(CORRECTED)

Release No. 34-57427

Release No. IC-28178

Release No. IA-2712

File No. S7-06-08

RIN 3235-AK08

 

Part 248 Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

SUMMARY: The Securities and Exchange Commission ("Commission") is proposing amendments to Regulation S-P, which implements certain provisions of the Gramm-Leach-Bliley Act ("GLBA") and the Fair Credit Reporting Act ("FCRA") for entities regulated by the Commission. The proposed amendments would set forth more specific requirements for safeguarding information and responding to information security breaches, and broaden the scope of the information covered by Regulation S-P's safeguarding and disposal provisions. They also would extend the application of the disposal provisions to natural persons associated with brokers, dealers, investment advisers registered with the Commission ("registered investment advisers") and transfer agents registered with the Commission ("registered transfer agents"), and would extend the application of the safeguarding provisions to registered transfer agents. Finally, the proposed amendments would permit a limited transfer of information to a nonaffiliated third party without the required notice and opt out when personnel move from one broker-dealer or registered investment adviser to another.

DATES: Comments must be received on or before May 12, 2008.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments:

Paper Comments:

  • Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-06-08. This file number should be included on the subject line if e-mail is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and copying in the Commission's Public Reference Room, 100 F Street, NE, Washington, DC 20549, on official business days between the hours of 10:00 am and 3:00 pm. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

FOR FURTHER INFORMATION CONTACT: Catherine McGuire, Chief Counsel, or Brice Prince, Special Counsel, Office of the Chief Counsel, Division of Trading and Markets, (202) 551-5550; or Penelope Saltzman, Acting Assistant Director, or Vincent Meehan, Senior Counsel, Office of Regulatory Policy, Division of Investment Management, (202) 551-6792, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission today is proposing amendments to Regulation S-P1 under Title V of the GLBA,2 the FCRA,3 the Securities Exchange Act of 1934 (the "Exchange Act"),4 the Investment Company Act of 1940 (the "Investment Company Act"),5 and the Investment Advisers Act of 1940 (the "Investment Advisers Act").6


I. BACKGROUND

A. Statutory Requirements and Current Regulation S-P Mandates

Subtitle A of Title V of the GLBA requires every financial institution to inform its customers about its privacy policies and practices, and limits the circumstances in which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party without first giving the consumer an opportunity to opt out of the disclosure.7 In enacting the legislation, Congress also specifically directed the Commission and other federal financial regulators to establish and implement information safeguarding standards requiring financial institutions subject to their jurisdiction to adopt administrative, technical and physical information safeguards.8 The GLBA specified that these standards were to "insure the security and confidentiality of customer records and information," "protect against any anticipated threats or hazards to the security or integrity" of those records, and protect against unauthorized access to or use of those records or information, which "could result in substantial harm or inconvenience to any customer."9

In response to these directives, we adopted Regulation S-P in 2000.10 Section 30(a) of Regulation S-P (the "safeguards rule") requires institutions to safeguard customer records and information,11 while other sections of the regulation implement the notice and opt out provisions of the GLBA.12 The safeguards rule currently requires institutions to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information. The safeguards must be reasonably designed to meet the GLBA's objectives.13 This approach provides flexibility for institutions to safeguard customer records and information in accordance with their own privacy policies and practices and business models. The safeguards rule and the notice and opt out provisions currently apply to brokers, dealers, registered investment advisers, and investment companies.14

Pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), the Commission amended Regulation S-P in 2004 to protect against the improper disposal of consumer report information.15 Section 30(b) of Regulation S-P (the "disposal rule") currently applies to the institutions subject to the other provisions of Regulation S-P, except that it excludes notice-registered broker-dealers and includes registered transfer agents.

B. Challenges Posed by Information Security Breaches

In recent years, we have become concerned with the increasing number of information security breaches that have come to light and the potential for identity theft and other misuse of personal financial information. Once seemingly confined mainly to commercial banks and retailers, this problem has spread throughout the business community, including the securities industry.16

In the last two years, we have seen a significant increase in information security breaches involving institutions we regulate. Perhaps most disturbing is the increase in incidents involving the takeover of online brokerage accounts, including the use of the accounts by foreign nationals as part of "pump-and-dump" schemes.17 The financial services sector also is a popular target for online targeted attacks, and "phishing" attacks in which fraudsters set up an Internet site designed to mimic a legitimate site and induce random Internet users to disclose personal information.18 In other recent incidents, registered representatives of broker-dealers disposed of information and records about clients or prospective clients in accessible areas, from which journalists were able to remove them. Sensitive securities-related data also has been lost or stolen as a result of other incidents.19

Many firms in the securities industry are aware of these problems and have appropriate safeguards in place to address them.20 We are concerned, however, that some firms do not regularly reevaluate and update their safeguarding programs to deal with these increasingly sophisticated methods of attack.21 For this reason, and in light of the increase in reported security breaches and the potential for identity theft among the institutions we regulate, we believe that our previous approach, requiring safeguards that must be reasonably designed to meet the GLBA's objectives, merits revisiting.22

We also are concerned that while the information protected under the safeguards rule and the disposal rule includes certain personal information, it does not include other information that could be used to access investors' financial information if obtained by an unauthorized user. Finally, we want to address other issues under Regulation S-P that have come to our attention, including the application of the regulation to situations in which a representative of one broker-dealer or registered investment adviser moves to another firm. Accordingly, today we are proposing amendments to the safeguards and disposal rules that are designed to address these concerns.

II. DISCUSSION

To help prevent and address security breaches in the securities industry and thereby better protect investor information, we propose to amend Regulation S-P in four principal ways. First, we propose to require more specific standards under the safeguards rule, including standards that would apply to data security breach incidents. Second, we propose to amend the scope of the information covered by the safeguards and disposal rules and to broaden the types of institutions and persons covered by the rules. Third, we propose to require institutions subject to the safeguards and disposal rules to maintain written records of their policies and procedures and their compliance with those policies and procedures. Finally, we are taking this opportunity to propose a new exception from Regulation S-P's notice and opt-out requirements to allow investors more easily to follow a representative who moves from one brokerage or advisory firm to another.

A. Information Security and Security Breach Response Requirements

To help prevent and address security breaches at the institutions we regulate, we propose to require more specific standards for safeguarding personal information, including standards for responding to data security breaches. When we adopted Regulation S-P in 2001, the safeguards rule simply required institutions to adopt policies and procedures to address the safeguarding objectives stated in the GLBA. Following our adoption of the rule, the FTC and the Banking Agencies issued regulations with more detailed standards for safeguarding customer records and information applicable to the institutions they regulate.23 We believe these standards include necessary elements that institutions should address when adopting and implementing safeguarding policies and procedures. We have therefore looked to the other agencies' standards in developing our proposal and tailored them, where appropriate, to develop proposed standards for the institutions we regulate.

1. Revised safeguarding policies and procedures

As noted above, the safeguards rule requires institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments would further develop this requirement by requiring each institution subject to the safeguards rule to develop, implement, and maintain a comprehensive "information security program," including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information.24 This program would have to be appropriate to the institution's size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue.25 Consistent with current requirements for safeguarding policies and procedures, the information security program also would have to be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or securityholder who is a natural person.26 Although the term "substantial harm or inconvenience" is currently used in the safeguards rule, it is not defined. We propose to define the term to mean "personal injury, or more than trivial financial loss, expenditure of effort or loss of time."27 This definition is intended to include harms other than identity theft that may result from failure to safeguard sensitive information about an individual. For example, a hacker could use confidential information about an individual for extortion by threatening to make the information public unless the individual agrees to the hacker's demands.

"Substantial harm or inconvenience" would not include "unintentional access to personal information by an unauthorized person that results only in trivial financial loss, expenditure of effort or loss of time," such as if use of the information results in an institution deciding to change the individual's account number or password.28 The rule would provide an example of what would not constitute harm or inconvenience that rises to the level of "substantial," which should help clarify the scope of what would constitute "substantial harm or inconvenience."

The proposed amendments also would specify particular elements that a program meeting the requirements of Regulation S-P must include.29 These elements are intended to provide firms in the securities industry with detailed standards for the policies and procedures that a well-designed information security program should include to address recent identity theft-related incidents such as firms in the securities industry losing data tapes and laptop computers and failing to dispose properly of sensitive personal information, and hackers hijacking online brokerage accounts.30 These elements also are intended to maintain consistency with information safeguarding guidelines and rules adopted by the Banking Agencies and FTC.31 In addition, these elements are consistent with policies and procedures we understand many institutions in the securities industry have already adopted. We understand that large and complex organizations generally have written policies that address information safeguarding procedures at several layers, from an organization-wide policy statement to detailed procedures that address particular controls.32

Institutions subject to the rule would be required to:

(i) designate in writing an employee or employees to coordinate the information security program;33

(ii) identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information or personal information systems;34

(iii) design and document in writing and implement information safeguards to control the identified risks;35

(iv) regularly test or otherwise monitor and document in writing the effectiveness of the safeguards' key controls, systems, and procedures, including the effectiveness of access controls on personal information systems, controls to detect, prevent and respond to attacks or intrusions by unauthorized persons, and employee training and supervision;36

(v) train staff to implement the information security program;37

(vi) oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing);38 and

(vii) evaluate and adjust their information security programs to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the institution knows or reasonably believes may have a material impact on the program.39

The term "service provider" would mean any person or entity that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person subject to the rule.40 We understand that in large financial complexes, a particular affiliate may be responsible for providing a particular service for all affiliates in the complex. In that circumstance, each financial institution subject to Regulation S-P would be responsible for taking reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards and of overseeing the service provider's implementation, maintenance, evaluation, and modifications of appropriate safeguards for the institution's personal information. Under the proposed amendments, we anticipate that a covered institution's reasonable steps to evaluate the information safeguards of service providers could include the use of a third-party review of those safeguards such as a Statement of Auditing Standards No. 70 ("SAS 70") report, a SysTrust report, or a WebTrust report.41

We request comment on the proposed specific standards for safeguarding personal information.

  • Would these standards provide sufficient direction to institutions? Are there particular standards that should be more or less prescriptive? For example, should institutions be required to designate an employee or employees to coordinate the information security program by name, or should institutions be permitted to make these designations by position or office?
  • Would additional standards be appropriate or are certain standards unnecessary? Should the proposed standards be modified to more closely or less closely resemble standards prescribed by the Banking Agencies or the FTC? For the securities industry, are there any other standards that a well-designed information security program should address? Are there any other standards that would provide more flexibility to covered institutions?
  • We also invite comment on the proposed requirement that entities assess the sufficiency of safeguards in place, to control reasonably foreseeable risks. Should the rules include more detailed standards and specifications for access controls? Should the requirement specify factors such as those identified in the Banking Agencies' guidance regarding authentication in an Internet banking environment or include policies and procedures such as those in the Banking Agencies' and the FTC's proposed or final "red flag" requirements?42 For example, should we require that covered institutions implement multifactor authentication, layered security, or other controls for high-risk transactions involving access to customer information or the movement of funds to third parties? Should we require that covered institutions include in their information security programs "red flag" elements that would be relevant to detecting, preventing and mitigating identity theft in connection with the opening of accounts or existing accounts, or in connection with particular types of accounts associated with a reasonably foreseeable risk of identity theft? Should we require that covered institutions adopt policies and procedures for evaluating changes of address followed closely by an account change or transaction, or for processing address discrepancy notices from consumer reporting agencies? If the rule were to include more detailed standards and specifications for access controls, how should these apply to business conducted by telephone?
  • Commenters are invited to discuss the proposed definition of "substantial harm or inconvenience." Are there circumstances that commenters believe would create substantial harm or inconvenience to individuals that would not meet the proposed definition? If so, how should the definition be revised to address these circumstances?
  • Commenters are invited to discuss the proposed requirements for written documentation of compliance with the proposed safeguarding provisions.
  • Commenters are invited to discuss the proposed definition of "service provider." They also are invited to discuss whether, if the proposed amendments are adopted, they should include or be accompanied by guidance on the use of outside evaluations of third-party service providers. For example, should the Commission provide guidance similar to that provided by the FFIEC on the appropriate use of SAS 70 reports in evaluating the information safeguards of service providers?43

2. Data security breach response

Because of the potential for harm or inconvenience to individuals when a data security breach occurs, we are proposing that information security programs include procedures for responding to incidents of unauthorized access to or use of personal information. These procedures would include notice to affected individuals if misuse of sensitive personal information has occurred or is reasonably possible. The procedures would also include notice to the Commission (or for certain broker-dealers, their designated examining authority44) under circumstances in which an individual identified with the information has suffered substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information. The proposed rules that would require prompt notice of information security breach incidents to individuals, as well as the Commission or designated examining authorities, are intended to facilitate swift and appropriate action to minimize the impact of the security breach.

The data security breach response provisions of the proposed amendments include elements intended to provide firms in the securities industry with detailed standards for responding to a breach so as to protect against unauthorized use of compromised data. The proposed standards would specify procedures a covered institution's information security program would need to include. These procedures would be required to be written to provide clarity for firm personnel and to facilitate Commission and SRO examination and inspection. The proposed standards are intended to ensure that covered institutions adopt plans for responding to an information security breach incident so as to minimize the risk of identity theft or other significant investor harm or inconvenience from the incident. These proposed procedures also are intended to be consistent with security breach notification guidelines adopted by the Banking Agencies.45

Under the proposed amendments, institutions subject to the rule would be required to have written procedures to:

(i) assess any incident involving unauthorized access or use, and identify in writing what personal information systems and what types of personal information may have been compromised;46

(ii) take steps to contain and control the incident to prevent further unauthorized access or use and document all such steps taken in writing;47

(iii) promptly conduct a reasonable investigation and determine in writing the likelihood that the information has been or will be misused after the institution becomes aware of any unauthorized access to sensitive personal information;48 and

(iv) notify individuals with whom the information is identified as soon as possible (and document the provision of such notification in writing) if the institution determines that misuse of the information has occurred or is reasonably possible.49

We propose to define the term "sensitive personal information" to mean "any personal information, or any combination of components of personal information, that would allow an unauthorized person to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information," including the individual's Social Security number, or any one of the individual's name, telephone number, street address, e-mail address, or online user name, in combination with any one of the individual's account number, credit or debit card number, driver's license number, credit card expiration date or security code, mother's maiden name, password, personal identification number, biometric authentication record, or other authenticating information.50 This definition is intended to cover the types of information that would be most useful to an identity thief, and to which unauthorized access would create a reasonable possibility of substantial harm or inconvenience to an affected individual.

The amendments also would require an institution to provide notice to the Commission as soon as possible after the institution becomes aware of any incident of unauthorized access to or use of personal information in which there is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience, or in which an unauthorized person has intentionally obtained access to or used sensitive personal information.51 This requirement would allow Commission and SRO investigators or examiners to review the notices to determine if an immediate investigative or examination response would be appropriate. In this regard, it is crucial that institutions respond promptly to any follow-up requests for records or information from our staff or the staff of the designated examining authority.52 Under the proposed amendments, a prompt response in accordance with existing Commission guidance on the timely production of records would be particularly important in circumstances involving ongoing misuse of sensitive personal information.

The regulatory notification requirement in the Banking Agencies' guidance requires a report to the appropriate regulator as soon as possible after the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.53 Our proposed notice requirement differs from the Banking Agencies' approach in that it would require notice to the Commission (or a designated examining authority) when an incident of unauthorized access to or use of personal information poses a significant risk that an individual identified with the information might suffer substantial harm or inconvenience, or in which an unauthorized person has intentionally obtained access to or used sensitive personal information. The proposed notice requirement is intended to avoid notice to the Commission in every case of unauthorized access, and to focus scrutiny on information security breaches that present a greater potential likelihood for harm. We believe that this approach would help conserve institutions', as well as the Commission's, administrative resources by allowing minor incidents to be addressed in a way that is commensurate with the risk they present. The information to be included in the notice would allow the Commission or a broker-dealer's designated examining authority to evaluate whether any legal action against a would-be identity thief or other action is warranted in light of the circumstances. A broker-dealer, other than a notice-registered broker-dealer, would be required to notify the appropriate designated examining authority on proposed Form SP-30. An investment company or registered investment adviser or transfer agent would be required to notify the Commission on proposed Form SP-30.54

Proposed Form SP-30 would require the institution to disclose information that the Commission (or the designated examining authority) needs to understand the nature of the unauthorized access or misuse of personal information and the institution's intended response to the incident.55 Accordingly, in addition to identifying and contact information for the covered institution, the form would request a description of the incident, when it occurred and what offices or parts of the registrant's business were affected. The form also would require disclosure of any third-party service providers that were involved, the type of services provided and, if the service provider is an affiliate, the nature of the affiliation. This information would help examiners to assess the information security policies and procedures of the service provider. In addition, the form would require a description of any customer account losses.

Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information.56 The proposed requirements for notices to individuals are intended to give investors information that would help them protect themselves against identity theft. They also are intended to be consistent with similar requirements in the Banking Agencies' Incident Response Guidance.57
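As an added illustration, not text of the proposed rule or of any Commission form, the following Python encodes the proposed definition of "sensitive personal information" and the two notice triggers described above (notice to affected individuals, and notice to the Commission or a broker-dealer's designated examining authority) as a decision helper an incident response team could run against the facts established in steps (i) through (iii). The field names, the incident attributes and the sample incidents are constructed assumptions; the determinations of intentional access, reasonable possibility of misuse and significant risk remain the institution's judgment and are taken as inputs.

```python
"""Decision helper for the proposed Regulation S-P definition of "sensitive
personal information" (SPI) and the two notice triggers in the release.
Added illustration only: field names and sample incidents are constructed."""

from dataclasses import dataclass

# Identifying components named in the proposed definition: any one of these,
# combined with any one of the authenticating components below, is SPI.
IDENTIFIERS = {
    "name", "telephone_number", "street_address",
    "email_address", "online_user_name",
}

# Authenticating components named in the proposed definition.
AUTHENTICATORS = {
    "account_number", "credit_or_debit_card_number", "drivers_license_number",
    "credit_card_expiration_date", "credit_card_security_code",
    "mothers_maiden_name", "password", "personal_identification_number",
    "biometric_authentication_record", "other_authenticating_information",
}


def is_sensitive_personal_information(fields: set[str]) -> bool:
    """True if a compromised set of fields meets the proposed definition:
    a Social Security number on its own, or at least one identifying
    component together with at least one authenticating component."""
    if "social_security_number" in fields:
        return True
    return bool(fields & IDENTIFIERS) and bool(fields & AUTHENTICATORS)


@dataclass(frozen=True)
class Incident:
    """Facts an institution would have after assessing, containing and
    investigating an incident (constructed attribute names)."""
    label: str
    compromised_fields: frozenset
    intentional_access: bool               # unauthorized person intentionally obtained/used the data
    misuse_reasonably_possible: bool       # outcome of the investigation step
    significant_risk_of_substantial_harm: bool


def requires_individual_notice(inc: Incident) -> bool:
    """Notice to each affected individual: an unauthorized person obtained or
    used SPI, and misuse has occurred or is reasonably possible."""
    return (is_sensitive_personal_information(set(inc.compromised_fields))
            and inc.misuse_reasonably_possible)


def requires_commission_notice(inc: Incident) -> bool:
    """Notice to the Commission (or designated examining authority): a
    significant risk of substantial harm or inconvenience, or an unauthorized
    person intentionally obtained access to or used SPI."""
    return inc.significant_risk_of_substantial_harm or (
        inc.intentional_access
        and is_sensitive_personal_information(set(inc.compromised_fields)))


def assess(inc: Incident) -> dict:
    """Summarise the three determinations for one incident."""
    return {
        "label": inc.label,
        "spi": is_sensitive_personal_information(set(inc.compromised_fields)),
        "notify_individuals": requires_individual_notice(inc),
        "notify_commission": requires_commission_notice(inc),
    }


# Constructed sample incidents mirroring the kinds of events the release cites.
SAMPLE_INCIDENTS = [
    Incident("lost backup tape", frozenset({"name", "account_number"}),
             intentional_access=False, misuse_reasonably_possible=True,
             significant_risk_of_substantial_harm=True),
    Incident("online account takeover", frozenset({"online_user_name", "password"}),
             intentional_access=True, misuse_reasonably_possible=True,
             significant_risk_of_substantial_harm=True),
    Incident("stolen mailing list", frozenset({"name", "street_address", "email_address"}),
             intentional_access=True, misuse_reasonably_possible=True,
             significant_risk_of_substantial_harm=False),
    Incident("misdirected internal e-mail", frozenset({"social_security_number"}),
             intentional_access=False, misuse_reasonably_possible=False,
             significant_risk_of_substantial_harm=False),
]


if __name__ == "__main__":
    for incident in SAMPLE_INCIDENTS:
        print(assess(incident))
```

The third sample shows why the definition is combinatorial: a stolen list of names and addresses is not SPI on its own, so even an intentional theft does not by itself trigger Commission notice unless the institution judges there to be a significant risk of substantial harm. The fourth shows the other direction: a Social Security number is SPI by itself, yet an unintentional exposure with no reasonable possibility of misuse triggers neither notice. "Other authenticating information" is a catch-all in the definition, so the classifier depends on the institution mapping its own data elements to these categories honestly.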

The notices to affected individuals that would be required by the proposed amendments would have to:

(i) describe the incident and the type of information that was compromised, and what was done to protect the individual's information from further unauthorized access or use;58

(ii) include a toll-free telephone number or other contact information for further information and assistance from the institution;59

(iii) recommend that the individual review account statements and immediately report any suspicious activity to the institution;60 and

(iv) include information about FTC guidance regarding the steps an individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the FTC, and the FTC's Web site address and toll-free telephone number for obtaining identity theft guidance and reporting suspected incidents of identity theft.61

We request comment on the proposed specific standards relating to incidents of unauthorized access to or misuse of personal information.

  • Commenters are invited to discuss the proposed requirements for procedures for responding to incidents of unauthorized access to or use of personal information. Are there any particular steps that may not be necessary, or not necessary in all situations? Are there any other steps that could be taken in response to a security breach that also should be required in some or all situations?
  • We request comment on the proposed provisions regarding procedures for notifying the Commission (or a broker-dealer's designated examining authority) of incidents in which an individual identified with compromised information has suffered substantial harm or inconvenience, or an unauthorized person has intentionally obtained access to or used sensitive personal information.
  • For example, should firms be required to provide notice only if the information compromised in an incident is identified with a certain number of individuals? Should the rule include a numerical or other threshold for when notice to the Commission (or to a broker-dealer's designated examining authority) is required? If so, how would a threshold work for smaller institutions that may be far more likely than larger institutions to meet the threshold? Will the proposed standard provide a sufficient early warning to the Commission, or should the Commission broaden the circumstances under which notices would be required to be provided to the Commission (or to a broker-dealer's designated examining authority), such as the standard adopted by the Banking Agencies? Commenters should explain their views.
  • Is the proposed definition of "sensitive personal information" sufficient? Are there particular types of information that should or should not be included?
  • We request comment on proposed Form SP-30. Is the form easy to understand and use? For example, is the form clear, or would additional guidance, such as instructions or further explanation of particular questions or terms be helpful? Would it be easier or more cost-effective for firms if the rule specified the information they are required to provide rather than provide a form? Would the form be more useful if it were in a tabular format? Commenters should be specific regarding changes they believe should be made to the content or format of the proposed form.
  • Similarly, we invite comment on the proposed provisions regarding procedures for notifying individuals of incidents of unauthorized use or access if an institution determines that an unauthorized person has obtained access to or used the information and that misuse of sensitive personal information has occurred or is reasonably possible. Is the information in the proposed notice to individuals appropriate? Is there additional information that institutions should include, or information, proposed to be included, that should be eliminated? Is the proposed threshold for notice appropriate? If not, are there alternative thresholds for notice to individuals that would be more appropriate? If so, commenters should explain their views.
  • Commenters are invited to discuss the proposed requirements for written documentation of compliance with the proposed incident response provisions.

B. Scope of the Safeguards and Disposal Rules

1. Information covered by the safeguards and disposal rules

The Commission adopted the safeguards and disposal rules at different times under different statutes (respectively, the GLBA and the FACT Act) that differ in the scope of information they cover. As noted above, Regulation S-P implements the GLBA privacy provisions governing requirements for notice and opt out before an institution can share certain information with nonaffiliates and for safeguarding information. The regulation's notice and opt out provisions limit institutions from sharing "nonpublic personal information" about consumers and customers, as defined in the GLBA and in Regulation S-P, with nonaffiliated third parties.62 As required under the GLBA, the safeguards rule requires covered institutions to maintain written policies and procedures to protect "customer records and information,"63 which is not defined in the GLBA or in Regulation S-P. The disposal rule requires institutions to properly dispose of "consumer report information," a third term, which Regulation S-P defines consistent with the FACT Act provisions.64 Each of these terms includes a different set of information, although the terms include some of the same information.65 Each term also omits some information that, if obtained by an unauthorized user, could permit access to personal financial information about an institution's customers. We preliminarily believe that in order to provide better protection against the unauthorized disclosure of this personal financial information, the scope of information protected by both the safeguards rule and the disposal rule should be broader. Broadening the scope of information covered by the safeguards and disposal rules would more appropriately implement Section 525 of the GLBA. Section 525 directs the Commission to revise its regulations as necessary to ensure that covered institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of "customer financial information." Section 521 of Title V of the GLBA prohibits persons from obtaining, or requesting a person to obtain, customer information by making false or fraudulent statements to an officer, employee, agent, or customer of a financial institution.66 In furtherance of these prohibitions, the GLBA directs the Commission and the other federal financial regulators to review their regulations and to revise them as necessary to ensure that financial institutions have policies, procedures and controls in place to prevent the unauthorized disclosure of "customer financial information" and to deter and detect the activity described in Section 521.67 Applying both the safeguards and disposal rules to a consistent set of information also could reduce any burden that may have been created by the application of the safeguards and disposal rules to different information.68

Accordingly, we propose to amend the safeguards and disposal rules so that both protect "personal information," and to define that term to encompass any record containing either "nonpublic personal information" or "consumer report information."69 As noted above, each of these terms is defined in Regulation S-P.70 The term "consumer report information" would continue to mean any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report, as well as a compilation of such records, but not including information that does not identify individuals, such as aggregate information or blind data.71 The proposed amendments would leave the meaning of the term "consumer report" unchanged from the definition set forth in Section 603(d) of the FCRA.72 Section 603(d) defines "consumer report" in general as encompassing communications of information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, reputation or particular other factors used in connection with establishing the consumer's eligibility for credit or insurance, or for employment purposes or other authorized purposes, subject to certain exclusions.73

In addition to nonpublic personal information and consumer report information, "personal information" also would include information identified with any consumer, or with any employee, investor, or securityholder who is a natural person,74 in paper, electronic or other form, that is handled by the institution or maintained on the institution's behalf.75 Thus, for example, the definition would include records of employee user names and passwords maintained by a brokerage firm, and records about securityholders maintained by a transfer agent. We believe safeguarding employee user names and passwords promotes information security because unauthorized access to this information could facilitate unauthorized access to a firm's network and its clients' personal information.76 Safeguarding information about investors and securityholders, such as that maintained by registered transfer agents, is necessary to protect investors who may, directly or indirectly, do business with the Commission's regulated entities even though they may not be "consumers" or "customers" of those entities as those terms are defined for purposes of Regulation S-P.77 We also propose to make a conforming change to the definition of "personally identifiable financial information" by including within the definition information that is handled or maintained by a covered institution or on its behalf, and that is identified with any consumer, or with any employee, investor, or securityholder who is a natural person.78 We preliminarily believe that this change would be appropriate in the public interest and for the protection of investors because it would help protect information identified with an investor who may not be a "consumer" or "customer" of a covered institution.

To better protect investors' and securityholders' information from unauthorized disclosure, the proposed amendments would apply the safeguards and disposal rules to nonpublic personal information or consumer report information that is identified with any individual consumer, employee, investor or securityholder and handled or maintained by or on behalf of the institution. The proposal to include personal information and consumer report information about employees of covered institutions is intended to reduce the risk that a would-be identity thief could access investor information by impersonating an employee or employing "social engineering" techniques or bribery.

Including consumer report information within the definition of "personal information" (to which the safeguards rule would apply) would be consistent with the congressional intent behind making consumer report information subject to the disposal requirements set forth in the FACT Act.79 Furthermore, the proposed scope of protection appears to be consistent with the practices of many covered institutions that currently protect employee information, consumer report information, and nonpublic personal information about consumers and customers in the same manner.80

We invite comment on the proposed definition of "personal information."

  • Should the safeguards rule extend to consumer report information that is not nonpublic personal information?
  • Should the disposal rule extend to nonpublic personal information that is not consumer report information?
  • To what extent do institutions currently take the same measures in disposing of consumer report information, customer records and information, nonpublic personal information about consumers and customers, and information other than consumer report information that is identified with employees, investors, or securityholders who are not consumers or customers? To the extent that measures are different, what is the basis for those differences?
  • Is the proposed definition of "personal information," which includes all records containing either consumer report information or nonpublic personal information, broad enough to encompass the information that needs to be protected? If not, how should we expand the definition? Are there any aspects of the proposed definition that, in the context of the information security requirements discussed below, may be over-inclusive with regard to particular types of entities? If so, how should we tailor the definition?
  • The proposed definition of "personal information" encompasses information identified with any consumer, or with any employee, investor, or securityholder who is a natural person. Are there any other persons whose information should be protected under the safeguards rule, or should the safeguards rule cover only information identified with individuals who are customers of a financial institution?
  • Should the proposed definition of "personal information" be expanded to include information identified with non-natural persons, such as corporate clients? Commenters should explain their views.

2. Institutions covered by the safeguards rule

As discussed above, the safeguards rule currently applies to brokers, dealers, registered investment advisers, and investment companies. The disposal rule currently applies to those entities as well as to registered transfer agents. We propose to extend the safeguards rule to apply to registered transfer agents.81 These institutions, like those currently subject to both the safeguards and disposal rules, may maintain personal information such as Social Security numbers, account numbers, passwords, account balances, and records of securities transactions and positions. Unauthorized access to or misuse of such information could result in substantial harm and inconvenience to the individuals identified with the information. The proposed amendments thus would require that covered institutions that may receive personal information in the course of effecting, processing or otherwise supporting securities transactions must protect that information by maintaining appropriate safeguards in addition to taking measures to properly dispose of the information.82 Registered transfer agents may maintain sensitive personal information about investors, the unauthorized access to or use of which could cause investors substantial inconvenience or harm. Therefore, we preliminarily believe that extending the safeguards rule to registered transfer agents would be appropriate in the public interest and for the protection of investors.83

The proposed amendments also would limit the scope of broker-dealers covered by the safeguards rule to brokers or dealers other than those registered by notice with the Commission under Section 15(b)(11) of the Exchange Act.84 Notice-registered broker-dealers must comply with the privacy rules, including rules requiring the safeguarding of customer records and information, adopted by the CFTC.85 Excluding notice-registered broker-dealers from the scope of the Commission's safeguards rule would clarify that both sets of rules do not apply to notice-registered broker-dealers, and that the CFTC would have primary responsibility for oversight of those broker-dealers in this area.

We seek comment on the proposed scope of the safeguards rule.

  • Should registered transfer agents be subject to the safeguards rule? To what extent are registered transfer agents expected to possess, or lack, the type of information that could be used to commit identity theft or otherwise cause individuals substantial harm or inconvenience?86 Are there special issues that registered transfer agents might have in implementing or meeting the requirements of the safeguards rule?
  • Should the Commission propose to extend the safeguards and disposal rules to self-regulatory organizations or other types of institutions in the securities industry? If so, which ones?
  • Should notice-registered broker-dealers be excluded from the scope of the proposed amended safeguards rule? If not, why not?

3. Persons covered by the disposal rule

As noted above, the disposal rule currently applies to broker-dealers, investment companies, registered investment advisers and registered transfer agents. We propose to extend the disposal rule to apply to natural persons who are associated persons of a broker or dealer, supervised persons of a registered investment adviser, and associated persons of a registered transfer agent.87 As noted above, we have become concerned that some of these persons, who may work in branches far from the registered entity's main office, may not dispose of sensitive personal financial information consistent with the registered entity's disposal policies. The proposal is intended to make persons associated with a covered institution directly responsible for properly disposing of personal information consistent with the institution's policies.

  • We request comment on the proposed extension of the scope of the disposal rule to apply to natural persons who are associated with broker-dealers, supervised persons of registered investment advisers, or who are associated persons of registered transfer agents.
  • Are there alternative ways of helping to ensure that these persons would follow the covered institution's disposal policies and properly dispose of personal information?

C. Records of Compliance

We further propose to amend Regulation S-P to require institutions subject to the safeguards and disposal rules to make and preserve written records of their safeguards and disposal policies and procedures. We also propose to require that institutions document that they have complied with the elements required to develop, maintain and implement these policies and procedures for protecting and disposing of personal information, including procedures relating to incidents of unauthorized access to or misuse of personal information. These records would help institutions assess their policies and procedures internally, and help examiners to monitor compliance with the requirements of the amended rules. The periods of time for which the records would have to be preserved would vary by institution, because the requirements would be consistent with existing recordkeeping rules, beginning with when the records were made, and, for records of written policies and procedures, after any change in the policies or procedures they document.88 Broker-dealers would have to preserve the records for a period of not less than three years, the first two years in an easily accessible place. Registered transfer agents would have to preserve the records for a period of not less than two years, the first year in an easily accessible place. Investment companies would have to preserve the records for a period not less than six years, the first two years in an easily accessible place. Registered investment advisers would have to preserve the records for five years, the first two years in an appropriate office of the investment adviser. We believe that these proposed recordkeeping provisions, while varying among covered institutions, would all result in the maintenance of the proposed records for sufficiently long periods of time and in locations in which they would be useful to examiners. Moreover, we do not believe that shorter or longer maintenance periods would be warranted by any difference between the proposed records and other records that covered institutions currently must maintain for these lengths of time. We also believe that conforming the proposed retention periods to existing requirements would allow covered institutions to minimize their compliance costs by integrating the proposed requirements into their existing recordkeeping systems.89

We request comment on the proposed requirements for making and retaining records.

  • Are the proposed periods of time for preserving the records appropriate, or should certain records be preserved for different periods of time?
  • Would the costs associated with preserving records for periods of time consistent with covered institutions' other recordkeeping requirements be less than they would be if all institutions were required to keep these records for the same period of time?

D. Exception for Limited Information Disclosure When Personnel Leave Their Firms

Finally, we propose to amend Regulation S-P to add a new exception from the notice and opt out requirements to permit limited disclosures of investor information when a registered representative of a broker-dealer or a supervised person of a registered investment adviser moves from one brokerage or advisory firm to another. The proposed exception is intended to allow firms with departing representatives to share limited customer information with the representatives' new firms that could be used to contact clients and offer them a choice about whether to follow a representative to the new firm. At many firms, representatives develop close professional and personal relationships with investors over time. Representatives at such firms likely remember the basic contact information for their clients or have recorded it in their own personal records. Some firms discourage departing representatives from soliciting clients to move to another firm, while others do not. At any firm, departing representatives may have a strong incentive to transfer as much customer information as possible to their new firms, and it has been brought to our attention that, at some firms, information may have been transferred without adequate supervision, in contradiction of privacy notices provided to customers, or potentially in violation of Regulation S-P.90

The proposed exception is designed to provide an orderly framework under which firms with departing representatives could share certain limited customer contact information and could supervise the information transfer.91 The proposed exception would permit one firm to disclose to another only the following information: the customer's name, a general description of the type of account and products held by the customer, and contact information, including address, telephone number and e-mail information.92 We propose to include this particular information as it would be useful for a representative seeking to maintain contact with investors, but appears unlikely to put an investor at serious risk of identity theft. It also is the type of information an investor would expect a representative to remember. Broker-dealers and registered investment advisers seeking to rely on the exception would have to require their departing representatives to provide to them, not later than the representative's separation from employment, a written record of the information that would be disclosed pursuant to the exception, and broker-dealers and registered investment advisers would be required to preserve such records consistent with the proposed recordkeeping provisions of Section 30.93 This condition is intended to help ensure that firms relying on the exception are appropriately accounting for the information they are disclosing in connection with departures of their representatives.94

The exception would be subject to conditions that are designed to limit the potential that the information would result in identity theft or other abuses. The shared information could not include any customer's account number, Social Security number, or securities positions.95 A representative would not need this type of information to contact investors, although it would be useful to an identity thief, and an investor probably would not expect a representative to remember it. In addition, a representative could solicit only an institution's customers that were the representative's clients. This condition recognizes that an investor might expect to be contacted by a representative with whom the investor has done business before, but not by another person at the representative's new firm.96

As noted above, the proposed exception is designed to facilitate the transfer of client contact information that would help broker-dealers and registered investment advisers offer clients the choice of following a departing representative to a new firm. At firms that choose to rely on it, the proposed exception also should reduce potential incentives some representatives may have to take information with them secretly when they leave. By specifically limiting the types of information that could be disclosed to the representative's new firm, the proposed amendments are designed to help firms safeguard more sensitive client information. This limitation also would clarify that a firm may not require or expect a representative from another firm to bring more information than necessary for the representative to solicit former clients. Because the proposed exception is designed to promote investor choice, provide legal certainty, and reduce potential incentives for improper disclosures, we preliminarily believe that it would be necessary or appropriate in the public interest, and is consistent with the protection of investors.

The proposed exception would not limit the disclosure of additional information to a new firm pursuant to a customer's consent or direction.97 It also would not preclude the disclosure of additional information required in connection with the transfer of a customer's account.98 Depending on its business organization, its policies regarding departing representatives and the circumstances of a representative's departure, a firm could choose to rely on existing exceptions rather than the proposed new exception.99 The proposed exception is designed to allow firms that choose to share limited contact information to do so. The proposed exception would not, however, affect firm policies that prohibit the transfer of any customer information other than at the customer's specific direction.

We have chosen to propose this approach as opposed to an alternative approach that would require all firms to include specific notice and opportunity to opt out of this information sharing in their initial and annual privacy notices. Under this alternative, a broker-dealer's or registered investment adviser's privacy notice would have to provide specific disclosure regarding the circumstances under which the broker-dealer or adviser would share customer information with another firm when a registered representative or supervised person leaves. We have chosen this approach because, as indicated earlier, many representatives develop close professional and personal relationships with investors. They are likely to remember basic contact information for their clients or have recorded it in their own personal records, and investors would expect representatives to have this information. This type of limited contact information is unlikely to put investors at serious risk of identity theft. Also, we believe that a description of disclosures to a departing representative's new firm would be difficult to distinguish from the description of disclosures made for the purpose of third-party marketing and would further complicate already complex privacy notices.

  • Commenters are invited to discuss the proposed new exception. Would it permit the transfer of contact information so as to promote investor choice and convenience? Would it foreclose the transfer of particularly sensitive information that, if misused, could lead to identity theft? Should the transfer of customer contact information be conditioned on the broker-dealer or registered investment adviser receiving the information certifying to the sharing institution that it complies with the safeguards and disposal rules?
  • We also invite commenters to share their views on the likely effect of the proposed new exception on competition in recruiting broker-dealer and investment adviser representatives. Are there alternative approaches that would both protect investor information and not unduly restrict the transfer of representatives from one firm to another?
  • We seek comment on potential alternative approaches, including requiring specific disclosure. Are investors, particularly new clients to a firm, likely to understand disclosures about information that would be given to a departing representative's new firm in initial or annual privacy notices?100 Should the availability of the proposed exemption be conditioned on providing investors with specific disclosure regarding whether a covered institution would disclose personal information in connection with a representative's departure?
  • The proposed exception would permit broker-dealers and registered investment advisers to transfer limited information to other broker-dealers and registered investment advisers without first providing notice and opt out. Should we make the proposed exception available for information transferred to other types of financial institutions where a departing representative may go? For example, should we permit broker-dealers and registered investment advisers to rely on the exception to share information with investment advisers that are not registered with the Commission?
  • Commenters are invited to express their views on the proposed exemption's condition that a departing representative of a covered institution relying on this exemption could solicit only the institution's customers that were the representative's clients.

III. GENERAL REQUEST FOR COMMENTS

We request comment on all aspects of the proposed amendments to Regulation S-P. We particularly urge commenters to suggest other provisions or changes that could enhance the ways in which securities industry participants protect personal information. We encourage commenters to provide empirical data, if available, to support their views.

IV. PAPERWORK REDUCTION ACT

Certain provisions of the proposed amendments contain "collections of information" requirements within the meaning of the Paperwork Reduction Act of 1995 ("PRA").101 The Commission is submitting these amendments to the Office of Management and Budget ("OMB") for review and approval in accordance with the PRA.102 The title for the collections of information is "Information security programs for personal information; records of compliance." The safeguards and disposal rules we propose to amend contain currently approved collections of information under OMB Control No. 3235-0610, the title of which is, "Rule 248.30, Procedures to safeguard customer records and information; disposal of consumer report information."103

The Commission is proposing to amend Regulation S-P's safeguards and disposal rules, 17 CFR 248.30(a) and (b), pursuant to Sections 501, 504, 505, and 504 of the GLBA,104 Sections 17, 17A, 23, and 36 of the Exchange Act,105 Sections 31(a) and 38 of the Investment Company Act,106 and Sections 204 and 211 of the Investment Advisers Act.107 Regulation S-P sets forth the Commission's safeguards rule for institutions covered by the regulation. Among other things, the safeguards rule requires covered institutions to adopt administrative, technical and physical information safeguards to protect customer records and information. Regulation S-P also contains the Commission's disposal rule, which requires institutions to properly dispose of consumer report information possessed for a business purpose by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

The proposed amendments are designed to ensure that covered institutions maintain a reasonable information security program that includes safeguarding policies and procedures that are more specific than those currently required, including policies and procedures for responding to data security breach incidents, for notifying individuals for whom the incidents pose a risk of identity theft, and for reporting certain incidents to the Commission (or to a broker-dealer's designated examining authority) on proposed Form SP-30. The amendments also would broaden the scope of information and the types of institutions and persons covered by the safeguards and disposal rules. Finally, the amendments would create a new exception from Regulation S-P's notice and opt out requirements for disclosures of limited information in connection with the departure of a representative of a broker-dealer or registered investment adviser. Firms choosing to rely on the exception would be required to keep records of the information disclosed pursuant to it.

The hours and costs associated with these collections of information would consist of reviewing the proposed amendments, collecting and searching for existing policies and procedures, conducting a risk assessment, developing and recording information safeguards appropriate to address risks, training personnel, and adjusting written safeguards on an ongoing basis. Institutions would also have to respond appropriately to incidents of data security breach as may occur on an ongoing basis. If misuse of information has occurred or is reasonably possible, this would include notifying affected individuals. If there is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience, or any unauthorized person has intentionally obtained access to or used sensitive personal information, this would also include notifying the Commission or an appropriate designated examining authority as soon as possible on proposed Form SP-30. Certain of these collections of information also would require disclosure, reporting, and recordkeeping burdens, as analyzed below.

An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless a currently valid OMB control number is displayed. Responses to these collections of information would not be kept confidential.108 The collections of information would be mandatory, and would have to be maintained by broker-dealers for not less than three years, the first two years in an easily accessible place, by registered transfer agents for a period of not less than two years, the first year in an easily accessible place, by investment companies for a period not less than six years, the first two years in an easily accessible place, and registered investment advisers would have to preserve the records for five years, the first two years in an appropriate office of the investment adviser.

Information security and security breach response requirements

The proposed amendments contain collections of information requirements related to the more specific standards we are proposing for safeguarding personal information, including standards for responding to data security breaches. We believe these proposed collections of information are necessary to help prevent and address security breaches and designed to ensure that covered institutions maintain a reasonable information security program pursuant to the statutory requirements. Covered institutions would have to document in writing steps they would be required to take to develop, implement, and maintain a comprehensive information security program. We estimate that there would be 12,432 respondents to this information collection.109 Of these covered institutions, we estimate that 5,862 are smaller institutions and 6,570 are larger institutions.110

Based on limited inquiries of covered institutions, the staff estimates that the amount of time smaller institutions would devote to initial compliance with the proposed amendments would range from 2 to 80 hours with a midpoint of 41 hours.111 This estimate reflects the following burden hours: 1 hour for the board of directors to designate an information security program coordinator; 1 hour for the program coordinator to review the amendments; 4 hours to assess risks and review procedures; 10 hours to review, revise and implement new safeguards (including any data breach notification procedures); 8 hours to test the effectiveness of the safeguards' controls and procedures; 7 hours to train staff; and 10 hours to review service providers' policies and procedures and revise contracts as necessary to require them to maintain appropriate safeguards. The staff estimates that initially it would cost smaller institutions approximately $18,560 to comply with the proposed amendments.112 Amortized over three years, the estimated annual hourly burden would be 14 hours at a cost of approximately $6,187.

The staff estimates that the amount of time larger institutions would devote to initial compliance with the proposed amendments would range from 40 hours to 400 hours with a midpoint of 220 hours.113 This estimate reflects the following burden hours: 2 hours for the board of directors to designate an information security program coordinator; 2 hours for the program coordinator to review the amendments; 42 hours to assess risks and review procedures; 60 hours to review, revise and implement new safeguards (including any data breach notification procedures); 60 hours to test the effectiveness of the safeguards' controls and procedures; 34 hours to train staff; and 20 hours to review service providers' policies and procedures and revise contracts as necessary to require them to maintain appropriate safeguards. The staff estimates that larger institutions would spend approximately $172,732 to comply with the proposed amendments initially.114 Amortized over three years, the estimated annual hourly burden would be 73 hours at a cost of approximately $57,577.

On an annual, ongoing basis the staff estimates that the amount of time smaller institutions would devote to ongoing compliance with the safeguards and disposal rules, as they are proposed to be amended, would range from 12 hours to 40 hours per year with a midpoint of 26 hours per year. This estimate reflects the following burden hour estimates: 5 hours to regularly test or monitor the safeguards' key controls, systems, and procedures; 3 hours to augment staff training; 3 hours to provide continued oversight of service providers; 3 hours to evaluate and adjust safeguards; 10 hours to respond appropriately to potential incidents of data security breach, including investigating the breach and, as necessary, notifying affected individuals; and 2 hours to notify the Commission or a designated examining authority as soon as possible on proposed Form SP-30, in the event there is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information.115 We believe that most institutions investigate data security breaches as a matter of good business practice to protect their business operations and the sensitive information they have about employees and clients. Nevertheless, we have estimated additional burden hours because the proposed rule specifies certain elements of the investigation and the notice to affected individuals. We also believe that an institution would have gathered all the information that would have to be disclosed in Form SP-30 in the course of these investigations of data security breaches. Thus, staff estimates for the Form SP-30 collection of information burden reflect only the time it would take to draft the information on the form. Staff estimates that smaller institutions would spend an additional $10,764 per institution per year in connection with these burdens.116

The staff also estimates that the amount of time larger institutions would devote to ongoing compliance with the proposed amendments would range from 32 hours to 100 hours with a midpoint of 66 hours per year. This estimate reflects the following burden hour estimates: 12 hours to regularly test or monitor the safeguards' key controls, systems, and procedures; 9 hours to augment staff training; 9 hours to provide continued oversight of service providers; 10 hours to evaluate and adjust safeguards; 20 hours to respond appropriately to potential incidents of data security breach, including investigating the breach and, as necessary, notifying affected individuals; and 6 hours to notify the Commission or a designated examining authority as soon as possible on proposed Form SP-30, in the event there is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information.117 Staff believes that larger institutions are likely to have more complex business operations and data systems and may experience more sophisticated security attacks than smaller institutions. As a result, staff anticipates that larger institutions are more likely to conduct more complicated investigations that require more detailed explanations on proposed Form SP-30. Staff estimates therefore that larger institutions would take more time to perform investigations and to complete the questions on proposed Form SP-30.118 The staff estimates that larger institutions would spend approximately an additional $51,084 per institution per year.119

Given the estimates set forth above, we estimate that the weighted average initial burden for each respondent would be approximately 136 hours120 and $100,036.121 We also estimate that the weighted average ongoing burden for each respondent would be approximately 47 hours122 and $32,072.123

Scope of the safeguards and disposal rules

The amendments also would broaden the scope of information and of the entities covered by the safeguards and disposal rules. These amendments do not contain collections of information beyond those related to the information security and security breach response requirements, analyzed above.

Records of compliance

The proposed amendments would require that written records required under the disposal and safeguards rules be maintained and preserved by broker-dealers for not less than three years, the first two years in an easily accessible place, by registered transfer agents for a period of not less than two years, the first year in an easily accessible place, by investment companies for a period not less than six years, the first two years in an easily accessible place, and registered investment advisers would have to preserve the records for five years, the first two years in an appropriate office of the investment adviser. Covered institutions are already required pursuant to other Commission rules to maintain and preserve similar records in the same manner, and we do not believe that the currently approved collections of information for these rules would change based on the proposed amendments.124

Exception for limited information disclosure when personnel leave their firms

The proposed amendments would create a new exception from Regulation S-P's notice and opt out requirements that would permit limited disclosures of investor information when a registered representative of a broker-dealer or supervised person of a registered investment adviser moves from one brokerage or advisory firm to another. This exception would require that the departing representative provide the broker, dealer, or registered investment adviser he or she is leaving with a written record of the permissible information that would be disclosed under this exception. Broker-dealers and registered investment advisers also would be required to retain a record of that information consistent with existing record retention requirements. All broker-dealers and registered investment advisers maintain records of their customers and clients, including relevant contact information and type of account. Thus, we estimate that allowing a departing representative to make a copy of this information and requiring the broker-dealer or registered investment adviser to retain a record of that information would not result in an additional measurable burden to the firm.

We request comment on whether these estimates are reasonable. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comments in order to: (i) evaluate whether the proposed collections of information are necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (ii) evaluate the accuracy of the Commission's estimate of the burden of the proposed collections of information; (iii) determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; and (iv) minimize the burden of the collections of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology.

Members of the public may direct to us any comments concerning the accuracy of these burden estimates and any suggestions for reducing these burden hours. Persons wishing to submit comments on the collection of information requirements of the proposed amendments should direct them to the Office of Management and Budget, Attention Desk Officer of the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Room 10102, New Executive Office Building, Washington, DC 20523, and should send a copy to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090 with reference to File No. S7-06-08. OMB is required to make a decision concerning the collections of information between 30 and 60 days after publication of this release; therefore a comment to OMB is best assured of having its full effect if OMB receives it within 30 days after the publication of this release. Requests for materials submitted to OMB by the Commission with regard to these collections of information should be in writing, refer to File No. S7-06-08, and be submitted to the Securities and Exchange Commission, Public Reference Room, 100 F Street, NE, Washington, DC 20549.

V. COST-BENEFIT ANALYSIS

The Commission is sensitive to the costs and benefits imposed by its rules. We have identified certain costs and benefits of the proposed amendments and request comment on all aspects of this cost-benefit analysis, including identification and assessment of any costs and benefits not discussed in this analysis. We seek comment and data on the value of the benefits identified. We also welcome comments on the accuracy of the cost estimates in each section of this analysis, and request that commenters provide data so we can improve these cost estimates. In addition, we seek estimates and views regarding these costs and benefits for particular covered institutions, including registered transfer agents, as well as any other costs or benefits that may result from the adoption of these proposed amendments.

As discussed above, the proposed rule amendments are designed to enhance covered institutions' information security policies and procedures as well as their ability to protect personal information. Under Regulation S-P, covered institutions have been required to safeguard customer records and information since 2001 and to dispose properly of consumer report information since 2005. The proposed amendments would modify Regulation S-P's current safeguards and disposal rules to: (i) require more specific standards under the safeguards rule, including standards that would apply to data security breach incidents; (ii) broaden the scope of information and the types of institutions and persons covered by the rules; and (iii) require covered institutions to maintain written records of their policies and procedures and their compliance with those policies and procedures. The proposed amendments also would create a new exception from Regulation S-P's notice and opt-out requirements that would not unduly restrict the transfer of representatives from one broker-dealer or registered investment adviser to another while protecting customer information.

A. Costs and Benefits of More Specific Information Security and Security Breach Standards

As noted, since 2001 broker-dealers, investment companies, and registered investment advisers have been required to adopt policies and procedures reasonably designed to insure the security and confidentiality of customer records and information, protect against anticipated threats or hazards, and protect against unauthorized access to or use of customer records and information.125 The proposed rule amendments would require more specific standards for safeguarding personal information, including standards for responding to data security breaches. The amendments would require covered institutions to develop, implement, and maintain a comprehensive "information security program" for protecting personal information and for responding to unauthorized access to or use of personal information that would have to be appropriate to the institution's size and complexity, the nature and scope of its activities, and the sensitivity of the personal information involved. The information security program would have to include seven safeguarding elements, as described above in section II.A. Our proposed amendments also would specifically require that institutions' information security programs include procedures for responding to incidents of unauthorized access to or use of personal information. We believe that these proposed amendments would be consistent with safeguarding guidance and rules issued by the Banking Agencies and the FTC.126

1. Benefits of More Specific Information Security and Security Breach Standards

We anticipate that the proposed amendments would benefit covered institutions and investors by providing specific standards for policies and procedures to safeguard investor information, boosting investor confidence and mitigating losses due to security breach incidents, helping to ensure that information security programs are actively managed and regularly updated, and reducing the compliance burden for institutions in the event of a data security breach incident.

One benefit of the proposed information security and security breach standards would be to provide firms in the securities industry with detailed standards for the policies and procedures that a well-designed information security program should include. As already noted, a significant increase in reported information security breaches involving covered institutions, including increasingly sophisticated identity theft attacks directed at the securities industry, has altered the risk environment and brought to our attention the vulnerability of certain of our institutions' information security policies and procedures.127 We are concerned that some Commission-regulated institutions may not regularly reevaluate and update their safeguarding programs to deal with these increasingly sophisticated methods of attack. As a result, our staff has devoted increased attention to this area.

The current rule's reasonable design standard has permitted institutions flexibility to implement safeguarding policies and procedures tailored to their own privacy policies and practices and their varying business operations. While many institutions have appropriate safeguards in place, some institutions, including some smaller institutions, may have had difficulty keeping up with the changes in the threat environment. Setting out a more specific framework for institutions' continuing obligation to protect customer information may ease institutions' burden in interpreting our expectations of safeguarding policies and procedures that are "reasonably designed," while retaining much of the current rule's flexibility.

We believe the proposed amendments would be consistent with the Commission's initial statutory mandate under the GLBA to adopt, in 2000, final financial privacy regulations that are consistent and comparable with those adopted by other federal financial regulators.128 As noted above, after our adoption of Regulation S-P's safeguards rule, the FTC and the Banking Agencies issued regulations with more detailed standards applicable to the institutions they regulate.129 The Banking Agencies also issued guidance for their institutions on responding to incidents of unauthorized access to or use of customer information.130 Our proposed amendments include safeguarding elements consistent with the regulatory provisions of these other agencies that Commission-regulated institutions would have to address in their safeguarding policies and procedures.131

Covered institutions would benefit from having specific standards that are consistent and comparable to those already adopted by the Banking Agencies and the FTC in other ways. For example, covered institutions that have banking affiliates may have already developed policies and procedures consistent with the Banking Agencies' guidance that are applied to all affiliates of the bank. If they do not have the same policies and procedures, these covered institutions would be able to apply the banking affiliate's policies and procedures to the securities businesses with few changes. More specific safeguarding standards also could increase investor confidence in institutions and help mitigate losses that can result from lax safeguarding policies and procedures. Incidents of identity theft have affected a large number of Americans and are difficult and expensive for victims to deal with and correct.132 Moreover, there is at least anecdotal evidence that the wave of widely-reported incidents of data security breaches has played a role in discouraging a significant number of individuals from conducting business online.133 The proposed amendments could benefit investors and increase their confidence by providing firms with detailed standards for the processes that a well-designed information security program should include. This could result in enhanced protection for the privacy of investor information, and could decrease incidents of identity theft, thereby mitigating losses due to identity theft and other misuses of sensitive information. We also believe that the increased protection that could result from the proposed amendments could benefit institutions, which frequently incur the costs of fraudulent activity.134 Thus, if only a small number of security breach incidents were averted because the proposed amendments were adopted, there still could be a significant cost savings to individuals and institutions.135

As noted above, we are concerned that some institutions do not regularly reevaluate and update their safeguarding programs. Requiring covered institutions to designate in writing an employee or employees to coordinate their information security programs should foster clearer delegations of authority and responsibility, making it more likely that an institution's programs are regularly reevaluated and updated. Having an information security program coordinator also could contribute to an institution's ability to meet its affirmative and continuing obligation under the GLBA to safeguard customer information.136 If, for example, elements of a covered institution's information security program were not maintained on a consolidated basis, but were dispersed throughout an institution, we believe having a responsible program coordinator or coordinators should facilitate the institution's awareness of these elements, as well as enable it to better manage and control risks and conduct ongoing evaluations.

We expect that the proposed framework for the initial and ongoing oversight of institutions' information security programs in the form of formal risk assessments, periodic testing or monitoring of key controls, systems, and procedures, staff training, and relevant evaluations and adjustments would help to ensure that information security programs are appropriately updated along with relevant changes in technology, new business arrangements, changes in the threat environment, and other circumstances. Finally, the proposed amendment that would require covered institutions to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards and would require service providers by contract to implement and maintain appropriate safeguards should help to ensure that sensitive personal information is protected when it leaves the institution's custody, while still permitting institutions the flexibility to select appropriate service providers.

The proposed requirement that information security programs include specific procedures for responding to incidents of unauthorized access to or use of personal information is designed to benefit investors and institutions. The requirement would benefit investors who receive notice of an information security breach pursuant to an institution's incident response procedures by allowing those investors to take precautions to the extent they believe necessary.137 The procedures also would benefit institutions by establishing a national data breach notification requirement for covered institutions.138 Currently at least 39 states have enacted statutes requiring notification of individuals in the event of a data security breach.139 This patchwork of overlapping and sometimes inconsistent regulation has created a difficult environment for financial institutions' compliance programs. However, many of the state statutes contain exemptions for entities regulated by federal data security breach regulations.140 Accordingly, the proposed amendments could benefit covered institutions by significantly reducing the number of requirements with which covered institutions must comply.141 As noted, the banking regulators published similar data breach notification guidance in 2005.142

We request comment on available metrics to quantify these benefits and any other benefits the commenter may identify. In particular, we request comment reflecting institutions' experiences in safeguarding customer information and addressing the security breach incidents discussed above. Commenters are also requested to identify sources of empirical data that could be used for the metrics they propose.

2. Costs of More Specific Information Security and Security Breach Standards

Some institutions would likely incur additional costs in reviewing, implementing, and maintaining more specific information security and security breach standards. Institutions could incur additional costs in reviewing current safeguarding policies and procedures and designing and implementing new ones, if necessary, on an initial basis. Institutions also could incur additional costs on an ongoing basis to maintain up-to-date information security programs and to respond appropriately to any data security breach incidents.

According to Commission filings, approximately 6,016 broker-dealers, 4,733 investment companies comprising portions of 813 fund complexes,143 77 business development companies, 9,860 registered investment advisers, and 501 registered transfer agents, or 17,267 covered institutions, would be required to comply with the proposed amendments' more specific information security and security breach standards.144 As noted, broker-dealers, investment companies, and registered investment advisers have been required to have reasonably designed safeguarding policies and procedures since 2001. In addition, transfer agents have been required to have information security safeguards since 2003, in accordance with the FTC Safeguards Rule.145 We estimate that 56 percent of all covered institutions, or 9,670 institutions, have one or more financial affiliates (whether these institutions are regulated by the Commission or other federal financial regulators).146 We estimate that each of the affiliated institutions has one corporate affiliate. Based on limited inquiries of covered institutions, we believe that these affiliated institutions are likely to have developed safeguarding policies and procedures on an organization-wide basis, rather than each affiliate developing policies and procedures on its own.147 We also believe that the affiliate that developed the affiliated organization's safeguarding policies and procedures is also responsible for maintaining these policies and procedures. We therefore estimate that one-half of the covered affiliated institutions, or 4,835 institutions, have developed, documented, and are maintaining safeguarding policies and procedures, while the other half instead use the policies and procedures developed, documented, and maintained by their affiliate.148 Accordingly, we estimate that 12,432 covered institutions have developed and adopted safeguarding policies and procedures and are maintaining these policies and procedures in accordance with the current rule.149

We expect that these institutions' current costs to maintain safeguarding policies and procedures in compliance with the Commission's safeguards rule vary greatly depending upon the size of the institution, its customer base, the complexity of its business operations, and the extent to which the institution engages in information sharing. Thus, for example, we estimate that small investment advisers with fewer than 10 employees require more limited safeguarding policies and procedures to address a limited scope of information transfer, storage, and disposal. We believe that larger broker-dealers or fund complexes, by contrast, are more likely to have and maintain a more extensive set of information safeguarding policies and procedures, corresponding to these institutions' more complex business activities and information sharing practices.

Of the covered institutions, we estimate that 7,030 registered investment advisers have 10 or fewer employees.150 We estimate that 942 broker-dealers and investment company complexes are small institutions, and are likely to have no more than 10 employees.151 Based on Commission filings, we also estimate that 170 transfer agents are smaller institutions that are likely to have no more than 10 employees. We therefore estimate that 8,142 institutions, out of 17,267 covered institutions, are smaller institutions that are likely to have no more than 10 employees.152 We believe that the institutions that have developed and adopted safeguarding policies and procedures are as likely to be smaller institutions with no more than 10 employees as the total population of covered institutions.153 Therefore, of 12,432 covered institutions that we estimate have developed and adopted and are maintaining safeguarding policies and procedures, we estimate for purposes of this analysis that 5,862 institutions are smaller institutions, while 6,570 institutions are larger institutions.154

Based on conversations with representatives of covered institutions, and information collected from limited inquiries of covered institutions, we estimate that smaller institutions are currently spending between $5,000 and $1,000,000 per year to comply with the safeguards and disposal rules.155 We also estimate that larger institutions are spending between $200,000 and $10,000,000 per year to comply with the safeguards and disposal rules. These estimates include costs for dedicated personnel, maintaining up-to-date policies and procedures, enforcing various safeguarding requirements (such as "clean desk" requirements), hiring contractors to properly dispose of sensitive information, developing and enforcing access procedures, ongoing staff training, monitoring and reviewing compliance with safeguarding standards, and computer encryption. These estimates also include current spending to comply with state data security breach statutes.156

We expect that most covered institutions have information security programs in place that would be consistent with the proposed amendments.157 We do not have a reliable basis for estimating the number of institutions that would incur additional costs or the extent to which those institutions would have to enhance their policies and procedures, including documentation of the information safeguard program and its elements. Accordingly, we have estimated the range of additional costs that individual firms could incur. We seek comment on the number of firms that have information safeguard programs that would satisfy the proposed amendments, the number of firms that would have to enhance their programs, the extent of those enhancements, and the costs of enhancement.

If the proposed amendments were adopted, covered institutions could incur costs to supplement their current information security programs in some or all of the following ways. First, the institution would be required to review and, as appropriate, revise its current safeguarding policies and procedures, including its data security breach procedures and disposal rule procedures, to comply with the more specific requirements of the proposed amendments. Initially this would require the institutions to: (i) designate an employee or employees as coordinator for the information security program; (ii) identify in writing reasonably foreseeable security risks that could result in the unauthorized or compromise of personal information or personal information systems; (iii) review existing or design new safeguards to control these risks; (iv) train staff to implement the safeguards; and (v) test the effectiveness of the safeguards' key controls, including access controls and controls to detect, prevent and respond to incidents of unauthorized access to or use of personal information. Second, an institution also would be required to review its service providers' information safeguards and determine whether its service providers are capable of maintaining appropriate safeguards for personal information, document this finding, and enter into contracts with the service providers to implement and maintain appropriate safeguards.

Third, an institution would be required to review existing safeguarding procedures relating to data security breach incidents. Initially, this could include: (i) assessing current policies and procedures for responding to data breach incidents; and (ii) designing and implementing written policies and procedures to assess, control, and investigate incidents of unauthorized access or use of sensitive personal information, as well as policies and procedures to notify individuals and the Commission or a broker-dealer's designated examining authority, if necessary.

Fourth, to comply with these amendments on an ongoing basis, institutions would be required to: (i) regularly test or monitor, and maintain a written record of, the effectiveness of their safeguards' key controls, systems and procedures (including an assessment of personal information system access controls, controls designed to detect, prevent and respond to data security breach incidents, and controls related to employee training or supervision); (ii) train staff to implement their information security program; (iii) continue and document their oversight of service providers; and (iv) evaluate and adjust their information security programs in light of testing and monitoring, and changes in technology, business operations or arrangements, and other material circumstances.

Finally, an institution would be required to begin to respond to any data security breach incidents as may occur on an ongoing basis. This would include implementing and following written procedures to: (i) assess the nature and scope of the incident; (ii) take appropriate steps to contain and control it, and document those steps in writing; (iii) promptly conduct a reasonable investigation and make a written determination of the likelihood that sensitive personal information had been or would be misused; (iv) if misuse of information had occurred or were reasonably likely, notify affected individuals; and (v) if an individual identified with the information had suffered substantial harm or inconvenience, or any unauthorized person had intentionally obtained access to or used sensitive personal information, notify the Commission, or the appropriate designated examining authority as soon as possible on proposed Form SP-30.

We expect these estimated costs would vary significantly depending on the size of the institution, the adequacy of its existing safeguarding policies and procedures, and the nature of the institution's operations. The "reasonably designed" standard for information security programs in the proposed rule amendments is consistent with the current safeguards and disposal rules. Thus, we believe it should be relatively straightforward for an institution that does not currently have policies and procedures that apply to specific elements of the proposed amendments to incorporate these elements into its current system of safeguarding policies and procedures. In addition, we estimate that little or no modification to an institution's safeguarding policies and procedures would be required in situations where a covered institution's affiliate developed its existing safeguarding policies and procedures in compliance with the Banking Agencies' safeguarding guidance or the FTC's rules.

In addition to an institution's size, the adequacy of its safeguards, and its operations, we expect that institutions' information security programs would vary considerably depending on the way in which each collects information, the number and types of entities to which each transfers information, and the ways in which each stores, transfers, and disposes of personal information. Based on conversations with representatives of covered institutions and information collected from limited inquiries of institutions, our staff estimates that the additional initial costs that an institution could incur to comply with the proposed amendments could range from 0 to 10 percent of its current costs of maintaining an information security program. Our staff also estimates that the additional costs an institution could incur for ongoing compliance with the proposed amendments could range from 0 to 5 percent of its current costs.158 For purposes of the PRA, staff estimates that for a smaller institution, the initial costs could range between $500 and $100,000, with an approximate cost of $18,560 per smaller institution.159

Staff also estimates that for a smaller institution, additional ongoing costs could range between $250 and $50,000, with an approximate cost of $10,764 per smaller institution per year.160 With respect to a larger institution, again for purposes of the PRA, staff estimates that initial costs could range between $20,000 and $1 million, with an approximate cost of $172,732 per larger institution.161 Staff further estimates that for a larger institution, additional ongoing costs could range between $10,000 and $500,000 per year, with an approximate cost of $51,084 per larger institution per year.162 We note that an institution that currently incurs the highest estimated costs for its information security program seems likely already to have a comprehensive information security program and therefore would be less likely to require program enhancements to comply with the rule. Accordingly, the high end of the range of estimated costs for institutions may be excessive.

We request comment on our estimated costs and the rationale underlying them, and on any aspect of the estimates or other costs that we have not considered. We seek information about particular costs of compliance, as well as information on any overall percentage increase in costs that firms would likely incur as a result of the proposed amendments. We request comment accompanied by statistical or other quantitative information, and comment on the experiences of institutions in dealing with the circumstances described above. Commenters should identify the metrics of any empirical data that support their cost estimates.

B. Costs and Benefits of Broadened Scope of Information and of Covered Institutions

The proposed rule amendments would broaden the scope of information covered by the safeguards and disposal rules. From the perspective of ease of compliance, we anticipate that institutions would benefit from having a common set of rules that apply to both nonpublic personal information about customers and consumer report information. We also expect that investors would benefit from expanding the scope of information covered by the safeguards and disposal rules because both terms exc