Encryption and protection of client data, SEC, Finra, Massachusetts and Nevada

It is a good time for advisers to review their responsibilities when it comes to keeping their clients’ personal data safe.
In this week’s print issue we ran a story on a breach that occurred when an LPL adviser’s portable hard drive was stolen from his car (see Data theft puts LPL clients at risk) and I made the use of encryption the focus of this week’s Tech Update (Encryption is key to keeping client data safe from thieves).
I thought I would post directly here on the blog some of the feedback I got during reporting for those two stories along with links (bolding for emphasis is mine as are additional notes in brackets) .

From the SEC:

“Reg S-P is the Commission regulation most relevant to a broker-dealer’s protection of client data by securing premises and computer equipment. The relevant portion is below:
a. Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
1. Insure the security and confidentiality of customer records and information;
2. Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
3. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The regulation does not specifically require encryption, although it does require a broker-dealer to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information, which must be reasonably designed to insure the security and confidentiality of customer records and information, protect against anticipated threats to the security or integrity of those records and information, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
The Commission has proposed amending Regulation S-P to, among other things, set forth more specific requirements for safeguarding information and responding to information security breaches. See: 17 CFR Part 248—Regulation S–P: Privacy of Consumer Financial Information and Safeguarding Personal Information; Proposed Rule, The Commission received hundreds of comments on the proposal, and it is still pending. [Note that the proposed rule was put forth/published in the Federal Register on Thursday, March 13, 2008 yet remains “pending” and not in effect].
Regulation S-P does not preempt state privacy laws that provide protection for consumers. See: Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth.
[Also see Nevada’s law as well: 2009 Statutes of Nevada and NRS 597.970 Restrictions on transfer of personal information through electronic transmission.]
FINRA has provided broker-dealers with information about their obligations to protect customer account information and links to resources to help them meet those obligations. See Customer Information Protection.”
Finra suggested this classic from 2005 and provided a link:
Notice to Members; Safeguarding Confidential Customer Information [don’t be confused by it not being updated to reflect NASD’s merger and name change to Finra in 2007].