802(a), (b). ``Nonpublic personal
information'' is generally defined in the GLBA and Regulation S-P as
encompassing personally identifiable financial information, as well
as any list, description, or other grouping of consumers (and
publicly available information pertaining to them) derived using any
personally identifiable financial information that is not publicly
available, subject to certain exceptions. See 15 U.S.C. 6809(4); 17
CFR 248.3(t) and 248.3(u). See supra note 12 for a discussion of the
notice and opt out provisions.
\63\ See 17 CFR 248.30; 15 U.S.C. 6801(b)(1).
\64\ 17 CFR 248.30(b)(2). Section 628(a)(1) of the FCRA directed
the Commission to adopt rules requiring the proper disposal of
``consumer information, or any compilation of consumer information,
derived from consumer reports for a business purpose.'' 15 U.S.C.
1681w(a)(1). Regulation S-P uses the term ``consumer report
information'' and defines it to mean a record in any form about an
individual ``that is a consumer report or is derived from a consumer
report.'' 17 CFR 248.30(b)(1)(ii). ``Consumer report'' has the same
meaning as in Section 603(d) of the Fair Credit Reporting Act (15
U.S.C. 1681(d)). 17 CFR 248.30(b)(1)(i).
\65\ See Disposal Rule Adopting Release, supra note 15, at 69 FR
71323 n.13.
\66\ See 15 U.S.C. 6821(a), (b).
\67\ See 15 U.S.C. 6825.
\68\ See David Annecharico, Note, Online Transactions: Squaring
the Gramm-Leach-Bliley Act Privacy Provisions With the FTC Fair
Information Practice Principles, 6 N.C. Banking Inst. 637, 662
(2002), available at http://www.unc.edu/ncbank/
Articles%20and%20Notes%20PDFs/Volume%206/DavidAnnecharico%5Bpp637-
664%5D.pdf (``To require financial institutions to treat the
security of consumer information on par with customer information
may be cost effective and efficient. It could merely mean storing
consumer information within the already mandated secure storage
systems that are being used to store customer information.'').
---------------------------------------------------------------------------
[[Page 13700]]
Accordingly, we propose to amend the safeguards and disposal rules
so that both protect ``personal information,'' and to define that term
to encompass any record containing either ``nonpublic personal
information'' or ``consumer report information.'' \69\ As noted above,
each of these terms is defined in Regulation S-P.\70\ The term
``consumer report information'' would continue to mean any record about
an individual, whether in paper, electronic or other form, that is a
consumer report or is derived from a consumer report, as well as a
compilation of such records, but not including information that does
not identify individuals, such as aggregate information or blind
data.\71\ The proposed amendments would leave the meaning of the term
``consumer report'' unchanged from the definition set forth in Section
603(d) of the FCRA.\72\ Section 603(d) defines ``consumer report'' in
general as encompassing communications of information by a consumer
reporting agency bearing on a consumer's creditworthiness, credit
standing, reputation or particular other factors used in connection
with establishing the consumer's eligibility for credit or insurance,
or for employment purposes or other authorized purposes, subject to
certain exclusions.\73\
---------------------------------------------------------------------------
\69\ Proposed paragraph (d)(8) of Section 30.
\70\ See 17 CFR 248.3(t)(1) (definition of ``nonpublic personal
information''); 17 CFR 248.30(b)(ii) (definition of ``consumer
report information'').
\71\ See proposed paragraph (c)(4) of Section 30 and current
paragraph (b)(ii) of Section 30 (definition governing current
disposal requirements).
\72\ See proposed paragraph (d)(3) of Section 30.
\73\ See 15 U.S.C. 1681a(d).
---------------------------------------------------------------------------
In addition to nonpublic personal information and consumer report
information, ``personal information'' also would include information
identified with any consumer, or with any employee, investor, or
securityholder who is a natural person,\74\ in paper, electronic or
other form, that is handled by the institution or maintained on the
institution's behalf.\75\ Thus, for example, the definition would
include records of employee user names and passwords maintained by a
brokerage firm, and records about securityholders maintained by a
transfer agent. We believe safeguarding employee user names and
passwords promotes information security because unauthorized access to
this information could facilitate unauthorized access to a firm's
network and its clients' personal information.\76\ Safeguarding
information about investors and securityholders, such as maintained by
registered transfer agents, is necessary to protect investors who may,
directly or indirectly, do business with the Commission's regulated
entities even though they may not be ``consumers'' or ``customers'' of
those entities as those terms are defined for purposes of Regulation S-
P.\77\ We also propose to make a conforming change to the definition of
``personally identifiable financial information'' by including within
the definition information that is handled or maintained by a covered
institution or on its behalf, and that is identified with any consumer,
or with any employee, investor, or securityholder who is a natural
person.\78\ We preliminarily believe that this change would be
appropriate in the public interest and for the protection of investors
because it would help protect information identified with an investor
who may not be a ``consumer'' or ``customer'' of a covered institution.
---------------------------------------------------------------------------
\74\ This element of the definition would exclude information
identified only with persons other than natural persons, such as
corporations. The GLBA limits the protections provided under
subtitle A of the privacy provisions to ``consumers,'' who are
individuals who obtain from a financial institution financial
products or services to be used for personal, family or household
purposes. 15 U.S.C. 6809(9). The FACT Act defines a ``consumer'' to
mean an individual. 15 U.S.C. 1681a(c).
\75\ See proposed paragraph (d)(8) of Section 30.
\76\ See supra note 17 and accompanying text.
\77\ As discussed supra at note 7, Regulation S-P defines the
terms ``consumer'' and ``customer'' at 17 CFR 248.3(g) and 248.3(j),
respectively.
\78\ See proposed new paragraph (u)(1)(iv) of Section 3. The
proposed amendments also would include technical, conforming changes
to references to Section 30 in Sections 1(b) and 2(b) of Regulation
S-P.
---------------------------------------------------------------------------
To better protect investors'' and securityholders' information from
unauthorized disclosure, the proposed amendments would apply the
safeguards and disposal rules to nonpublic personal information or
consumer report information that is identified with any individual
consumer, employee, investor or securityholder and handled or
maintained by or on behalf of the institution. The proposal to include
personal information and consumer report information about employees of
covered institutions is intended to reduce the risk that a would-be
identity thief could access investor information by impersonating an
employee or employing ``social engineering'' techniques or bribery.
Including consumer report information within the definition of
``personal information'' (to which the safeguards rule would apply)
would be consistent with the congressional intent behind making
consumer report information subject to the disposal requirements set
forth in the FACT Act.\79\ Furthermore, the proposed scope of
protection appears to be consistent with the practices of many covered
institutions that currently protect employee information, consumer
report information, and nonpublic personal information about consumers
and customers in the same manner.\80\
---------------------------------------------------------------------------
\79\ The disposal rule was intended to reduce the risk of fraud
or related crimes, including identity theft, by ensuring that
records containing sensitive financial or personal information are
appropriately redacted or destroyed before being discarded. See 108
Cong. Rec. S13,889 (Nov. 4, 2003) (statement of Sen. Nelson).
\80\ Based on our staff's informal discussions with industry
representatives about Regulation S-P issues, as well as the
estimated costs and benefits of the proposed amendments we believe
that many covered institutions currently protect both kinds of
information in the same way out of prudence and for reasons of
operational efficiency. See infra section V.B.
---------------------------------------------------------------------------
We invite comment on the proposed definition of ``personal
information.''
Should the safeguards rule extend to consumer report
information that is not nonpublic personal information?
Should the disposal rule extend to nonpublic personal
information that is not consumer report information?
To what extent do institutions currently take the same
measures in disposing of consumer report information, customer records
and information, nonpublic personal information about consumers and
customers, and information other than consumer report information that
is identified with employees, investors, or securityholders who are not
consumers or customers? To the extent that measures are different, what
is the basis for those differences?
Is the proposed definition of ``personal information,''
which includes all records containing either consumer report
information or nonpublic personal information, broad enough to
encompass the information that needs to be protected? If not, how
should we expand the definition? Are there any aspects of the proposed
definition that, in the context of the information security
requirements discussed below, may be over-inclusive with regard to
particular types of entities? If so, how should we tailor the
definition?
The proposed definition of ``personal information''
encompasses
[[Page 13701]]
information identified with any consumer, or with any employee,
investor, or securityholder who is a natural person. Are there any
other persons whose information should be protected under the
safeguards rule, or should the safeguards rule cover only information
identified with individuals who are customers of a financial
institution?
Should the proposed definition of ``personal information''
be expanded to include information identified with non-natural persons,
such as corporate clients? Commenters should explain their views.
2. Institutions Covered by the Safeguards Rule
As discussed above, the safeguards rule currently applies to
brokers, dealers, registered investment advisers, and investment
companies. The disposal rule currently applies to those entities as
well as to registered transfer agents. We propose to extend the
safeguards rule to apply to registered transfer agents.\81\ These
institutions, like those currently subject to both the safeguards and
disposal rules, may maintain personal information such as Social
Security numbers, account numbers, passwords, account balances, and
records of securities transactions and positions. Unauthorized access
to or misuse of such information could result in substantial harm and
inconvenience to the individuals identified with the information. The
proposed amendments thus would require that covered institutions that
may receive personal information in the course of effecting, processing
or otherwise supporting securities transactions must protect that
information by maintaining appropriate safeguards in addition to taking
measures to properly dispose of the information.\82\ Registered
transfer agents may maintain sensitive personal information about
investors, the unauthorized access to or use of which could cause
investors substantial inconvenience or harm. Therefore, we
preliminarily believe that extending the safeguards rule to registered
transfer agents would be appropriate in the public interest and for the
protection of investors.\83\
---------------------------------------------------------------------------
\81\ The term ``transfer agent'' would be defined by proposed
paragraph (d)(14) of Section 30 to have the same meaning as in
Section 3(a)(25) of the Exchange Act (15 U.S.C. 78c(a)(25)).
As discussed below, we also propose to extend the disposal rule
to associated persons of broker-dealers, supervised persons of
registered investment advisers, and associated persons of registered
transfer agents.
\82\ The proposed definition of ``personal information'' would
include information about individual investors maintained by
registered transfer agents even though transfer agents typically do
not have consumers or customers for purposes of Regulation S-P
because their clients generally are not individuals, but are the
companies in which investors, including individuals, hold shares.
\83\ Under Section 17A of the Exchange Act (15 U.S.C. 78q-1) the
Commission has authority to prescribe rules and regulations for
transfer agents as necessary or appropriate in the public interest,
for the protection of investors, or otherwise in furtherance of the
purposes of Title I of the Exchange Act.
---------------------------------------------------------------------------
The proposed amendments also would limit the scope of broker-
dealers covered by the safeguards rule to brokers or dealers other than
those registered by notice with the Commission under Section 15(b)(11)
of the Exchange Act.\84\ Notice-registered broker-dealers must comply
with the privacy rules, including rules requiring the safeguarding of
customer records and information, adopted by the CFTC.\85\ Excluding
notice-registered broker-dealers from the scope of the Commission's
safeguards rule would clarify that both sets of rules do not apply to
notice-registered broker-dealers, and that the CFTC would have primary
responsibility for oversight of those broker-dealers in this area.
---------------------------------------------------------------------------
\84\ Proposed paragraph (a)(1) of Section 30. See 15 U.S.C.
78o(b)(11). The Commodity Futures Modernization Act of 2000
established a system of notice registration under which trading
facilities and intermediaries that are already registered with
either the Commission or the CFTC may register with the other agency
on an expedited basis for the limited purpose of trading security
futures products. Under the substituted compliance provision in
Section 2(b) of Regulation S-P (17 CFR 248.2(b)), CFTC-regulated
futures commission merchants and introducing brokers that are
registered by notice with the Commission and in compliance with the
financial privacy rules of the CFTC are deemed to be in compliance
with Regulation S-P, except with respect to Regulation S-P's
disposal rule (currently 17 CFR 248.30(b)). Notice-registered
broker-dealers are already excluded from the scope of the disposal
rule.
\85\ See 17 CFR 160.30.
---------------------------------------------------------------------------
We seek comment on the proposed scope of the safeguards rule.
Should registered transfer agents be subject to the
safeguards rule? To what extent are registered transfer agents expected
to possess, or lack, the type of information that could be used to
commit identity theft or otherwise cause individuals substantial harm
or inconvenience? \86\ Are there special issues that registered
transfer agents might have in implementing or meeting the requirements
of the safeguards rule?
---------------------------------------------------------------------------
\86\ Such information could include address and account
information used to disseminate shareholder communications and
dividend and interest payments, as well as information collected
pursuant to Rule 17Ad-17 under the Exchange Act (17 CFR 240.17Ad-
17), which requires transfer agents registered with the Commission
to use taxpayer identification numbers or names to search databases
for addresses of lost securityholders.
---------------------------------------------------------------------------
Should the Commission propose to extend the safeguards and
disposal rules to self-regulatory organizations or other types of
institutions in the securities industry? If so, which ones?
Should notice-registered broker-dealers be excluded from
the scope of the proposed amended safeguards rule? If not, why not?
3. Persons Covered by the Disposal Rule
As noted above, the disposal rule currently applies to broker-
dealers, investment companies, registered investment advisers and
registered transfer agents. We propose to extend the disposal rule to
apply to natural persons who are associated persons of a broker or
dealer, supervised persons of a registered investment adviser, and
associated persons of a registered transfer agent.\87\ As noted above,
we have become concerned that some of these persons, who may work in
branches far from the registered entity's main office, may not dispose
of sensitive personal financial information consistent with the
registered entity's disposal policies. The proposal is intended to make
persons associated with a covered institution directly responsible for
properly disposing of personal information consistent with the
institution's policies.
---------------------------------------------------------------------------
\87\ See proposed paragraph (b)(1) of Section 30. The term
``associated person of a broker or dealer'' would be defined by
proposed paragraph (d)(1) of Section 30 to have the same meaning as
in Section 3(a)(18) of the Exchange Act (15 U.S.C. 78c(a)(18)). The
term ``supervised person of an investment adviser'' would be defined
by proposed paragraph (d)(13) of Section 30 to have the same meaning
as in Section 202(a)(25) of the Investment Advisers Act of (15
U.S.C. 80b-2(a)(25)). We are proposing to include ``supervised''
persons of an investment adviser, rather than ``associated'' persons
in order to include all employees, including clerical employees, of
an investment adviser who may be responsible for disposing of
personal information. See 15 U.S.C. 80b-2(a)(17) (defining term
``person associated with an investment adviser'' not to include
associated persons whose functions are clerical or ministerial).
This approach is intended to cover the same range of employees as
investment advisers, broker-dealers, and registered transfer agents.
The term ``associated person of a transfer agent'' would be defined
by proposed paragraph (d)(2) of Section 30 to have the same meaning
as in Section 3(a)(49) of the Exchange Act (15 U.S.C. 78c(a)(49).
An additional proposed extension to the scope of the disposal
rule is discussed below. See infra section II.B.
---------------------------------------------------------------------------
We request comment on the proposed extension of the scope
of the disposal rule to apply to natural persons who are associated
with broker-dealers, supervised persons of registered investment
advisers, or who are associated persons of registered transfer agents.
Are there alternative ways of helping to ensure that these
persons would follow the covered institution's disposal policies and
properly dispose of personal information?
[[Page 13702]]
C. Records of Compliance
We further propose to amend Regulation S-P to require institutions
subject to the safeguards and disposal rules to make and preserve
written records of their safeguards and disposal policies and
procedures. We also propose to require that institutions document that
they have complied with the elements required to develop, maintain and
implement these policies and procedures for protecting and disposing of
personal information, including procedures relating to incidents of
unauthorized access to or misuse of personal information. These records
would help institutions assess their policies and procedures
internally, and help examiners to monitor compliance with the
requirements of the amended rules. The periods of time for which the
records would have to be preserved would vary by institution, because
the requirements would be consistent with existing recordkeeping rules,
beginning with when the records were made, and, for records of written
policies and procedures, after any change in the policies or procedures
they document.\88\ Broker-dealers would have to preserve the records
for a period of not less than three years, the first two years in an
easily accessible place. Registered transfer agents would have to
preserve the records for a period of not less than two years, the first
year in an easily accessible place. Investment companies would have to
preserve the records for a period not less than six years, the first
two years in an easily accessible place. Registered investment advisers
would have to preserve the records for five years, the first two years
in an appropriate office of the investment adviser. We believe that
these proposed recordkeeping provisions, while varying among covered
institutions, would all result in the maintenance of the proposed
records for sufficiently long periods of time and in locations in which
they would be useful to examiners. Moreover, we do not believe that
shorter or longer maintenance periods would be warranted by any
difference between the proposed records and other records that covered
institutions currently must maintain for these lengths of time. We also
believe that conforming the proposed retention periods to existing
requirements would allow covered institutions to minimize their
compliance costs by integrating the proposed requirements into their
existing recordkeeping systems.\89\
---------------------------------------------------------------------------
\88\ See proposed paragraph (c) of Section 30.
\89\ See 17 CFR 240.17a-4(b); 240.17Ad-7(b); 270.31a-2(a)(4)-
(6); 275.204-2(e)(1).
---------------------------------------------------------------------------
We request comment on the proposed requirements for making and
retaining records.
Are the proposed periods of time for preserving the
records appropriate, or should certain records be preserved for
different periods of time?
Would the costs associated with preserving records for
periods of time consistent with covered institutions' other
recordkeeping requirements be less than they would be if all
institutions were required to keep these records for the same period of
time?
D. Exception for Limited Information Disclosure When Personnel Leave
Their Firms
Finally, we propose to amend Regulation S-P to add a new exception
from the notice and opt out requirements to permit limited disclosures
of investor information when a registered representative of a broker-
dealer or a supervised person of a registered investment adviser moves
from one brokerage or advisory firm to another. The proposed exception
is intended to allow firms with departing representatives to share
limited customer information with the representatives' new firms that
could be used to contact clients and offer them a choice about whether
to follow a representative to the new firm. At many firms,
representatives develop close professional and personal relationships
with investors over time. Representatives at such firms likely remember
the basic contact information for their clients or have recorded it in
their own personal records. Some firms discourage departing
representatives from soliciting clients to move to another firm, while
others do not. At any firm, departing representatives may have a strong
incentive to transfer as much customer information as possible to their
new firms, and it has been brought to our attention that, at some
firms, information may have been transferred without adequate
supervision, in contradiction of privacy notices provided to customers,
or potentially in violation of Regulation S-P.\90\
---------------------------------------------------------------------------
\90\ See, e.g., In re NEXT Financial Group, Inc., supra note 16.
---------------------------------------------------------------------------
The proposed exception is designed to provide an orderly framework
under which firms with departing representatives could share certain
limited customer contact information and could supervise the
information transfer.\91\ The proposed exception would permit one firm
to disclose to another only the following information: the customer's
name, a general description of the type of account and products held by
the customer, and contact information, including address, telephone
number and e-mail information.\92\ We propose to include this
particular information as it would be useful for a representative
seeking to maintain contact with investors, but appears unlikely to put
an investor at serious risk of identity theft. It also is the type of
information an investor would expect a representative to remember.
Broker-dealers and registered investment advisers seeking to rely on
the exception would have to require their departing representatives to
provide to them, not later than the representative's separation from
employment, a written record of the information that would be disclosed
pursuant to the exception, and broker-dealers and registered investment
advisers would be required to preserve such records consistent with the
proposed recordkeeping provisions of Section 30.\93\ This condition is
intended
[[Page 13703]]
to help ensure that firms relying on the exception are appropriately
accounting for the information they are disclosing in connection with
departures of their representatives.\94\
---------------------------------------------------------------------------
\91\ In 2004, certain large broker-dealers entered into a
protocol under which signatories agreed not to sue one another for
recruiting one another's registered representatives, if the
representatives take only limited client information to another
participating firm. The initial signatories, Citigroup Global
Markets/Smith Barney, Merrill Lynch, and UBS Financial Services,
were joined more recently by Raymond James, Wachovia Securities and
others.
We understand that, under the protocol, the information that a
departing representative may take to another firm is limited to each
client's name, address, a general description of the type of account
and products held by the client, and the client's phone number and
e-mail address. This information may be used at the representative's
new firm only by the representative, and only for the purpose of
soliciting the representative's former clients.
We further understand that there may be some confusion in the
securities industry regarding what information may be disclosed to a
departing representative's new firm consistent with the limitations
in Regulation S-P, and that at times these limitations may cause
inconvenience to investors. NASD (now consolidated into FINRA)
issued guidance to its member firms regarding the permissible and
impermissible use of ``negative response letters'' for bulk
transfers of customer accounts and changes in the broker-dealer of
record on certain types of accounts (see NASD NtM 04-72 (Oct. 2004);
NtM 02-57 (Sept. 2002)). More recently, FINRA issued guidance
relating to Regulation S-P in the context special considerations
firms should use to supervise recommendations of newly associated
registered representatives to replace mutual funds and variable
products). See FINRA, Regulatory Notice 07-36, available at http://
www.finra.org/web/groups/rules_regs/documents/notice_to_members/
p036445.pdf. However, our staff reports that scenarios involving
representatives moving from one firm to another continue to create
uncertainty regarding firms' obligations under Regulation S-P.
\92\ See proposed paragraph (a)(8)(i) of Section 15.
\93\ See proposed paragraph (a)(8)(iii) of Section 15 and
proposed paragraph (c) of Section 30. For purposes of the proposed
exception, the term ``representative'' would be defined to mean a
natural person associated with a broker or dealer registered with
the Commission, who is registered or approved in compliance with 17
CFR 240.15b7-1, or a supervised person of an investment adviser as
defined in Section 202(a)(25) of the Investment Advisers Act. See
proposed paragraph (a)(8)(iv) of Section 15.
\94\ Most firms seeking to rely on the proposed exception would
not need to revise their GLBA privacy notices because they already
state in the notices that their disclosures of information not
specifically described include disclosures permitted by law, which
would include disclosures made pursuant to the proposed exception
and the other exceptions provided in Section 15 of Regulation S-P.
---------------------------------------------------------------------------
The exception would be subject to conditions that are designed to
limit the potential that the information would result in identity theft
or other abuses. The shared information could not include any
customer's account number, Social Security number, or securities
positions.\95\ A representative would not need this type of information
to contact investors, although it would be useful to an identity thief,
and an investor probably would not expect a representative to remember
it. In addition, a representative could solicit only an institution's
customers that were the representative's clients. This condition
recognizes that an investor might expect to be contacted by a
representative with whom the investor has done business before, but not
by another person at the representative's new firm.\96\
---------------------------------------------------------------------------
\95\ See proposed paragraph (a)(8)(ii) of Section 15.
\96\ See proposed paragraph (a)(8)(i) of Section 15 (permitting
a representative to solicit customers to whom the representative
personally provided a financial product or service on behalf of the
institution).
---------------------------------------------------------------------------
As noted above, the proposed exception is designed to facilitate
the transfer of client contact information that would help broker-
dealers and registered investment advisers offer clients the choice of
following a departing representative to a new firm. At firms that
choose to rely on it, the proposed exception also should reduce
potential incentives some representatives may have to take information
with them secretly when they leave. By specifically limiting the types
of information that could be disclosed to the representative's new
firm, the proposed amendments are designed to help firms safeguard more
sensitive client information. This limitation also would clarify that a
firm may not require or expect a representative from another firm to
bring more information than necessary for the representative to solicit
former clients. Because the proposed exception is designed to promote
investor choice, provide legal certainty, and reduce potential
incentives for improper disclosures, we preliminarily believe that it
would be necessary or appropriate in the public interest, and is
consistent with the protection of investors.
The proposed exception would not limit the disclosure of additional
information to a new firm pursuant to a customer's consent or
direction.\97\ It also would not preclude the disclosure of additional
information required in connection with the transfer of a customer's
account.\98\ Depending on its business organization, its policies
regarding departing representatives and the circumstances of a
representative's departure, a firm could choose to rely on existing
exceptions rather than the proposed new exception.\99\ The proposed
exception is designed to allow firms that choose to share limited
contact information to do so. The proposed exception would not,
however, affect firm policies that prohibit the transfer of any
customer information other than at the customer's specific direction.
---------------------------------------------------------------------------
\97\ For example, if an investor chooses to move his or her
business to the representative's new firm, he or she may consent to
having the original firm disclose additional information about the
customer's account to the representative's new firm without the firm
first having to provide the customer with an opt out. See 17 CFR
248.15(a)(1).
\98\ If an investor requests or authorizes the transfer of his
or her account from the representative's old firm to the
representative's new firm, the old firm may disclose additional
information as necessary to effect the account transfer. See 17 CFR
248.14(a)(1) and 248.14(b)(2)(vi)(B). The exception also would not
preclude the disclosure of additional information about the investor
if the firm has provided the investor with a privacy notice
describing the disclosure and given the investor a reasonable
opportunity to opt out of the disclosure, and the customer has not
opted out. See 17 CFR 248.10. Thus, covered institutions that wish
to disclose an investor's nonpublic personal information to a
departing representative's new firm without relying on the proposed
new exception or without first obtaining consent from the investor
to the disclosure or to an account transfer could revise their
privacy notices to describe disclosures the firm would make in the
context of a representative's move to another broker-dealer or
registered investment adviser.
\99\ See 17 CFR 248.14, 248.15.
---------------------------------------------------------------------------
We have chosen to propose this approach as opposed to an
alternative approach that would require all firms to include specific
notice and opportunity to opt out of this information sharing in their
initial and annual privacy notices. Under this alternative, a broker-
dealer or registered investment adviser's privacy notice would have to
provide specific disclosure regarding the circumstances under which the
broker-dealer or adviser would share customer information with another
firm when a registered representative or supervised person leaves. We
have chosen this approach because, as indicated earlier, many
representatives develop close professional and personal relationships
with investors. They are likely to remember basic contact information
for their clients or have recorded it in their own personal records,
and investors would expect representatives to have this information.
This type of limited contact information is unlikely to put investors
at serious risk of identity theft. Also, we believe that a description
of disclosures to a departing representative's new firm would be
difficult to distinguish from the description of disclosures made for
the purpose of third-party marketing and would further complicate
already complex privacy notices.
Commenters are invited to discuss the proposed new
exception. Would it permit the transfer of contact information so as to
promote investor choice and convenience? Would it foreclose the
transfer of particularly sensitive information that, if misused, could
lead to identity theft? Should the transfer of customer contact
information be conditioned on the broker-dealer or registered
investment adviser receiving the information certifying to the sharing
institution that it complies with the safeguards and disposal rules?
We also invite commenters to share their views on the
likely effect of the proposed new exception on competition in
recruiting broker-dealer and investment adviser representatives. Are
there alternative approaches that would both protect investor
information and not unduly restrict the transfer of representatives
from one firm to another?
We seek comment on potential alternative approaches,
including requiring specific disclosure. Are investors, particularly
new clients to a firm, likely to understand disclosures about
information that would be given to a departing representative's new
firm in initial or annual privacy notices? \100\ Should the
availability of the proposed exemption be conditioned on providing
investors with specific disclosure regarding whether a covered
institution would disclose personal information in connection with a
representative's departure?
---------------------------------------------------------------------------
\100\ We expect that if the Banking Agencies, the FTC and the
Commission were to adopt the proposed model privacy form, see
Interagency Model Privacy Form Proposal, supra note 12, the
description of the disclosure to a nonaffiliated firm could be
included on page 2 of the proposed form in the section defining
nonaffiliates.
---------------------------------------------------------------------------
The proposed exception would permit broker-dealers and
registered investment advisers to transfer limited
[[Page 13704]]
information to other broker-dealers and registered investment advisers
without first providing notice and opt out. Should we make the proposed
exception available for information transferred to other types of
financial institutions where a departing representative may go? For
example, should we permit broker-dealers and registered investment
advisers to rely on the exception to share information with investment
advisers that are not registered with the Commission?
Commenters are invited to express their views on the
proposed exemption's condition that a departing representative of a
covered institution relying on this exemption could solicit only the
institution's customers that were the representative's clients.
III. General Request for Comments
We request comment on all aspects of the proposed amendments to
Regulation S-P. We particularly urge commenters to suggest other
provisions or changes that could enhance the ways in which securities
industry participants protect personal information. We encourage
commenters to provide empirical data, if available, to support their
views.
IV. Paperwork Reduction Act
Certain provisions of the proposed amendments contain ``collections
of information'' requirements within the meaning of the Paperwork
Reduction Act of 1995 (``PRA'').\101\ The Commission is submitting
these amendments to the Office of Management and Budget (``OMB'') for
review and approval in accordance with the PRA.\102\ The title for the
collections of information is ``Information security programs for
personal information; records of compliance.'' The safeguards and
disposal rules we propose to amend contain currently approved
collections of information under OMB Control No. 3235-0610, the title
of which is, ``Rule 248.30, Procedures to safeguard customer records
and information; disposal of consumer report information.'' \103\ The
Commission is proposing to amend Regulation S-P's safeguards and
disposal rules, 17 CFR 248.30(a) and (b), pursuant to Sections 501,
504, 505, and 504 of the GLBA,\104\ Sections 17, 17A, 23, and 36 of the
Exchange Act,\105\ Sections 31(a) and 38 of the Investment Company
Act,\106\ and Sections 204 and 211 of the Investment Advisers Act.\107\
Regulation S-P sets forth the Commission's safeguards rule for
institutions covered by the regulation. Among other things, the
safeguards rule requires covered institutions to adopt administrative,
technical, and physical information safeguards to protect customer
records and information. Regulation S-P also contains the Commission's
disposal rule, which requires institutions to properly dispose of
consumer report information possessed for a business purpose by taking
reasonable measures to protect against unauthorized access to or use of
the information in connection with its disposal.
---------------------------------------------------------------------------
\101\ 44 U.S.C. 3501-3520.
\102\ 44 U.S.C. 3507(d) and 5 CFR 1320.11.
\103\ The paperwork burden imposed by Regulation S-P's notice
and opt-out requirements, 17 CFR 248.1 to 248.18, is currently
approved under a separate OMB control number, OMB Control No. 3235-
0537. The proposed amendments would not affect this collection of
information.
\104\ 15 U.S.C. 6801, 6804, 6805 and 6825.
\105\ 15 U.S.C. 78q, 78q-1, 78w, and 78mm.
\106\ 15 U.S.C. 80a-30(a), 80a-37.
\107\ 15 U.S.C. 80b-4, 80b-11.
---------------------------------------------------------------------------
The proposed amendments are designed to ensure that covered
institutions maintain a reasonable information security program that
includes safeguarding policies and procedures that are more specific
than those currently required, including policies and procedures for
responding to data security breach incidents, for notifying individuals
for whom the incidents pose a risk of identity theft, and for reporting
certain incidents to the Commission (or to a broker-dealer's designated
examining authority) on proposed Form SP-30. The amendments also would
broaden the scope of information and the types of institutions and
persons covered by the safeguards and disposal rules. Finally, the
amendments would create a new exception from Regulation S-P's notice
and opt-out requirements for disclosures of limited information in
connection with the departure of a representative of a broker-dealer or
registered investment adviser. Firms choosing to rely on the exception
would be required to keep records of the information disclosed pursuant
to it.
The hours and costs associated with these collections of
information would consist of reviewing the proposed amendments,
collecting and searching for existing policies and procedures,
conducting a risk assessment, developing and recording information
safeguards appropriate to address risks, training personnel, and
adjusting written safeguards on an ongoing basis. Institutions would
also have to respond appropriately to incidents of data security breach
as may occur on an ongoing basis. If misuse of information has occurred
or is reasonably possible, this would include notifying affected
individuals. If there is a significant risk that an individual
identified with the information might suffer substantial harm or
inconvenience, or any unauthorized person has intentionally obtained
access to or used sensitive personal information, this would also
include notifying the Commission or an appropriate designated examining
authority as soon as possible on proposed Form SP-30. Certain of these
collections of information also would require disclosure, reporting,
and recordkeeping burdens, as analyzed below.
An agency may not conduct or sponsor, and a person is not required
to respond to a collection of information unless a currently valid OMB
control number is displayed. Responses to these collections of
information would not be kept confidential.\108\ The collections of
information would be mandatory, and would have to be maintained by
broker-dealers for not less than three years, the first two years in an
easily accessible place, by registered transfer agents for a period of
not less than two years, the first year in an easily accessible place,
by investment companies for a period not less than six years, the first
two years in an easily accessible place, and registered investment
advisers would have to preserve the records for five years, the first
two years in an appropriate office of the investment adviser.
---------------------------------------------------------------------------
\108\ Information submitted to the Commission on proposed Form
SP-30 would be kept confidential to the extent permitted by law. See
supra note 55.
---------------------------------------------------------------------------
Information Security and Security Breach Response Requirements
The proposed amendments contain collections of information
requirements related to the more specific standards we are proposing
for safeguarding personal information, including standards for
responding to data security breaches. We believe these proposed
collections of information are necessary to help prevent and address
security breaches and designed to ensure that covered institutions
maintain a reasonable information security program pursuant to the
statutory requirements. Covered institutions would have to document in
writing steps they would be required to take to develop, implement, and
maintain a comprehensive information security program. We estimate that
there would be 12,432 respondents to this information collection.\109\
Of these
[[Page 13705]]
covered institutions, we estimate that 5,862 are smaller institutions
and 6,570 are larger institutions. \110\
---------------------------------------------------------------------------
\109\ This estimate includes 6,016 broker-dealers, 4,733
investment companies representing portions of 813 fund complexes, 77
business development companies, 9,860 registered investment
advisers, and 501 registered transfer agents. As discussed in more
detail in the cost-benefit analysis below, the staff estimates that
56 percent of these 17,267 institutions, or 9,670 institutions, have
one or more affiliates. The staff estimates, for purposes of this
analysis, that each of the affiliated institutions has one corporate
affiliate. The staff estimates that these affiliated institutions
are likely to bear these paperwork burdens on an organization-wide
basis, rather than being incurred by each institution. Based on
these estimates, the staff estimates there would be 12,432
respondents to this information collection. (17,267 - (9,670 / 2) =
12,432) These estimates are discussed in more detail in the cost-
benefit analysis, see infra note 149 and accompanying text.
\110\ See infra note 154 and accompanying text.
---------------------------------------------------------------------------
Based on limited inquiries of covered institutions, the staff
estimates that the amount of time smaller institutions would devote to
initial compliance with the proposed amendments would range from 2 to
80 hours with a midpoint of 41 hours.\111\ This estimate reflects the
following burden hours: 1 hour for the board of directors to designate
an information security program coordinator; 1 hour for the program
coordinator to review the amendments; 4 hours to assess risks and
review procedures; 10 hours to review, revise and implement new
safeguards (including any data breach notification procedures); 8 hours
to test the effectiveness of the safeguards controls and procedures; 7
hours to train staff; and 10 hours to review service providers'
policies and procedures and revise contracts as necessary to require
them to maintain appropriate safeguards. The staff estimates that
initially it would cost smaller institutions approximately $18,560 to
comply with the proposed amendments.\112\ Amortized over three years,
the estimated annual hourly burden would be 14 hours at a cost of
approximately $6,187.
---------------------------------------------------------------------------
\111\ The staff estimate uses the midpoint of the range of
hours, although the average number of burden hours could be higher
or lower. Our estimates are based on staff contacts with several
institutions regarding their current safeguarding and disposal
policies and procedures as well as the potential costs of the
proposed amendments. Because the staff was able to discuss these
issues with only a small number of very large institutions, and our
estimates in this analysis are based largely on this information,
our estimates may be much higher or lower than the range of actual
current costs related to compliance with Regulation S-P and the
range of potential costs associated with the proposed amendments.
\112\ This estimate is based on a cost of $2,000 for one hour of
the board of directors' time (at $2,000/hour) and $16,560 for 40
hours of a program coordinators' time (at $414/hour). Staff believes
that the program coordinator would be a senior executive of the
institution, such as a chief compliance officer of an investment
adviser. For purposes of this PRA analysis, the staff is using
salaries for New York-based employees which tend to be higher than
the salaries for comparable positions located outside of New York.
This conservative approach is intended to capture unforeseen costs
and to account for the possibility that a substantial portion of the
work would be undertaken in New York. The salary information is
derived from data compiled by the Securities Industry and Financial
Markets Association. The Commission staff has modified this
information to account for an 1,800-hour work year and multiplied by
5.35 to account for bonuses, firm size, employee benefits, and
overhead. See Securities Industry and Financial Markets Association,
Report on Management and Professional Earnings in the Securities
Industry (2007); Securities Industry and Financial Markets
Association, Report on Office Salaries in the Securities Industry
(``SIFMA Earnings Reports'').
---------------------------------------------------------------------------
The staff estimates that the amount of time larger institutions
would devote to initial compliance with the proposed amendments would
range from 40 hours to 400 hours with a midpoint of 220 hours.\113\
This estimate reflects the following burden hours: 2 hours for the
board of directors to designate an information security program
coordinator; 2 hours for the program coordinator to review the
amendments; 42 hours to assess risks and review procedures; 60 hours to
review, revise and implement new safeguards (including any data breach
notification procedures); 60 hours to test the effectiveness of the
safeguards controls and procedures; 34 hours to train staff; and 20
hours to review service providers policies and procedures and revise
contracts as necessary to require them to maintain appropriate
safeguards. The staff estimates that larger institutions would spend
approximately $172,732 to comply with the proposed amendments
initially.\114\ Amortized over three years, the estimated annual hourly
burden would be 73 hours at a cost of approximately $57,577.
---------------------------------------------------------------------------
\113\ The staff estimate uses the midpoint of the range of
hours, although the average number of burden hours could be higher
or lower.
\114\ This estimate is based on a cost of $4,000 for 2 hours of
board of directors' time (at $2,000/hour) and $168,732 for 218 hours
of a group of compliance professionals' time (at $774/hour). The
staff believes that this group of compliance professionals would
include the program coordinator at a rate of $414 per hour, an in-
house attorney at a rate of $295 per hour, and an administrative
assistant at a rate of $65 per hour. See SIFMA Earnings Reports,
supra note 112. In total, we estimate that this group of compliance
professionals would cost the larger institution $758 per hour. $414
+ $295 + $65 = $774.
---------------------------------------------------------------------------
On an annual, ongoing basis the staff estimates that the amount of
time smaller institutions would devote to ongoing compliance with the
safeguards and disposal rules, as they are proposed to be amended,
would range from 12 hours to 40 hours per year with a midpoint of 26
hours per year. This estimate reflects the following burden hour
estimates: 5 hours to regularly test or monitor the safeguards' key
controls, systems, and procedures; 3 hours to augment staff training; 3
hours to provide continued oversight of service providers; 3 hours to
evaluate and adjust safeguards; 10 hours to respond appropriately to
potential incidents of data security breach, including investigating
the breach and, as necessary, notifying affected individuals; and 2
hours to notify the Commission or a designated examining authority as
soon as possible on proposed Form SP-30, in the event there is a
significant risk that an individual identified with the information
might suffer substantial harm or inconvenience or an unauthorized
person has intentionally obtained access to or used sensitive personal
information.\115\ We believe that most institutions investigate data
security breaches as a matter of good business practice to protect
their business operations and the sensitive information they have about
employees and clients. Nevertheless, we have estimated additional
burden hours because the proposed rule specifies certain elements of
the investigation and the notice to affected individuals. We also
believe that an institution would have gathered all the information
that would have to be disclosed in Form SP-30 in the course of these
investigations of data security breaches. Thus, staff estimates for the
Form SP-30 collection of information burden reflect only the time it
would take to draft the information on the form. Staff estimates that
smaller institutions would spend an additional $10,764 per institution
per year in connection with these burdens.\116\
---------------------------------------------------------------------------
\115\ We estimate that each covered institution that has
developed and adopted and is maintaining safeguarding policies and
procedures will experience some form of breach of data security each
year. See, e.g., Deloitte & Touche LLP and Ponemon Institute LLC,
Enterprise@Risk: 2007 Privacy & Data Protection Survey (Dec. 2007),
http://www.deloitte.com/dtt/cda/doc/content/us_risk_s%26P_
2007%20Privacy10Dec2007final.pdf (last visited Dec. 19, 2007) (85%
of surveyed privacy and security professionals experienced a
reportable breach within the past 12 months). These data security
breaches may range from minor breaches (such as an individual who
accidentally sees data that he or she does not have authority to
view) to more serious breaches. Accordingly, we have estimated that
each of these institutions would experience a data security breach
that would require notice to the Commission (or a designated
examining authority) each year. We understand that the nature of
security breaches will vary widely within and among institutions,
and that this estimate may be much higher than the actual reporting
that would be required under the proposed rule.
\116\ This estimate is based on the following calculation: 26
hours per smaller institution per year x $414 per hour = $10,764.
---------------------------------------------------------------------------
The staff also estimates that the amount of time larger
institutions would
[[Page 13706]]
devote to ongoing compliance with the proposed amendments would range
from 32 hours to 100 hours with a midpoint of 66 hours per year. This
estimate reflects the following burden hour estimates: 12 hours to
regularly test or monitor the safeguards' key controls, systems, and
procedures; 9 hours to augment staff training; 9 hours to provide
continued oversight of service providers; 10 hours to evaluate and
adjust safeguards; 20 hours to respond appropriately to potential
incidents of data security breach, including investigating the breach
and, as necessary, notifying affected individuals; and 6 hours to
notify the Commission or a designated examining authority as soon as
possible on proposed Form SP-30, in the event there is a significant
risk that an individual identified with the information might suffer
substantial harm or inconvenience or an unauthorized person has
intentionally obtained access to or used sensitive personal
information.\117\ Staff believes that larger institutions are likely to
have more complex business operations and data systems and may
experience more sophisticated security attacks than smaller
institutions. As a result, staff anticipates that larger institutions
are more likely to conduct more complicated investigations that require
more detailed explanations on proposed Form SP-30. Staff estimates
therefore that larger institutions would take more time to perform
investigations and to complete the questions on proposed Form SP-
30.\118\ The staff estimates that larger institutions would spend
approximately an additional $51,084 per institution per year.\119\
---------------------------------------------------------------------------
\117\ See supra note 115.
\118\ We recognize that the time it takes to perform an
investigation of a data security breach and to complete Form SP-30
may vary significantly depending on the nature, size and complexity
of an institution's business operations as well as the nature and
size of the security breach. Accordingly, the actual time it may
take a particular institution to investigate the breach and complete
Form SP-30 may vary significantly from staff estimates.
\119\ This estimate is based on the following calculation: 66
hours x $774 = $51,084.
---------------------------------------------------------------------------
Given the estimates set forth above, we estimate that the weighted
average initial burden for each respondent would be approximately 136
hours \120\ and $100,036.\121\ We also estimate that the weighted
average ongoing burden for each respondent would be approximately 47
hours \122\ and $32,072.\123\
---------------------------------------------------------------------------
\120\ This estimate is based on the following calculation:
((5,862 smaller institutions x 41 hours) + (6,570 larger
institutions x 220 hours) / 12,432 total institutions = 135.60
hours.
\121\ This estimate is based on the following calculation:
((5,862 smaller institutions x $18,560) + (6,570 larger institutions
x $172,732)) / 12,432 total institutions = $100,036.03.
\122\ This estimate is based on the following calculation:
((5,862 smaller institutions x 26 hours) + (6,570 larger
institutions x 66 hours)) / 12,432 total institutions = 47.14 hours.
\123\ This estimate is based on the following calculation:
((5,862 smaller institutions x $10,764) + (6,570 larger institutions
x $51,084)) / 12,432 total institutions = $32,072.12.
---------------------------------------------------------------------------
Scope of the Safeguards and Disposal Rules
The amendments also would broaden the scope of information and of
the entities covered by the safeguards and disposal rules. These
amendments do not contain collections of information beyond those
related to the information security and security breach response
requirements, analyzed above.
Records of Compliance
The proposed amendments would require that written records required
under the disposal and safeguards rules be maintained and preserved by
broker-dealers for not less than three years, the first two years in an
easily accessible place, by registered transfer agents for a period of
not less than two years, the first year in an easily accessible place,
by investment companies for a period not less than six years, the first
two years in an easily accessible place, and registered investment
advisers would have to preserve the records for five years, the first
two years in an appropriate office of the investment adviser. Covered
institutions are already required pursuant to other Commission rules to
maintain and preserve similar records in the same manner, and we do not
believe that the currently approved collections of information for
these rules would change based on the proposed amendments.\124\
---------------------------------------------------------------------------
\124\ See 17 CFR 240.17a-4(b); 240.17Ad-7(b); 270.31a-2(a)(4)-
(6); 275.204-2(e)(1).
---------------------------------------------------------------------------
Exception for Limited Information Disclosure When Personnel Leave Their
Firms
The proposed amendments would create a new exception from
Regulation S-P's notice and opt out requirements that would permit
limited disclosures of investor information when a registered
representative of a broker-dealer or supervised person of a registered
investment adviser moves from one brokerage or advisory firm to
another. This exception would require that the departing representative
provide the broker, dealer, or registered investment adviser he or she
is leaving with a written record of the permissible information that
would be disclosed under this exception. Broker-dealers and registered
investment advisers also would be required to retain a record of that
information consistent with existing record retention requirements. All
broker-dealers and registered investment advisers maintain records of
their customers and clients, including relevant contact information and
type of account. Thus, we estimate that allowing a departing
representative to make a copy of this information and requiring the
broker-dealer or registered investment adviser to retain a record of
that information would not result in an additional measurable burden to
the firm.
We request comment on whether these estimates are reasonable.
Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comments
in order to: (i) Evaluate whether the proposed collections of
information are necessary for the proper performance of the functions
of the Commission, including whether the information will have
practical utility; (ii) evaluate the accuracy of the Commission's
estimate of the burden of the proposed collections of information;
(iii) determine whether there are ways to enhance the quality, utility,
and clarity of the information to be collected; and (iv) minimize the
burden of the collections of information on those who are to respond,
including through the use of automated collection techniques or other
forms of information technology.
Members of the public may direct to us any comments concerning the
accuracy of these burden estimates and any suggestions for reducing
these burden hours. Persons wishing to submit comments on the
collection of information requirements of the proposed amendments
should direct them to the Office of Management and Budget, Attention
Desk Officer of the Securities and Exchange Commission, Office of
Information and Regulatory Affairs, Room 10102, New Executive Office
Building, Washington, DC 20523, and should send a copy to Nancy M.
Morris, Secretary, Securities and Exchange Commission, 100 F Street,
NE., Washington, DC 20549-1090 with reference to File No. S7-06-08. OMB
is required to make a decision concerning the collections of
information between 30 and 60 days after publication of this release;
therefore a comment to OMB is best assured of having its full effect if
OMB receives it within 30 days after the publication of this release.
Requests for materials submitted to OMB by the Commission with regard
to these collections of information should be in writing, refer to File
No. S7-06-08, and be submitted to the Securities and Exchange
Commission, Public Reference
[[Page 13707]]
Room, 100 F Street, NE., Washington, DC 20549.
V. Cost-Benefit Analysis
The Commission is sensitive to the costs and benefits imposed by
its rules. We have identified certain costs and benefits of the
proposed amendments and request comment on all aspects of this cost-
benefit analysis, including identification and assessment of any costs
and benefits not discussed in this analysis. We seek comment and data
on the value of the benefits identified. We also welcome comments on
the accuracy of the cost estimates in each section of this analysis,
and request that commenters provide data so we can improve these cost
estimates. In addition, we seek estimates and views regarding these
costs and benefits for particular covered institutions, including
registered transfer agents, as well as any other costs or benefits that
may result from the adoption of these proposed amendments.
As discussed above, the proposed rule amendments are designed to
enhance covered institutions' information security policies and
procedures as well as their ability to protect personal information.
Under Regulation S-P, covered institutions have been required to
safeguard customer records and information since 2001 and to dispose
properly of consumer report information since 2005. The proposed
amendments would modify Regulation S-P's current safeguards and
disposal rules to: (i) Require more specific standards under the
safeguards rule, including standards that would apply to data security
breach incidents; (ii) broaden the scope of information and the types
of institutions and persons covered by the rules; and (iii) require
covered institutions to maintain written records of their policies and
procedures and their compliance with those policies and procedures. The
proposed amendments also would create a new exception from Regulation
S-P's notice and opt-out requirements that would not unduly restrict
the transfer of representatives from one broker-dealer or registered
investment adviser to another while protecting customer information.
A. Costs and Benefits of More Specific Information Security and
Security Breach Standards
As noted, since 2001 broker-dealers, investment companies, and
registered investment advisers have been required to adopt policies and
procedures reasonably designed to insure the security and
confidentiality of customer records and information, protect against
anticipated threats or hazards, and protect against unauthorized access
to or use of customer records and information.\125\ The proposed rule
amendments would require more specific standards for safeguarding
personal information, including standards for responding to data
security breaches. The amendments would require covered institutions to
develop, implement, and maintain a comprehensive ``information security
program'' for protecting personal information and for responding to
unauthorized access to or use of personal information that would have
to be appropriate to the institution's size and complexity, the nature
and scope of its activities, and the sensitivity of the personal
information involved. The information security program would have to
include seven safeguarding elements, as described above in section
II.A. Our proposed amendments also would specifically require that
institutions' information security programs include procedures for
responding to incidents of unauthorized access to or use of personal
information. We believe that these proposed amendments would be
consistent with safeguarding guidance and rules issued by the Banking
Agencies and the FTC.\126\
---------------------------------------------------------------------------
\125\ See 15 U.S.C. 6801; 17 CFR 248.30(a). The Commission also
required that safeguarding policies and procedures be in writing by
July 1, 2005. See Disposal Rule Adopting Release, supra note 15.
\126\ See supra note 23 and accompanying text.
---------------------------------------------------------------------------
1. Benefits of More Specific Information Security and Security Breach
Standards
We anticipate that the proposed amendments would benefit covered
institutions and investors by providing specific standards for policies
and procedures to safeguard investor information, boosting investor
confidence and mitigating losses due to security breach incidents,
helping to ensure that information security programs are actively
managed and regularly updated, and reducing the compliance burden for
institutions in the event of a data security breach incident.
One benefit of the proposed information security and security
breach standards would be to provide firms in the securities industry
with detailed standards for the policies and procedures that a well-
designed information security program should include. As already noted,
a significant increase in reported information security breaches
involving covered institutions, including increasingly sophisticated
identity theft attacks directed at the securities industry, have
altered the risk environment and brought to our attention the
vulnerability of certain of our institutions' information security
policies and procedures.\127\ We are concerned that some Commission-
regulated institutions may not regularly reevaluate and update their
safeguarding programs to deal with these increasingly sophisticated
methods of attack. As a result, our staff has devoted increased
attention to this area.
---------------------------------------------------------------------------
\127\ See supra notes 16-19 and accompanying text.
---------------------------------------------------------------------------
The current rule's reasonable design standard has permitted
institutions flexibility to implement safeguarding policies and
procedures tailored to their own privacy policies and practices and
their varying business operations. While many institutions have
appropriate safeguards in place, some institutions, including some
smaller institutions, may have had difficulty keeping up with the
changes in the threat environment. Setting out a more specific
framework for institutions' continuing obligation to protect customer
information, may ease institutions' burden in interpreting our
expectations of safeguarding policies and procedures that are
``reasonably designed,'' while retaining much of the current rule's
flexibility.
We believe the proposed amendments would be consistent with the
Commission's initial statutory mandate under the GLBA to adopt, in
2000, final financial privacy regulations that are consistent and
comparable with those adopted by other federal financial
regulators.\128\ As noted above, after our adoption of Regulation S-P's
safeguards rule, the FTC and the Banking Agencies issued regulations
with more detailed standards applicable to the institutions they
regulate.\129\ The Banking Agencies also issued guidance for their
institutions on responding to incidents of unauthorized access to or
use of customer information.\130\ Our proposed amendments include
safeguarding elements consistent with the regulatory provisions of
these other agencies that Commission-regulated institutions would have
to address in their safeguarding policies and procedures.\131\
---------------------------------------------------------------------------
\128\ See Section 504(a) of the GLBA (15 U.S.C. 6804(a)).
\129\ See supra note 23 and accompanying text.
\130\ Id.
\131\ When the FTC adopted its safeguards rule, it stated that
an entity that demonstrated compliance with the Banking Agencies' or
NCUA's safeguarding standards also would satisfy the FTC rule. The
FTC stated, however, that it would not automatically recognize an
institution's compliance with other safeguards rules (including
Regulation S-P) as satisfying the FTC Safeguards Rule. The FTC
stated that it made this decision because ``such other rules and law
do not necessarily provide comparable protection in terms of the
safeguards mandated, data covered, and range of circumstances to
which protection apply.'' See Standards for Safeguarding Customer
Information, 67 FR 36484 (May 23, 2003), at text accompanying and
following nn.28-33. Compliance with other Regulation S-P provisions,
however, currently satisfies other FTC privacy requirements. Thus,
we expect that making the safeguarding provisions of Regulation S-P
comparable to the FTC's requirements would benefit institutions by,
for example, permitting state-registered investment advisers to
satisfy the FTC standards by complying with the Commission's
safeguards rule, which was drafted to address investment advisory
business models.
---------------------------------------------------------------------------
[[Page 13708]]
Covered institutions would benefit from having specific standards
that are consistent and comparable to those already adopted by the
Banking Agencies and the FTC in other ways. For example, covered
institutions that have banking affiliates may have already developed
policies and procedures consistent with the Banking Agencies' guidance
that are applied to all affiliates of the bank. If they do not have the
same policies and procedures, these covered institutions would be able
to apply the banking affiliate's policies and procedures to the
securities businesses with few changes. More specific safeguarding
standards also could increase investor confidence in institutions and
help mitigate losses that can result from lax safeguarding policies and
procedures. Incidents of identity theft have affected a large number of
Americans and are difficult and expensive for victims to deal with and
correct.\132\ Moreover, there is at least anecdotal evidence that the
wave of widely-reported incidents of data security breaches have played
a role in discouraging a significant number of individuals from
conducting business online.\133\ The proposed amendments could benefit
investors and increase their confidence by providing firms with
detailed standards for the processes that a well-designed information
security program should include. This could result in enhanced
protection for the privacy of investor information, and could decrease
incidents of identity theft, thereby mitigating losses due to identity
theft and other misuses of sensitive information. We also believe that
the increased protection that could result from the proposed amendments
could benefit institutions, which frequently incur the costs of
fraudulent activity.\134\ Thus, if only a small number of security
breach incidents were averted because the proposed amendments were
adopted, there still could be a significant cost savings to individuals
and institutions.\135\
---------------------------------------------------------------------------
\132\ In 2003 the FTC reported that up to 10 million Americans
had been victimized by identity theft over a 12-month period and
that these thefts cost businesses and consumers over $52 billion.
See FTC, Identity Theft Survey Report (Sept. 2003), available at
http://www.ftc.gov/os/2003/09/synovatereport.pdf.
\133\ A July 2005 study found that 48 percent of consumers
avoided making purchases on the Internet because they feared their
personal information may be stolen. See Cyber Security Industry
Alliance, Internet Voter Survey, at 9 (June 2005), https://
www.csialliance.org/publications/surveys_and_polls/CSIA_
Internet_Security_Survey_June_2005.pdf (last visited Nov. 6,
2007).
\134\ In most cases, financial institutions do not impose the
losses associated with fraudulent activity on consumers. See, e.g.,
Testimony of Oliver I. Ireland, on Behalf of the Financial Services
Coordinating Council, H.R. 3997, the ``Financial Data Protection Act
of 2005,'' Before the Subcomm. on Financial Institutions and
Consumer Credit, House Comm. on Financial Services (Nov. 9, 2005),
available at http://www.sia.com/testimony/2005/ireland11-9-05.html.
\135\ One research institution has estimated that the average
cost of a data security breach incident per institution is $1.4
million. See Ponemon Institute, LLC, 2006 Annual Study: Cost of a
Data Breach (Oct. 2006), http://download.pgp.com/pdfs/Ponemon2-
Breach-Survey--061020--F.pdf (last visited Nov. 6, 2007). In
addition, some investigations into data breach incidents have been
reported to cost as much as $5 million. See Daniel Wolfe, Security
Watch, Amer. Banker (Apr. 4, 2007).
---------------------------------------------------------------------------
As noted above, we are concerned that some institutions do not
regularly reevaluate and update their safeguarding programs. Requiring
covered institutions to designate in writing an employee or employees
to coordinate their information security programs should foster clearer
delegations of authority and responsibility, making it more likely that
an institution's programs are regularly reevaluated and updated. Having
an information security program coordinator also could contribute to an
institution's ability to meet its affirmative and continuing obligation
under the GLBA to safeguard customer information.\136\ If, for example,
elements of a covered institution's information security program were
not maintained on a consolidated basis, but were dispersed throughout
an institution, we believe having a responsible program coordinator or
coordinators should facilitate the institution's awareness of these
elements, as well as enable it to better manage and control risks and
conduct ongoing evaluations.
---------------------------------------------------------------------------
\136\ See 15 U.S.C. 6801(a).
---------------------------------------------------------------------------
We expect that the proposed framework for the initial and ongoing
oversight of institutions' information security programs--in the form
of formal risk assessments, periodic testing or monitoring of key
controls, systems, and procedures, staff training, and relevant
evaluations and adjustments--would help to ensure that information
security programs are appropriately updated along with relevant changes
in technology, new business arrangements, changes in the threat
environment, and other circumstances. Finally, the proposed amendment
that would require covered institutions to take reasonable steps to
select and retain service providers that are capable of maintaining
appropriate safeguards and would require service providers by contract
to implement and maintain appropriate safeguards should help to ensure
that sensitive personal information is protected when it leaves the
institution's custody, while still permitting institutions the
flexibility to select appropriate service providers.
The proposed requirement that information security programs include
specific procedures for responding to incidents of unauthorized access
to or use of personal information is designed to benefit investors and
institutions. The requirement would benefit investors who receive
notice of an information security breach pursuant to an institution's
incident response procedures by allowing those investors to take
precautions to the extent they believe necessary.\137\ The procedures
also would benefit institutions by establishing a national data breach
notification requirement for covered institutions.\138\ Currently at
least 39 states have enacted statutes requiring notification of
individuals in the event of a data security breach.\139\ This patchwork
of overlapping and sometimes inconsistent regulation has created a
difficult environment for financial institutions' compliance programs.
However, many of the state statutes contain exemptions for entities
regulated by federal data security breach regulations.\140\
Accordingly, the proposed amendments could benefit covered institutions
by significantly reducing the number of requirements with which covered
institutions must
[[Page 13709]]
comply.\141\ As noted, the banking regulators published similar data
breach notification guidance in 2005.\142\
---------------------------------------------------------------------------
\137\ Often victims of identity theft are unaware of the crime
until they are denied credit or employment, or are contacted by a
debt collector for payment on a debt they did not incur. See
Identity Theft Task Force, Combating Identity Theft, A Strategic
Plan, p. 3 (Apr. 2007), available at http://www.idtheft.gov/reports/
StrategicPlan.pdf.
\138\ Establishing national standards for data breach
notification requirements was a recommendation of the Identity Theft
Task Force. Id. at p. 35.
\139\ See Government Accountability Office, Personal
Information: Data Breaches Are Frequent, but Evidence of Resulting
Identity Theft Is Limited; However, the Full Extent Is Unknown (Jun.
4, 2007) at p. 2, and National Conference of State Legislatures,
State Security Breach Notification Laws (as of Dec. 1, 2007), http:/
/www.ncsl.org/programs/lis/cip/priv/breachlaws.htm (last visited
Dec. 10, 2007).
\140\ See, e.g., Crowell & Moring LLP, State Laws Governing
Security Breach Notification (last updated Apr. 2007), http://
www.crowell.com/pdf/SecurityBreachTable.pdf (last visited Dec. 10,
2007).
\141\ Under the proposed amendments, for example, using proposed
Form SP-30 would satisfy an institution's obligations to notify the
Commission or the appropriate designated examining authority.
Because many state laws have exceptions from breach notification
requirements for institutions subject to federal breach notification
requirements, this would streamline institutions' current reporting
obligations to numerous state authorities.
\142\ See Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice, 70
FR 15736 (Mar. 29, 2005), available at http://www.occ.treas.gov/
consumer/Customernoticeguidance.pdf. The guidance supplements the
Interagency Guidelines Establishing Standards for Safeguarding
Information which was renamed the Interagency Guidelines
Establishing Information Security Standards.
---------------------------------------------------------------------------
We request comment on available metrics to quantify these benefits
and any other benefits the commenter may identify. In particular, we
request comment reflecting institutions' experiences in safeguarding
customer information and addressing the security breach incidents
discussed above. Commenters are also requested to identify sources of
empirical data that could be used for the metrics they propose.
2. Costs of More Specific Information Security and Security Breach
Standards
Some institutions would likely incur additional costs in reviewing,
implementing, and maintaining more specific information security and
security breach standards. Institutions could incur additional costs in
reviewing current safeguarding policies and procedures and designing
and implementing new ones, if necessary, on an initial basis.
Institutions also could incur additional costs on an ongoing basis to
maintain up-to-date information security programs and to respond
appropriately to any data security breach incidents.
According to Commission filings, approximately 6,016 broker-
dealers, 4,733 investment companies comprising portions of 813 fund
complexes,\143\ 77 business development companies, 9,860 registered
investment advisers, and 501 registered transfer agents, or 17,267
covered institutions, would be required to comply with the proposed
amendments' more specific information security and security breach
standards.\144\ As noted, broker-dealers, investment companies, and
registered investment advisers have been required to have reasonably
designed safeguarding policies and procedures since 2001. In addition,
transfer agents have been required to have information security
safeguards since 2003, in accordance with the FTC Safeguards Rule.\145\
We estimate that 56 percent of all covered institutions, or 9,670
institutions, have one or more financial affiliates (whether these
institutions are regulated by the Commission or other federal financial
regulators).\146\ We estimate that each of the affiliated institutions
has one corporate affiliate. Based on limited inquiries of covered
institutions, we believe that these affiliated institutions are likely
to have developed safeguarding policies and procedures on an
organization-wide basis, rather than each affiliate developing policies
and procedures on its own.\147\ We also believe that the affiliate that
developed the affiliated organization's safeguarding policies and
procedures is also responsible for maintaining these policies and
procedures. We therefore estimate that one-half of the covered
affiliated institutions, or 4,835 institutions, have developed,
documented, and are maintaining safeguarding policies and procedures,
while the other half instead use the policies and procedures developed,
documented, and maintained by their affiliate.\148\ Accordingly, we
estimate that 12,432 covered institutions have developed and adopted
safeguarding policies and procedures and are maintaining these policies
and procedures in accordance with the current rule.\149\
---------------------------------------------------------------------------
\143\ Although the circumstances for every investment company
vary, we believe that in general the costs of complying with the
proposed rule amendments would be incurred on a per fund complex
basis and not on a per fund basis because almost all investment
companies are externally managed by affiliated organizations and
independent contractors, who, if the proposals are adopted, are
likely to review and implement the amended rules on behalf of all of
the investment companies they manage. See, e.g., Investment Company
Institute, A Guide to Understanding Mutual Funds, at 16, Sept. 2006,
available at http://www.ici.org/pdf/bro_understanding_mfs_p.pdf
(last visited Dec. 3, 2007). Thus, throughout this cost-benefit
analysis we estimate the costs of compliance on a per fund complex
basis.
\144\ This estimate is based on the following calculation: 6,016
+ 813 + 77 + 9,860 + 501 = 17,267.
\145\ See supra note 23.
\146\ The estimate that 56 percent of registrants have an
affiliate is based upon statistics reported as of December 3, 2007
on Form ADV, the Universal Application for Investment Adviser
Regulation, which contains specific questions regarding affiliations
between investment advisers and other persons in the financial
industry. We estimate that other institutions subject to the
safeguards rule would report a rate of affiliation similar to that
reported by registered investment advisers. The estimate that 9,670
institutions have an affiliate is based on the following
calculation: 17,267 x 0.56 = 9,669.52.
\147\ See supra note 109.
\148\ This estimate is based on the following calculation: 9,670
/ 2 = 4,835.
\149\ This estimate is based on the following calculation:
(17,267 - 9,670) + 4,835 = 12,432.
---------------------------------------------------------------------------
We expect that these institutions' current costs to maintain
safeguarding policies and procedures in compliance with the
Commission's safeguards rule vary greatly depending upon the size of
the institution, its customer base, the complexity of its business
operations, and the extent to which the institution engages in
information sharing. Thus, for example, we estimate that small
investment advisers with fewer than 10 employees require more limited
safeguarding policies and procedures to address a limited scope of
information transfer, storage, and disposal. We believe that larger
broker-dealers or fund complexes, by contrast, are more likely to have
and maintain a more extensive set of information safeguarding policies
and procedures, corresponding to these institutions' more complex
business activities and information sharing practices.
Of the covered institutions, we estimate that 7,030 registered
investment advisers have 10 or fewer employees.\150\ We estimate that
942 broker-dealers and investment company complexes are small
institutions, and are likely to have no more than 10 employees.\151\
Based on Commission filings, we also estimate that 170 transfer agents
are smaller institutions that are likely to have no more than 10
employees. We therefore estimate that 8,142 institutions, out of 17,267
covered institutions, are smaller institutions that are likely to have
no more than 10 employees.\152\ We believe that the institutions that
have developed and adopted safeguarding policies and procedures are as
likely to be smaller institutions with no more than 10 employees as the
total population of covered institutions.\153\ Therefore, of 12,432
covered institutions that we estimate have developed and adopted and
are maintaining safeguarding policies and procedures, we estimate for
purposes of this analysis that 5,862 institutions are smaller
institutions,
[[Page 13710]]
while 6,570 institutions are larger institutions.\154\
---------------------------------------------------------------------------
\150\ See Investment Adviser Association, Evolution Revolution,
A Profile of the Investment Adviser Profession (2006), available at
http://www.nrs-inc.com/ICAA/EvRev06.pdf.
\151\ As noted below, 915 broker-dealers and 238 investment
companies, representing 27 fund complexes, are small entities.
\152\ This estimate is based on the following calculation: 7,030
+ 942 + 170 = 8,142 smaller institutions.
\153\ 8,142 / 17,267 = 0.4715.
\154\ 12,432 x 0.4715 = 5,861.88; 12,432 - 5,862 = 6,570.
---------------------------------------------------------------------------
Based on conversations with representatives of covered
institutions, and information collected from limited inquiries of
covered institutions, we estimate that smaller institutions are
currently spending between $5,000 and $1,000,000 per year to comply
with the safeguards and disposal rules.\155\ We also estimate that
larger institutions are spending between $200,000 and $10,000,000 per
year to comply with the safeguards and disposal rules. These estimates
include costs for dedicated personnel, maintaining up-to-date policies
and procedures, enforcing various safeguarding requirements (such as
``clean desk'' requirements), hiring contractors to properly dispose of
sensitive information, developing and enforcing access procedures,
ongoing staff training, monitoring and reviewing compliance with
safeguarding standards, and computer encryption. These estimates also
include current spending to comply with state data security breach
statutes.\156\
---------------------------------------------------------------------------
\155\ See supra note 111.
\156\ These estimates also include transfer agents' current
spending to comply with the FTC Safeguards Rule. As noted, the
proposed amendments would apply to every broker or dealer other than
a notice-registered broker or dealer, every investment company, and
every investment adviser or transfer agent registered with the
Commission. See proposed paragraph (a)(1) of Section 30.
---------------------------------------------------------------------------
We expect that most covered institutions have information security
programs in place that would be consistent with the proposed
amendments.\157\ We do not have a reliable basis for estimating the
number of institutions that would incur additional costs or the extent
to which those institutions would have to enhance their policies and
procedures, including documentation of the information safeguard
program and its elements. Accordingly, we have estimated the range of
additional costs that individual firms could incur. We seek comment on
the number of firms that have information safeguard programs that would
satisfy the proposed amendments, the number of firms that would have to
enhance their programs, the extent of those enhancements, and the costs
of enhancement.
---------------------------------------------------------------------------
\157\ This belief is consistent with the analysis of the Office
of the Comptroller of the Currency and Office of Thrift Supervision
when they adopted the Banking Agencies Safeguard Guidelines in 2001.
At that time they stated with respect to the institutions they
regulated, that ``most if not all institutions already have
information security programs in place that are consistent with the
Banking Agencies' Security Guidelines. In such cases, little or no
modification to an institution's program will be required.'' See
Banking Agencies' Security Guidelines, supra note 23. The statement
was made in the analysis of whether the Guidelines would constitute
``a significant regulatory action'' for purposes of Executive Order
12866, which includes an action that would have an annual effect on
the economy of $100 million or more or adversely affect in a
material way the economy, a sector of the economy, productivity,
competition, jobs, the environment, public health or safety, or
State, local, or tribal governments or communities. The Board and
the FDIC did not prepare an analysis under Executive Order 12866.
---------------------------------------------------------------------------
If the proposed amendments were adopted, covered institutions could
incur costs to supplement their current information security programs
in some or all of the following ways. First, the institution would be
required to review and, as appropriate, revise its current safeguarding
policies and procedures, including their data security breach
procedures and disposal rule procedures, to comply with the more
specific requirements of the proposed amendments. Initially this would
require the institutions to: (i) Designate an employee or employees as
coordinator for the information security program; (ii) identify in
writing reasonably foreseeable security risks that could result in the
unauthorized access or compromise of personal information or personal
information systems; (iii) review existing or design new safeguards to
control these risks; (iv) train staff to implement the safeguards; and
(v) test the effectiveness of the safeguards' key controls, including
access controls, controls to detect, prevent and respond to incidents
of unauthorized access to or use of personal information. Second, an
institution also would be required to review its service providers'
information safeguards and determine whether its service providers are
capable of maintaining appropriate safeguards for personal information,
document this finding, and enter into contracts with the service
providers to implement and maintain appropriate safeguards.
Third, an institution would be required to review existing
safeguarding procedures relating to data security breach incidents.
Initially, this could include: (i) Assessing current policies and
procedures for responding to data breach incidents; and (ii) designing
and implementing written policies and procedures to assess, control,
and investigate incidents of unauthorized access or use of sensitive
personal information, as well as policies and procedures to notify
individuals and the Commission or a broker-dealer's designated
examining authority, if necessary.
Fourth, to comply with these amendments on an ongoing basis,
institutions would be required to: (i) Regularly test or monitor, and
maintain a written record of the effectiveness of their safeguards' key
controls, systems and procedures (including an assessment of personal
information system access controls, controls designed to detect,
prevent and respond to data security breach incidents, and controls
related to employee training or supervision); (ii) train staff to
implement their information security program; (iii) continue and
document their oversight of service providers; and (iv) evaluate and
adjust their information security programs in light of testing and
monitoring, and changes in technology, business operations or
arrangements, and other material circumstances.
Finally, an institution would be required to begin to respond to
any data security breach incidents as may occur on an ongoing basis.
This would include implementing and following written procedures to:
(i) Assess the nature and scope of the incident; (ii) take appropriate
steps to contain and control it, and document those steps in writing;
(iii) promptly conduct a reasonable investigation and make a written
determination of the likelihood that sensitive personal information had
been or would be misused; (iv) if misuse of information had occurred or
were reasonably likely, notify affected individuals; and (v) if an
individual identified with the information had suffered substantial
harm or inconvenience, or any unauthorized person had intentionally
obtained access to or used sensitive personal information, notify the
Commission, or the appropriate designated examining authority as soon
as possible on proposed Form SP-30.
We expect these estimated costs would vary significantly depending
on the size of the institution, the adequacy of its existing
safeguarding policies and procedures, and the nature of the
institution's operations. The ``reasonably designed'' standard for
information security programs in the proposed rule amendments is
consistent with the current safeguards and disposal rules. Thus, we
believe it should be relatively straightforward for an institution that
does not currently have policies and procedures that apply to specific
elements of the proposed amendments to incorporate these elements into
its current system of safeguarding policies and procedures. In
addition, we estimate that little or no modification to an
institution's safeguarding policies and procedures would be required in
situations where a covered institution's affiliate developed
[[Page 13711]]
its existing safeguarding policies and procedures in compliance with
the Banking Agencies' safeguarding guidance or the FTC's rules.
In addition to an institution's size, the adequacy of its
safeguards, and its operations, we expect that institutions'
information security programs would vary considerably depending on the
way in which each collects information, the number and types of
entities to which each transfers information, and the ways in which
each stores, transfers, and disposes of personal information. Based on
conversations with representatives of covered institutions and
information collected from limited inquiries of institutions, our staff
estimates that the additional initial costs that an institution could
incur to comply with the proposed amendments could range from 0 to 10
percent of its current costs of maintaining an information security
program. Our staff also estimates that the additional costs an
institution could incur for ongoing compliance with the proposed
amendments could range from 0 to 5 percent of its current costs.\158\
For purposes of the PRA, staff estimates that for a smaller
institution, the initial costs could range from between $500 and
$100,000, with an approximate cost of $18,560 per smaller
institution.\159\ Staff also estimates that for a smaller institution,
additional ongoing costs could range from between $250 and $50,000,
with an approximate cost of $10,764 per smaller institution per
year.\160\ With respect to a larger institution, again for purposes of
the PRA, staff estimates that initial costs could range from between
$20,000 and $1 million, with an approximate cost of $172,732 per larger
institution.\161\ Staff further estimates that for a larger
institution, additional ongoing costs could range from between $10,000
and $500,000 per year, with an approximate cost of $51,084 per larger
institution per year.\162\ We note that an institution that currently
incurs the highest estimated costs for its information security program
seems likely already to have a comprehensive information security
program and therefore would be less likely to require program
enhancements to comply with the rule. Accordingly, the high end of the
range of estimated costs for institutions may be excessive.
---------------------------------------------------------------------------
\158\ While we estimate that additional initial and ongoing
costs would vary significantly across wide ranges, we estimate that
the average cost per institution would be concentrated in the lower
end of those ranges because, as noted, we believe that most
institutions have already developed and adopted safeguarding and
disposal polices and procedures, and are maintaining these policies
and procedures, in accordance (or substantially in accordance) with
the proposed rule amendments.
\159\ See supra note 112 and accompanying text.
\160\ See supra note 116 and accompanying text.
\161\ See supra note 114 and accompanying text.
\162\ See supra note 119 and accompanying text.
---------------------------------------------------------------------------
We request comment on our estimated costs and our rationale
underlying them, and any aspect of the estimates or other costs that we
have not considered. We seek information about particular costs of
compliance as well as information as to any overall percentage increase
in costs that firms would likely incur as a result of the proposed
amendments. We request comment accompanied with statistical or other
quantitative information, and comment on the experiences of
institutions in addressing the circumstances addressed above.
Commenters should identify the metrics of any empirical data that
support their cost estimates.
B. Costs and Benefits of Broadened Scope of Information and of Covered
Institutions
The proposed rule amendments would broaden the scope of information
covered by the safeguards and disposal rules. From the perspective of
ease of compliance, we anticipate that institutions would benefit from
having a common set of rules that apply to both nonpublic personal
information about customers and consumer report information. We also
expect that investors would benefit from expanding the scope of
information covered by the safeguards and disposal rules because both
terms exclude some information that without protections could more
easily be used to obtain unauthorized access to investors' personal
financial information. Because we expect that this expansion of the
scope of information covered by the safeguards and disposal rules would
not require modification of institutions' current policies and
procedures, or their systems and databases for implementing these
policies and procedures, and because many firms currently protect
nonpublic personal information about customers and consumer report
information in the same way, we expect that the proposal would result
in no significant, if any, additional costs to institutions.
The amendments also would expand the scope of the safeguards rule
to include registered transfer agents, limit the scope of the
safeguards rule to exclude notice-registered broker-dealers, and extend
the disposal rule to apply to natural persons. As noted above, bringing
registered transfer agents within the scope of our safeguards rule
should benefit investors because these institutions maintain sensitive
personal information. We included registered transfer agents in our
estimate of the costs of the proposed information security and security
breach procedures above.\163\ Because transfer agents are currently
subject to the FTC Safeguards Rule, which, if the proposed amendments
were adopted, would be substantially similar to the Commission's
safeguards and disposal rules, we do not anticipate that there would be
any unique or unusual costs to transfer agents, beyond those discussed
above. Similarly, we do not anticipate any costs or benefits resulting
from the proposal to exclude notice-registered broker-dealers from
Regulation S-P because they would be subject to the CFTC's
substantially similar safeguards rules. This proposal would simply
clarify that notice-registered broker-dealers need not comply with both
Regulation S-P and the CFTC's rules.
---------------------------------------------------------------------------
\163\ See supra section V.A.2.
---------------------------------------------------------------------------
We expect that the proposal to include natural persons within the
scope of the disposal rule would benefit investors by establishing a
system designed to ensure that personal information is disposed of
properly by employees, particularly those who may work in branches far
from a covered institution's main office. We also believe that this
proposal would benefit investors by requiring compliance by natural
persons, associated with a covered institution, who are directly
responsible for properly disposing of personal information consistent
with the institution's policies. We do not expect that this proposal
would result in costs to institutions beyond those that would be
imposed by the more specific standards analyzed above in section V.A.2.
Specifically, we believe that any changes that would be required to
covered institutions' policies and procedures or training programs to
make it clear that individuals (not just firms) would have
responsibility for complying with the disposal rule are captured in our
estimates above.
We request comment on these estimates of benefits and costs and our
rationale underlying them, and any aspect of the estimates or other
benefits or costs that we have not considered. In particular, we
request comment accompanied with statistical or other quantitative
evidence, and comment on the experiences of institutions in addressing
the circumstances addressed above. Commenters should identify the
metrics and sources of any empirical data that support their cost
estimates.
C. Costs and Benefits of Maintaining Written Records
The proposed amendments would require covered institutions to
maintain
[[Page 13712]]
and preserve, in an easily accessible place, written records of the
safeguards and disposal policies and procedures. The amendments also
would require that institutions document compliance with their policies
and procedures, and that records would have to be maintained for a
period consistent with current requirements for similar records. We
expect that this proposal would benefit investors by enabling the
Commission's examination staff to evaluate whether institutions are in
compliance with the requirements of the proposed amendments to the
safeguards and disposal rules. We anticipate that institutions are
unlikely to incur significant costs in maintaining records or
documenting compliance to meet the requirements of this proposal
because we would expect to establish a date for compliance with these
amendments that would permit institutions to document and maintain
these records in the normal course of ordinary business. Thus, we do
not expect that this proposal would result in costs to institutions
beyond those that would be imposed by the more specific standards
analyzed above in section V.A.2.
We request comment on these estimates of benefits and costs and our
rationale underlying them, and any aspect of the estimates or other
benefits or costs that we have not considered. In particular, we
request comment accompanied with statistical or other quantitative
evidence, and comment on the experiences of institutions in addressing
the circumstances addressed above. Commenters should identify the
metrics and sources of any empirical data that support their cost
estimates.
D. Costs and Benefits of Proposed New Exception
Our proposed amendments would create a new exception from
Regulation S-P's notice and opt out requirements for disclosures of
limited information in connection with the departure of a
representative of a broker-dealer or investment adviser. The proposal
should enhance information security by providing a clear framework for
transferring limited information from one firm to another in this
context. At firms that choose to rely on it, the proposed exception
also should reduce potential incentives some representatives may have
to take information with them secretly when they leave. In addition,
the amendment should promote investor choice regarding whether to
follow a departing representative to another firm. Institutions that
choose to rely on the proposed exception also should benefit from the
greater legal certainty that it would provide. We expect that
institutions would incur minimal costs in retaining a written record of
the information that would be disclosed in connection with a
representative's departure, and expect that for a number of firms such
costs are incurred already in the ordinary course of business.\164\
Institutions need not provide these disclosures. Thus we anticipate
that only those that expect the potential benefits from the disclosure
would justify any associated costs would make the disclosures.
---------------------------------------------------------------------------
\164\ See supra note 91 and accompanying text.
---------------------------------------------------------------------------
We request comment on this cost estimate and our rationale
underlying it, and any aspect of the estimates or other costs that we
have not considered. In particular, we request comment accompanied with
statistical or other quantitative evidence, and the experiences of
institutions in addressing the circumstances addressed above.
Commenters should identify the metrics and sources of any empirical
data that support their cost estimates.
E. Request for Comment
We request comment on all aspects of this cost-benefit analysis,
including comment as to whether the estimates we have used in our
analysis are reasonable. We welcome comment on any aspect of our
analysis, the estimates we have made, and the assumptions we have
described. In particular, we request comment as to any costs or
benefits we may not have considered here that could result from the
adoption of the proposed amendments. We also request comment on the
numerical estimates we have made here, and request comment and specific
costs and benefits from covered institutions that have experienced any
of the situations analyzed above.
VI. Initial Regulatory Flexibility Analysis
This Initial Regulatory Flexibility Analysis (``IRFA'') has been
prepared in accordance with 5 U.S.C. 603. It relates to proposed
amendments to Regulation S-P that seek to strengthen the protections
for safeguarding and disposing of sensitive personal information and
provide a limited exception to notice and opt out requirements intended
to augment investors' ability to choose whether to follow personnel who
move from one broker-dealer or registered investment adviser to
another. The proposed amendments would: (i) Require covered
institutions to adopt more specific standards under the safeguards
rule, including standards that would apply to security breach
incidents; (ii) broaden the scope of information and the types of
institutions and persons covered by the rules; and (iii) require
covered institutions to maintain written records of the policies and
procedures and their ongoing compliance with those polices and
procedures. The proposed amendments also would require covered
institutions seeking to rely on the new exception related to departing
representatives to maintain a record of the information disclosed under
the exception to a representative's new firm.
A. Reasons for the Proposed Action
We have become concerned with the significant increase in the
number of information security breaches that have come to light in
recent years and the potential created by such breaches for misuse of
personal financial information, including identity theft. We are
concerned that some firms do not regularly reevaluate and update their
safeguarding programs to deal with increasingly sophisticated methods
of attack. To help prevent and address security breaches at covered
institutions, we propose to require more specific standards for
safeguarding personal information, including standards for responding
to data security breaches. In order to provide better protection
against unauthorized disclosure of personal financial information, we
believe that the scope of information covered by the current safeguards
and disposal rules should be broader.
We also propose a new exception to Regulation S-P's notice and opt
out requirements to permit limited disclosures of investor information
when a registered representative of a broker-dealer or a supervised
person of an investment adviser moves from one brokerage or advisory
firm to another. The proposed exception should provide legal certainty
to firms that choose to rely on it and reduce incentives some
representatives may have to take information with them secretly when
they leave. We believe this amendment also would help to augment
investors' ability to choose whether or not to follow a departing
representative to another firm.
B. Objectives of the Proposed Action
The overall objectives of the proposed amendments are to: (i)
Strengthen the protections for safeguarding and disposing of sensitive
personal information; and (ii) provide a limited exception to
Regulation S-P's notice and opt out requirements that would preserve
investors' ability to choose whether to follow personnel who move
[[Page 13713]]
from one broker-dealer or investment adviser to another. We believe
that the proposed amendments would help to:
Prevent and mitigate information security breach
incidents;
Ensure that sensitive financial information is not
disposed of improperly;
Ensure that firms regularly review and update their
safeguarding policies and procedures;
Ensure that the full range of appropriate information and
all relevant types of institutions regulated by the Commission are
covered by Regulation S-P's requirements; and
Enhance information security at firms choosing to rely on
a new exemption for disclosures of limited information when
representatives move from one firm to another by providing a clear
framework for such disclosures and promote investor choice regarding
whether or not to follow a departing representative to another firm.
C. Legal Basis
The amendments to Regulation S-P are proposed pursuant to the
authority set forth in Sections 501, 504, 505, and 525 of the GLBA,
Section 628(a)(1) of the FCRA, Sections 17, 17A, 23, and 36 of the
Exchange Act, Sections 31(a) and 38 of the Investment Company Act, and
Sections 204 and 211 of the Investment Advisers Act.\165\
---------------------------------------------------------------------------
\165\ 15 U.S.C. 6801, 6804, 6805, and 6825; 15 U.S.C.
1681w(a)(1); 15 U.S.C. 78q, 78q-1, 78w, and 78mm; 15 U.S.C. 80a-
30(a), 80a-37; and 15 U.S.C. 80b-4, 80b-11.
---------------------------------------------------------------------------
D. Small Entities Subject to the Proposed Rule Amendments
The proposed amendments to Regulation S-P would affect brokers,
dealers, registered investment advisers, investment companies, and
registered transfer agents, including entities that are considered to
be a small business or small organization (collectively, ``small
entity'') for purposes of the Regulatory Flexibility Act. For purposes
of the Regulatory Flexibility Act, under the Exchange Act a broker or
dealer is a small entity if it: (i) Had total capital of less than
$500,000 on the date in its prior fiscal year as of which its audited
financial statements were prepared or, if not required to file audited
financial statements, on the last business day of its prior fiscal
year; and (ii) is not affiliated with any person that is not a small
entity.\166\ A registered transfer agent is a small entity if it: (i)
Received less than 500 items for transfer and less than 500 items for
processing during the preceding six months; (ii) transferred items only
of issuers that are small entities; (iii) maintained master shareholder
files that in the aggregate contained less than 1,000 shareholder
accounts or was the named transfer agent for less than 1,000
shareholder accounts at all times during the preceding fiscal year; and
(iv) is not affiliated with any person that is not a small entity.\167\
Under the Investment Company Act, investment companies are considered
small entities if they, together with other funds in the same group of
related funds, have net assets of $50 million or less as of the end of
its most recent fiscal year.\168\ Under the Investment Advisers Act, a
small entity is an investment adviser that: (i) Manages less than $25
million in assets; (ii) has total assets of less than $5 million on the
last day of its most recent fiscal year; and (iii) does not control, is
not controlled by, and is not under common control with another
investment adviser that manages $25 million or more in assets, or any
person that has had total assets of $5 million or more on the last day
of the most recent fiscal year.\169\
---------------------------------------------------------------------------
\166\ 17 CFR 240.0-10.
\167\ Id.
\168\ 17 CFR 270.0-10.
\169\ 17 CFR 275.0-7.
---------------------------------------------------------------------------
Based on Commission filings, we estimate that 894 broker-dealers,
153 registered transfer agents, 203 investment companies, and 760
registered investment advisers may be considered small entities.
E. Reporting, Recordkeeping, and Other Compliance Requirements
The proposed amendments to Regulation S-P would require more
specific compliance requirements and create new reporting requirements
for institutions that experience a breach of information security. The
proposed amendments also would introduce new mandatory recordkeeping
requirements.
Under the proposed amendments to Regulation S-P, covered
institutions would have to develop, implement, and maintain a
comprehensive ``information security program'' for protecting personal
information and responding to unauthorized access to or use of personal
information. We expect that some covered institutions, including
covered institutions that are small entities, would be required to
supplement their current costs by the costs involved in reviewing and,
as appropriate, revising their current safeguarding policies and
procedures, including their data security breach response procedures
and disposal rule procedures, to comply with the more specific
requirements of the proposed amendments. Initially this would require
institutions to: (i) Designate an employee or employees as coordinator
for their information security program; (ii) identify in writing
reasonably foreseeable security risks that could result in the
unauthorized or compromise of personal information or personal
information systems; (iii) create a written record of their design and
implementation of their safeguards to control identified risks; (iv)
train staff to implement their information security program; and (v)
oversee service providers and document that oversight in writing.
Institutions also would have to review existing safeguarding
procedures relating to data security breach incidents. This would
include: (i) Assessing current policies and procedures for responding
to data breach incidents; and (ii) designing and implementing written
policies and procedures to assess, control, and investigate incidents
of unauthorized access or use of sensitive personal information, as
well as policies and procedures for, under certain conditions,
notifying individuals and the Commission or, in the case of a broker-
dealer, the appropriate designated examining authority.
To comply with these amendments on an ongoing basis, institutions
would have to implement procedures to: (i) Regularly test or monitor,
and maintain a written record of the effectiveness of their safeguards'
key controls, systems and procedures (including access controls,
controls related to data security breach incidents, and controls
related to employee training and supervision); (ii) augment staff
training as necessary; (iii) provide continued oversight of service
providers; and (iv) regularly evaluate and adjust their information
security program in light of their regular testing and monitoring,
changes in technology, their business operations or arrangements, and
other material circumstances.
Institutions also would have to respond appropriately to incidents
of data security breach as may occur on an ongoing basis. This would
include following their written procedures to: (i) Assess the nature
and scope of the incident; (ii) take appropriate steps to contain and
control the incident; (iii) promptly conduct a reasonable investigation
and make a written determination of the likelihood that sensitive
personal information has been or will be misused; (iv) if misuse of
information has occurred or is reasonably likely, notify affected
individuals as soon as possible; and (v) if an individual identified
with the information has suffered substantial
[[Page 13714]]
harm or inconvenience, or any unauthorized person has intentionally
obtained access to or used sensitive personal information, notify the
Commission or an appropriate designated examining authority as soon as
possible on proposed Form SP-30.
Overall, we expect there would be incremental costs associated with
the proposed amendments to Regulation S-P. Some proportion of large or
small institutions would be likely to experience some increase in costs
to comply with the proposed amendments if they are adopted.
More specifically, we estimate that with respect to the more
specific safeguarding elements, covered institutions would incur one-
time costs that could include the costs of assessment and revision of
safeguarding standards, staff training, and reviewing and entering into
contracts with service providers.\170\ We also estimate that the
ongoing, long-term costs associated with the proposed amendments could
include costs of regularly testing or monitoring the safeguards,
augmenting staff training, providing continued oversight of service
providers, evaluating and adjusting safeguards, and responding
appropriately to incidents of data security breach.\171\
---------------------------------------------------------------------------
\170\ See supra section IV.A.3.
\171\ Id.
---------------------------------------------------------------------------
We encourage written comments regarding this analysis. We solicit
comments as to whether the proposed amendments could have an effect
that we have not considered. We also request that commenters describe
the nature of any impact on small entities and provide empirical data
to support the extent of the impact.
F. Duplicative, Overlapping, or Conflicting Federal Rules
As discussed above, the proposed amendments would impose
requirements that covered institutions maintain and document a written
information security program. The proposed amendments also would
require reporting to individuals and appropriate regulators after
certain serious data breach incidents. Covered institutions are subject
to requirements elsewhere under the federal securities laws and rules
of the self-regulatory organizations that require them to adopt written
policies and procedures that may relate to some similar issues.\172\
The proposed amendments to Regulation S-P, however, would not require
covered institutions to maintain duplicate copies of records covered by
the rule, and an institution's information security program would not
have to be maintained in a single location. Moreover, although the
proposed amendments would require covered institutions to keep certain
records that may be required under existing recordkeeping rules, the
purposes of the requirements are different, and institutions need not
maintain duplicates of the records themselves.\173\ We believe,
therefore, that any duplication of regulatory requirements would be
limited and would not impose significant additional costs on covered
institutions including small entities. We believe there are no other
federal rules that duplicate, overlap, or conflict with the proposed
reporting requirements.
---------------------------------------------------------------------------
\172\ See, e.g., 15 U.S.C. 80b-4a (requiring each adviser
registered with the Commission to have written policies and
procedures reasonably designed to prevent misuse of material non-
public information by the adviser or persons associated with the
adviser); and NASD Rule 3010 (requiring each broker-dealer to
establish and maintain written procedures to supervise the types of
business it is engaged in and to supervise the activities of
registered representatives and associated persons, which could
include registered investment advisers).
\173\ See, e.g., 17 CFR 240.17a-3 (requiring broker-dealers to
make and keep, among other things, blotters or other records of
original entry, securities position records, and order tickets) and
17 CFR 270.31a-1(b)(11) (requiring investment companies to maintain,
among other things, minute books of directors' meetings and ``files
of all advisory material received from the investment adviser'').
---------------------------------------------------------------------------
G. Significant Alternatives
The Regulatory Flexibility Act directs us to consider significant
alternatives that would accomplish the stated objectives, while
minimizing any significant adverse impact on small entities. In
connection with the proposed amendments, we considered the following
alternatives:
(i) Establishing different compliance or reporting standards that
take into account the resources available to small entities;
(ii) The clarification, consolidation, or simplification of the
reporting and compliance requirements under the rule for small
entities;
(iii) Use of performance rather than design standards; and
(iv) Exempting small entities from coverage of the rule, or any
part of the rule.
With regard to the first alternative, we have proposed amendments
to Regulation S-P that would continue to permit institutions
substantial flexibility to design safeguarding policies and procedures
appropriate for their size and complexity, the nature and scope of
their activities, and the sensitivity of the personal information at
issue. We nevertheless believe it necessary to provide a more specific
framework of elements that every institution should consider and
address, regardless of its size. The proposed amendments to Regulation
S-P arise from our concern with the increasing number of information
security breaches that have come to light in recent years, particularly
those involving institutions regulated by the Commission. Establishing
different compliance or reporting requirements for small entities could
lead to less favorable protections for these entities' customers and
compromise the effectiveness of the proposed amendments.
With regard to the second alternative, we believe that the proposed
amendments should, by their operation, simplify reporting and
compliance requirements for small entities. Small covered institutions
are likely to maintain personal information on fewer individuals than
large covered institutions, and they are likely to have relatively
simple personal information systems. Under proposed paragraph (a)(1) of
Section 30, the information security programs that would be required by
the proposed amendments would have to be appropriate to a covered
institution's size and complexity, and the nature and scope of its
activities. Accordingly, we believe that the requirements of the
proposed amendment already would be simplified for small entities. We
also believe that the requirements of the proposed amendments could not
be further simplified, or clarified or consolidated, without
compromising the investor protection objectives the proposed amendments
are designed to achieve.
With regard to the third alternative, the proposed amendments are
for the most part performance based. Rather than specifying the types
of policies and procedures or the technologies that an institution
would be required to use to safeguard personal information, the
proposed amendments would require the institution to assess the types
of risks that it is likely to face and to address those in the manner
the institution believes most appropriate. With respect to the specific
requirements regarding notifications in the event of a data security
breach, we have proposed that institutions provide only the information
that seems most relevant for the Commission, a self-regulatory
organization, or a consumer to know in order to adequately assess the
potential damage that could result from the breach and to develop an
appropriate response.
Finally, with regard to alternative four, we believe that an
exemption for small entities would not be appropriate.
[[Page 13715]]
Small entities are as vulnerable as large ones to the types of data
security breach incidents we are trying to address. We believe that the
specific elements we have proposed must be considered and incorporated
into the policies and procedures of all covered institutions,
regardless of their size, to mitigate the potential for fraud or other
substantial harm or inconvenience to investors. Exempting small
entities from coverage of the proposed amendments or any part of the
proposed amendments could compromise the effectiveness of the proposed
amendments and harm investors by lowering standards for safeguarding
investor information maintained by small covered institutions.
Excluding small entities from requirements that would be applicable to
larger covered institutions also could create competitive disparities
between large and small entities, for example by undermining investor
confidence in the security of information maintained by small covered
institutions.
We request comment on whether it is feasible or necessary for small
entities to have special requirements or timetables for, or exemptions
from, compliance with the proposed amendments. In particular, could any
of the proposed amendments be altered in order to ease the regulatory
burden on small entities, without sacrificing the effectiveness of the
proposed amendments?
H. Request for Comments
We encourage the submission of comments with respect to any aspect
of this IRFA. In particular, we request comments regarding: (i) The
number of small entities that may be affected by the proposed
amendments; (ii) the existence or nature of the potential impact of the
proposed amendments on small entities discussed in the analysis; and
(iii) how to quantify the impact of the proposed amendments. Commenters
are asked to describe the nature of any impact and provide empirical
data supporting the extent of the impact. Such comments will be
considered in the preparation of the Final Regulatory Flexibility
Analysis, if the proposed amendments are adopted, and will be placed in
the same public file as comments on the proposed amendments. Comments
should be submitted to the Commission at the addresses previously
indicated.
VII. Consideration of Burden on Competition and Promotion of
Efficiency, Competition and Capital Formation
Exchange Act Section 23(a)(2) requires us, when adopting rules
under the Exchange Act, to consider the impact any new rule would have
on competition.\174\ In addition, Section 23(a)(2) prohibits us from
adopting any rule that would impose a burden on competition not
necessary or appropriate in furtherance of the purposes of Title I of
the Exchange Act. The proposed amendments to Regulation S-P would: (i)
Require more specific standards under the safeguards rule, including
standards that would apply to data security breach incidents; (ii)
broaden the scope of information and the types of institutions and
persons covered by the safeguards and disposal rules; and (iii) require
covered institutions to maintain written records of their policies and
procedures and their compliance with those policies and procedures. The
proposed amendments also would create a new exception from Regulation
S-P's notice and opt-out requirements for firms to transfer limited
investor information regarding clients of departing representatives to
those representatives' new firms.
---------------------------------------------------------------------------
\174\ 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------
Other financial institutions are currently subject to substantially
similar safeguarding and data breach response requirements under rules
adopted by the Banking Agencies and the FTC. Under the proposed
amendments, all financial institutions would have to bear similar costs
in implementing substantially similar rules thus enhancing competition.
We expect that the proposed amendment to create the new exception for
firms to transfer limited investor information regarding clients of
departing representatives to those representatives' new firms would not
limit and might promote competition in the securities industry by
providing legal certainty for firms that choose to rely on it and by
facilitating the transition for customers who choose to follow a
departing representative to a new firm.
In addition, Exchange Act Section 3(f), Investment Company Act
Section 2(c), and Investment Advisers Act Section 202(c) require us,
when engaging in rulemaking where we are required to consider or
determine whether an action is necessary or appropriate in the public
interest, to consider, in addition to the protection of investors,
whether the action will promote efficiency, competition, and capital
formation.\175\ Our analysis on competition is discussed above. As
discussed above, the proposed amendments could result in additional
costs for covered institutions, which could affect the efficiency of
these institutions. On the other hand, the amendments could promote
investor confidence and bring new investors to these institutions. In
the long term, the proposed amendments also could help reduce covered
institutions' costs by mitigating the frequency and consequences of
information security breaches. We do not believe the proposed
amendments would have a significant effect on capital formation,
although if the proposals lead to better information security practices
at covered institutions, potential investors could feel more
comfortable investing money in the capital markets. As a result, we
expect that the potential additional expense of compliance with these
proposed rule amendments would have little, if any, adverse effect on
efficiency, competition, and capital formation.
---------------------------------------------------------------------------
\175\ 15 U.S.C. 78c(f); 15 U.S.C. 80a-2(c); and 15 U.S.C. 80b-
2(c).
---------------------------------------------------------------------------
We request comment as to whether our estimates of the burdens the
proposed amendments would have on covered institutions are reasonable.
We welcome comment on any aspect of this analysis, and specifically
request comment on any effect the proposed amendments might have on the
promotion of efficiency, competition, and capital formation that we
have not considered. Would the proposed amendments or their resulting
costs affect the efficiency, competition, and capital formation of
covered institutions and their businesses? Commenters are requested to
provide empirical data and other factual support for their views to the
extent possible.
VIII. Small Business Regulatory Enforcement Fairness Act
For purposes of the Small Business Regulatory Enforcement Fairness
Act of 1996, or ``SBREFA,'' \176\ we must advise OMB as to whether the
proposed regulation constitutes a ``major'' rule. Under SBREFA, a rule
is considered ``major'' if, upon adoption, it results or is likely to
result in:
---------------------------------------------------------------------------
\176\ Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996)
(codified in various sections of titles 5 and 15 of the United
States Code, and as a note to 5 U.S.C. 601).
---------------------------------------------------------------------------
An annual effect on the economy of $100 million or more
(either in the form of an increase or a decrease);
A major increase in costs or prices for consumers or
individual industries; or
Significant adverse effect on competition, investment or
innovation.
If a rule is ``major,'' its effectiveness will generally be delayed
for 60 days pending Congressional review. We
[[Page 13716]]
request comment on the potential impact of the proposed regulation on
the economy on an annual basis. Commenters are requested to provide
empirical data and other factual support for their view to the extent
possible.
IX. Statutory Authority
The Commission is proposing to amend Regulation S-P pursuant to
authority set forth in Sections 501, 504, 505 and 525 of the GLBA (15
U.S.C. 6801, 6804, 6805 and 6825), Section 628(a)(1) of the FCRA (15
U.S.C. 1681w(a)(1)), Sections 17, 17A, 23, and 36 of the Exchange Act
(15 U.S.C. 78q, 78q-1, 78w, and 78mm), Sections 31(a) and 38 of the
Investment Company Act (15 U.S.C. 80a-30(a) and 80a-37), and Sections
204 and 211 of the Investment Advisers Act (15 U.S.C. 80b-4 and 80b-
11).
X. Text of Proposed Rules and Rule Amendments
List of Subjects in 17 CFR Part 248
Brokers, Dealers, Investment advisers, Investment companies,
Privacy, Reporting and recordkeeping requirements, Transfer agents.
For the reasons set out in the preamble, the Commission proposes to
amend 17 CFR part 248 as follows.
1. Revise the heading of part 248 to read as follows:
PART 248--REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION
AND SAFEGUARDING PERSONAL INFORMATION
2. Revise the authority citation for part 248 to read as follows:
Authority: 15 U.S.C. 78q, 78q-1, 78w, 78mm, 80a-30(a), 80a-37,
80b-4, 80b-11, 1681w(a)(1), 6801-6809, and 6825.
3. Section 248.1(b) is amended by removing ``(b)'' from the
reference to ``Sec. 248.30(b)'' in the first sentence of the
paragraph.
4. Section 248.2(b) is amended by removing ``(b)'' from the
reference to ``Sec. 248.30(b)'' in the first sentence.
5. Section 248.3(u) is amended by:
a. Removing ``or'' at the end of paragraph (u)(1)(ii);
b. Removing the period at the end of paragraph (u)(1)(iii) and in
its place adding ``; or''; and
d. Adding paragraph (u)(1)(iv) to read as follows:
Sec. 248.3 Definitions.
* * * * *
(u) * * *
(1) * * *
(iv) Handled or maintained by you or on your behalf that is
identified with any consumer, or with any employee, investor, or
securityholder who is a natural person.
* * * * *
6. Remove the heading of subpart A of part 248 and add in its place
the following undesignated center heading: ``Privacy and Opt Out
Notices''.
7. Remove the heading of subpart B of part 248 and add in its place
the following undesignated center heading: ``Limits on Disclosures''.
8. Remove the heading of subpart C of part 248 and add in its place
the following undesignated center heading: ``Exceptions''.
9. Section 248.15 is amended by:
a. Removing the word ``or'' at the end of paragraph (a)(6);
b. Removing the period at the end of paragraph (a)(7)(iii) and in
its place adding ``; or''; and
c. Adding paragraph (a)(8).
The addition reads as follows:
Sec. 248.15 Other exceptions to notice and opt out requirements.
(a) * * *
(8) To a broker, dealer, or investment adviser registered with the
Commission in order to allow one of your representatives who leaves you
to become the representative of another broker, dealer, or registered
investment adviser to solicit customers to whom the representative
personally provided a financial product or service on your behalf,
provided:
(i) The information is limited to a customer's name, a general
description of the type of account and products held by the customer,
and the customer's contact information, including the customer's
address, telephone number, and email information;
(ii) The information does not include any customer's account
number, Social Security number, or securities positions; and
(iii) You require your departing representative to provide to you,
not later than the representative's separation from employment with
you, a written record of the information that will be disclosed
pursuant to this exception, and you maintain and preserve such records
under Sec. 248.30(c).
(iv) For purposes of this section, representative means:
(A) A natural person associated with a broker or dealer registered
with the Commission, who is registered or approved in compliance with
Sec. 240.15b7-1 of this chapter; or
(B) A supervised person of an investment adviser as defined in
section 202(a)(25) of the Investment Advisers Act of 1940 (15 U.S.C.
80b-2(a)(25)).
10. Remove the heading of subpart D of part 248 and add in its
place the following undesignated center heading: ``Relation to Other
Laws; Effective Date''.
11. Amend part 248 by adding the undesignated center heading,
``Information Security Programs'' before Sec. 248.30, and revising
Sec. 248.30 to read as follows:
INFORMATION SECURITY PROGRAMS
Sec. 248.30 Information security programs for personal information;
records of compliance.
(a) Information security programs.--(1) General requirements. Every
broker or dealer other than a notice-registered broker or dealer, every
investment company, and every investment adviser or transfer agent
registered with the Commission, must develop, implement, and maintain a
comprehensive information security program. Your program must include
written policies and procedures that provide administrative, technical,
and physical safeguards for protecting personal information, and for
responding to unauthorized access to or use of personal information.
Your program also must be appropriate to your size and complexity, the
nature and scope of your activities, and the sensitivity of any
personal information at issue.
(2) Objectives. Your information security program must be
reasonably designed to:
(i) Ensure the security and confidentiality of personal
information;
(ii) Protect against any anticipated threats or hazards to the
security or integrity of personal information; and
(iii) Protect against unauthorized access to or use of personal
information that could result in substantial harm or inconvenience to
any consumer, employee, investor or securityholder who is a natural
person.
(3) Safeguards. In order to develop, implement, and maintain your
information security program, you must:
(i) Designate in writing an employee or employees to coordinate
your information security program;
(ii) Identify in writing reasonably foreseeable internal and
external risks to the security, confidentiality, and integrity of
personal information and personal information systems that could result
in the unauthorized disclosure, misuse, alteration, destruction or
other compromise of such information or systems;
(iii) Design and implement safeguards to control the risks you
identify, and maintain a written record of your design;
(iv) Regularly test or otherwise monitor, and maintain a written
record
[[Page 13717]]
of the effectiveness of the safeguards' key controls, systems, and
procedures, including the effectiveness of:
(A) Access controls on personal information systems;
(B) Controls to detect, prevent and respond to incidents of
unauthorized access to or use of personal information; and
(C) Employee training and supervision relating to your information
security program.
(v) Train staff to implement your information security program;
(vi) Oversee service providers, and document in writing that in
your oversight you are:
(A) Taking reasonable steps to select and retain service providers
that are capable of maintaining appropriate safeguards for the personal
information at issue; and
(B) Requiring your service providers by contract to implement and
maintain appropriate safeguards; and
(vii) Evaluate and adjust your information security program
accordingly in light of:
(A) The results of the testing and monitoring required by paragraph
(a)(3)(iv) of this section;
(B) Relevant changes in technology;
(C) Any material changes to your operations or business
arrangements; and
(D) Any other circumstances that you know or reasonably believe may
have a material impact on your information security program.
(4) Procedures for responding to unauthorized access or use. At a
minimum, your information security program must include written
procedures to:
(i) Assess the nature and scope of any incident involving
unauthorized access to or use of personal information, and maintain a
written record of the personal information systems and types of
personal information that may have been accessed or misused;
(ii) Take appropriate steps to contain and control the incident to
prevent further unauthorized access to or use of personal information
and maintain a written record of the steps you take;
(iii) After becoming aware of an incident of unauthorized access to
sensitive personal information, promptly conduct a reasonable
investigation, determine the likelihood that the information has been
or will be misused, and maintain a written record of your
determination;
(iv) If you determine that misuse of the information has occurred
or is reasonably possible, notify each individual with whom the
information is identified as soon as possible in accordance with
paragraph (a)(5) of this section and maintain a written record that you
provided notification; provided however that if an appropriate law
enforcement agency determines that notification will interfere with a
criminal investigation and requests in writing that you delay
notification, you may delay notification until it no longer interferes
with the criminal investigation; and
(v) If you are a broker or dealer other than a notice-registered
broker or dealer, provide written notice on Form SP-30 to your
designated examining authority (see 17 CFR 240.17d-1), and, if you are
an investment company or an investment adviser or transfer agent
registered with the Commission, provide written notice on Form SP-30 to
the principal office of the Commission, as soon as possible after you
become aware of any incident of unauthorized access to or use of
personal information in which:
(A) There is a significant risk that an individual identified with
the information might suffer substantial harm or inconvenience; or
(B) An unauthorized person has intentionally obtained access to or
used sensitive personal information.
(5) Notifying individuals of unauthorized access or use. If you
determine that an unauthorized person has obtained access to or used
sensitive personal information, and you determine that misuse of the
information has occurred or is reasonably possible, you must notify
each individual with whom the information is identified in a clear and
conspicuous manner and by a means designed to ensure that the
individual can reasonably be expected to receive it. The notice must:
(i) Describe in general terms the incident and the type of
sensitive personal information that was the subject of unauthorized
access or use;
(ii) Describe what you have done to protect the individual's
information from further unauthorized access or use;
(iii) Include a toll-free telephone number to call, or if you do
not have any toll-free number, include a telephone number to call and
the address and the name of a specific office to write for further
information and assistance;
(iv) If the individual has an account with you, recommend that the
individual review account statements and immediately report any
suspicious activity to you; and
(v) Include information about the availability of online guidance
from the FTC regarding steps an individual can take to protect against
identity theft, a statement encouraging the individual to report any
incidents of identity theft to the FTC, and the FTC's Web site address
and toll-free telephone number that individuals may use to obtain the
identity theft guidance and report suspected incidents of identity
theft.
(b) Disposal of personal information.--(1) Standard. Every broker
or dealer other than a notice-registered broker or dealer, every
investment company, every investment adviser or transfer agent
registered with the Commission, and every natural person who is an
associated person of a broker or dealer, a supervised person of an
investment adviser registered with the Commission, or an associated
person of a transfer agent registered with the Commission, that
maintains or otherwise possesses personal information for a business
purpose must properly dispose of the information by taking reasonable
measures to protect against unauthorized access to or use of the
information in connection with its disposal.
(2) Written policies, procedures and records. Every broker or
dealer, other than a notice-registered broker or dealer, every
investment company, and every investment adviser and transfer agent
registered with the Commission must:
(i) Adopt written policies and procedures that address the proper
disposal of personal information according to the requirements of
paragraph (b)(1) of this section; and
(ii) Document in writing its proper disposal of personal
information in compliance with paragraph (b)(1) of this section.
(3) Relation to other laws. Nothing in this paragraph (b) shall be
construed:
(i) To require any broker, dealer, investment company, investment
adviser, transfer agent, associated person of a broker or dealer,
supervised person of an investment adviser, or associated person of a
transfer agent, to maintain or destroy any record pertaining to an
individual that is not imposed under other law; or
(ii) To alter or affect any requirement imposed under any other
provision of law to maintain or destroy records.
(c) Recordkeeping. (1) Every broker or dealer other than a notice-
registered broker or dealer, every investment company, and every
investment adviser or transfer agent registered with the Commission,
must make and maintain the records and written policies and procedures
required under paragraphs (a) and (b)(2) of this section. Every broker
or dealer other than a notice-registered broker or dealer, and every
investment adviser registered with the Commission seeking to rely on
the
[[Page 13718]]
exception in Sec. 248.15(a)(8) must make and maintain the records
required by Sec. 248.15(a)(8)(iii).
(2) Starting from when the record was made, or from when the
written policy or procedure was last modified, the records and written
policies and procedures required under paragraphs (a) and (b)(2) of
this section, and the records made pursuant to Sec. 248.15(a)(8)(iii),
must be preserved in accordance with:
(i) 17 CFR 240.17a-4(b) by a broker or dealer other than a notice-
registered broker or dealer;
(ii) 240.17Ad-7(b) by a transfer agent registered with the
Commission;
(iii) 270.31a-2(a)(4)-(6) by an investment company; and
(iv) 275.204-2(e)(1) by an investment adviser registered with the
Commission.
(d) Definitions. As used in this Sec. 248.30, unless the context
otherwise requires:
(1) Associated person of a broker or dealer has the same meaning as
in section 3(a)(18) of the Securities Exchange Act of 1934 (15 U.S.C.
78c(a)(18)).
(2) Associated person of a transfer agent has the same meaning as
in section 3(a)(49) of the Securities Exchange Act of 1934 (15 U.S.C.
78c(a)(49)).
(3) Consumer report has the same meaning as in section 603(d) of
the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
(4) Consumer report information means any record about an
individual, whether in paper, electronic or other form, that is a
consumer report or is derived from a consumer report. Consumer report
information also means a compilation of such records. Consumer report
information does not include information that does not identify
individuals, such as aggregate information or blind data.
(5) Disposal means:
(i) The discarding or abandonment of personal information; or
(ii) The sale, donation, or transfer of any medium, including
computer equipment, on which personal information is stored.
(6) Information security program means the administrative,
technical, or physical safeguards you use to access, collect,
distribute, process, protect, store, use, transmit, dispose of, or
otherwise handle personal information.
(7) Notice-registered broker or dealer means a broker or dealer
registered by notice with the Commission under section 15(b)(11) of the
Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).
(8) Personal information means any record containing consumer
report information, or nonpublic personal information as defined in
Sec. 248.3(t), that is identified with any consumer, or with any
employee, investor, or securityholder who is a natural person, whether
in paper, electronic, or other form, that is handled or maintained by
you or on your behalf.
(9) Personal information system means any method used to access,
collect, store, use, transmit, protect, or dispose of personal
information.
(10) Sensitive personal information means personal information, or
any combination of components of personal information, that would allow
an unauthorized person to use, log into, or access an individual's
account, or to establish a new account using the individual's
identifying information, including the individual's:
(i) Social Security number; or
(ii) Name, telephone number, street address, e-mail address, or
online user name, in combination with the individual's account number,
credit or debit card number, driver's license number, credit card
expiration date or security code, mother's maiden name, password,
personal identification number, biometric record, or other
authenticating information.
(11) Service provider means any person or entity that receives,
maintains, processes, or otherwise is permitted access to personal
information through its provision of services directly to a broker,
dealer, investment company, or investment adviser or transfer agent
registered with the Commission.
(12) (i) Substantial harm or inconvenience means personal injury,
or more than trivial financial loss, expenditure of effort or loss of
time, including theft, fraud, harassment, impersonation, intimidation,
damaged reputation, impaired eligibility for credit, or the
unauthorized use of information identified with an individual to obtain
a financial product or service, or to access, log into, effect a
transaction in, or otherwise use the individual's account.
(ii) Substantial harm or inconvenience does not include
unintentional access to personal information by an unauthorized person
that results only in trivial financial loss, expenditure of effort or
loss of time, such as if use of the information results only in your
deciding to change the individual's account number or password.
(13) Supervised person of an investment adviser has the same
meaning as in section 202(a)(25) of the Investment Advisers Act of 1940
(15 U.S.C. 80b-2(a)(25)).
(14) Transfer agent has the same meaning as in section 3(a)(25) of
the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).
12. Redesignate Appendix A to part 248 as Appendix B to part 248,
and revise its heading to read as follows:
Appendix B to part 248--Sample Clauses
13. Add new Appendix A to part 248 to read as follows:
Appendix A to Part 248--Forms
(1) Availability of Forms. Any person may obtain a copy of Form
S-P or Form SP-30 prescribed for use in this part by written request
to the Securities and Exchange Commission, 100 F Street, NE.,
Washington, DC 20549. Any person also may view the forms on the
Commission Web site as follows:
(a) Form S-P at: [Web site URL];
(b) Form SP-30 at: [Web site URL].
(2) Form S-P. Use of Form S-P by brokers, dealers, and
investment companies, and by investment advisers registered with the
Commission, constitutes compliance with the notice content
requirements of Sec. Sec. 248.6 and 248.7.
(3) Form SP-30. Form SP-30 must be used pursuant to Sec.
248.30(a)(4)(v) as the notice of an incident of unauthorized access
to or use of personal information to be filed with the appropriate
designated examining authority by brokers or dealers other than
notice-registered brokers or dealers, and to be filed with the
Commission by investment companies, and by investment advisers and
transfer agents registered with the Commission.
14. Add Form SP-30 (referenced in paragraph (3) of Appendix A to
part 248) to read as follows:
Note: The text of Form SP-30 does not, and this amendment will
not, appear in the Code of Federal Regulations.
UNITED STATES SECURITIES AND EXCHANGE COMMISSION
Washington, DC 20549
FORM SP-30
SECURITY INCIDENT REPORTING FORM
(Pursuant to Sec. 248.30(a)(4)(v) of Regulation S-P (17 CFR
248.30(a)(4)(v)))
1. Provide identifying information (IARD/CRD number, CIK,*
business name, principal business and mailing addresses, and
telephone number).
* CIK stands for ``Central Index Key,'' which is the unique
number the Commission assigns to each entity that submits filings to
it.
2. Provide contact employee (name, title, address, and telephone
number).
3. Type of Institution:
----Broker-Dealer
----Investment Adviser
----Investment Adviser/Broker-Dealer (Dual Registrant)
----Investment Company
----Transfer Agent
[[Page 13719]]
4. Describe the security incident (e.g., unauthorized use of
your customers' online trading accounts, unauthorized use of your
employee's password to access sensitive personal information
maintained on one of your databases, or unauthorized access to your
files on an investment company's shareholders):
(a) Provide the date(s) of the incident;
(b) List Registrant's offices, divisions or branches involved;
(c) Describe personal information system(s) compromised;
(d) Describe the incident and identify anyone you reasonably
believe accessed or used personal information without authorization
or compromised the personal information system(s).
5. Provide information on third-party service provider(s)
involved:
(a) Identify any third-party service provider involved;
(b) Describe the services provided;
(c) If the service provider is an affiliate, describe the
affiliation;
(d) Describe the involvement of the service provider(s) in the
incident.
6. Describe steps taken or that you plan to take to assess the
incident.
7. Provide the number of individuals whose information appears
to have been compromised:----------
8. Describe steps you have taken or plan to take to prevent
improper use of any personal information that was or may be
compromised by the incident.
9. Do you intend to notify affected individuals?
(a) If yes, when?
(b) If no, why not?
10. Describe any steps you have taken or any plan to review your
policies and procedures in light of this incident.
11. Describe Customer account losses (to the extent known).
(a) Number of Customer Accounts Accessed: ----------
(b) Unauthorized Money Transfers
(i) Initial Customer Losses from Actual or Attempted
Unauthorized Transfers: $----------
(ii) Mitigation of Customer Losses from Firm's Efforts
(A) Surveillance/Investigative Intervention: $----------
(B) Recoveries from Receiving Parties: $----------
(C) Firm Compensation to Customers: $----------
(iii) Net Customer Losses: $----------
(c) Unauthorized Changes to Securities Portfolio (e.g., Pump and
Dump Schemes)
(i) Initial Customer Losses from Actual or Attempted
Unauthorized Trading
(A) Value of Accounts Before the Unauthorized Trading: $--------
--
(B) Value of Accounts After the Unauthorized Trading: $--------
--
(C) Initial Customer Losses/Gains: $----------
(ii) Did the firm return the affected customer accounts to their
positions before the unauthorized trading? Yes/No
(iii) Net Customer Losses/Gains: $----------
Dated: March 4, 2008.
By the Commission.
Nancy M. Morris,
Secretary.
[FR Doc. E8-4612 Filed 3-12-08; 8:45 am]
BILLING CODE 8011-01-P