Investment advisers must protect records that contain certain clients’ non-public, personal information. In efforts to safeguard client records and information, investment advisers should have in place a written information security plan. The main purpose of developing and implementing a strong written information security plan is to make sure that investment advisers have written policies and procedures in place to protect clients’ personal information. Investment advisers’ information security written policies and procedures must be reasonably designed to ensure the security and confidentiality of client records and information and to protect such records and information against any anticipated threats, hazards or unauthorized access or use.
Non-public personal information generally means any personally identifiable financial information that is not readily available to the public. According to Regulation 201 CMR 17.00 of the General Laws of Massachusetts, personal information is considered a person’s “first and last name or their first initial and last name in combination with any one or more of the following data elements that relate to such (person): (a) Social Security number: (b) driver’s license number or state issued identification card number; or (c) their financial account number or credit or debit card number with or without any required security code, access code, personal identification number or password, that would permit access to a (person’s) financial account…”
The following are some examples of safeguards investment advisers should have in place as part of a written information security plan to protect clients’ non-public, personal information:
- Client files are physically locked during non-business hours;
- Strong electronic passwords are utilized and periodically changed;
- Passwords are never provided by email or through a web page accessed through a link in an email; and
- Employees are required to shred documents when disposing of physical files containing clients’ non-public personal information.
In addition to implementing strong safeguards to protect clients’ non-public, personal information, investment advisers’ written information security plans should also include written policies and procedures on how to handle security breaches. Employees of the investment adviser should be required to report any suspicious or unauthorized use of client information. In the event of a security breach, investment advisers should identify the problem and take corrective action to control the breach and prevent further unauthorized access or use. If a client’s personal information obtained or maintained by a investment adviser has been compromised, the investment adviser firm should immediately notify the client(s) of the breach and provide notice to the U.S. Securities Exchange Commission (“SEC”) or the proper state securities regulator. Information concerning the breach, including any corrective actions taken and notifications provided should be recorded and maintained as part of a investment adviser’s books and records.
SEC registered investment advisers’ information security plans should be written to be compliant with Regulation S-P and the Gramm-Leach-Bliley Act. State registered investment advisors must also comply with the Safeguard Rules under the Gramm-Leach-Bliley Act. Additionally, some states have implemented their own regulation specific to the protection of client non-public personal information. SEC and state registered investment advisers must make sure they comply with the specific state regulations as well. For instance, on March 1, 2010 the Commonwealth of Massachusetts adopted 201 CMR 17.00 under Chapter 93H of the General Laws of Massachusetts in efforts to further safeguard client records and information. These regulations apply to any investment adviser with clients located in Massachusetts. This means that any SEC registered investment adviser with a client located in Massachusetts will be required to comply with the Massachusetts regulations in addition to complying with the U.S. Securities and Exchange Commission’s (“SEC”) Regulation S-P. Another state with its own privacy laws that apply to investment advisers is Nevada. Nevada’s privacy regulations require investment advisers with clients in Nevada to adopt encryption related measures pursuant to the Nevada Revised Statutes.
In an age of ever increasing identity theft, investment advisers have a responsibility to ensure they are implementing best practices to protect client data and personal information. If your investment adviser firm would like help, RIA Compliance Consultants can help you develop a written information security plan or review an existing plan. If you would like assistance and you are an existing client, contact your consultant. If you have not previously worked with RIA Compliance Consultants, click here to schedule a time to speak with one of our compliance consultants.