The Securities and Exchange Commission (SEC) has proposed amendments to Regulation S-P, which sets forth privacy obligations for entities it regulates. To help prevent and address security breaches and better protect investor information, the SEC proposes to amend Regulation S-P in four principal ways. First, the proposed amendments would require more specific standards under the safeguards rule, including standards that would apply to data security breach incidents. Second, they would amend the scope of the information covered by the safeguards and disposal rules, and broaden the types of institutions and persons covered by the rules. Third, the proposed amendments would require institutions subject to the safeguards and disposal rules to maintain written records of their policies and procedures and of their compliance with those policies and procedures. Finally, the amendments would provide a new exception from Regulation S-P’s notice and opt-out requirements to allow investors to more easily follow a representative who moves from one brokerage or advisory firm to another.
More specifically, the proposed amendments would further develop the current safeguards rule in Regulation S-P by requiring each institution subject to the safeguards rule to develop, implement, and maintain a comprehensive "information security program," including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information. The proposed amendments would also specify particular elements that a program meeting the requirements of Regulation S-P must include.
In addition, the SEC is proposing that information security programs include procedures for responding to incidents of unauthorized access to or use of personal information. These procedures would include notice to affected individuals if misuse of sensitive personal information has occurred or if there is a reasonable possibility that it has occurred. The procedures would also include notice to the SEC (or, for certain broker-dealers, their designated examining authority) under circumstances in which an unauthorized person has intentionally obtained access to or used an individual’s sensitive personal information, or in which an individual whose information has been misused has suffered substantial harm or inconvenience. The data security breach response provisions of the proposed amendments include elements intended to provide firms in the securities industry with detailed standards for responding to a breach so as to protect against unauthorized use of compromised data.
The amendments propose to broaden the scope of information covered by Regulation S-P’s safeguards and disposal rules and to better align the information covered by the two types of provisions. The SEC also proposes to extend the application of the safeguards rule to registered transfer agents—currently subject only to the disposal rule—as well as to extend the application of the disposal rule to natural persons associated with brokers, dealers, registered investment advisers, and registered transfer agents.
The SEC further proposes to amend Regulation S-P to require institutions subject to the safeguards and disposal rules to make and preserve written records of their safeguards and disposal policies and procedures, and to require that institutions document that they have complied with the elements required to develop, maintain, and implement policies and procedures for protecting and disposing of personal information, including procedures relating to incidents of unauthorized access to or misuse of personal information.
Finally, the proposed amendments would add a new exception from the notice and opt-out requirements of Regulation S-P to permit limited disclosures of investor information when a registered representative of a broker-dealer or a supervised person of a registered investment adviser moves from one brokerage or advisory firm to another. The proposed exception would permit one firm to disclose to another firm only the following information: the customer’s name, a general description of the type of account and products held by the customer, and the customer’s contact information, including address, telephone number, and email information. Broker-dealers and registered investment advisers seeking to rely on the exception would have to require their departing representatives to provide to them, not later than the representative’s separation from employment, a written record of the information that would be disclosed pursuant to the exception, and broker-dealers and registered investment advisers would be required to preserve such records consistent with the proposed recordkeeping provisions.
Investment Management FYI is a service of the Investment Management Practice of Morgan Lewis. If you have any questions concerning these important legal developments reflected herein, please contact any of the following Morgan Lewis attorneys:
Washington, D.C.
Magda El Guindi-Rosenbaum, 202.739.5778, mer@morganlewis.com
Monica L. Parry, 202.739.5692, mparry@morganlewis.com
Shauna R. Sappington, 202.739.5573, ssappington@morganlewis.com
Dianne M. Sulzbach, 202.739.5470, dsulzbach@morganlewis.com