Dealing with Data Breaches: Understanding Your Firm's Liability and State and Federal Mandates
Investment adviser and broker-dealer firms cannot conduct business without gathering and maintaining customer information. The regulators are mandating strict controls and procedures to help ensure that this information does not fall into the wrong hands. Some experts have observed that the threat of identity theft has only increased in the wake of the global financial crisis. In its examinations, SEC staff focuses heightened attention on a firm’s information security or “safeguarding” controls for protecting client information.
Businesses would be well-served to heed the increasingly strict state laws setting minimum criteria for information security. Being aware of the requirements is important for broker-dealers, investment advisers, and mutual funds as well.
Although SEC Regulation S-P does not currently require notification of a breach, it also does not preempt the stricter state laws on consumer protection. By 2010, 45 states had breach-notification laws, most of which follow California's statute.
The proliferation of state data breach notification laws, substantive state information security laws (such as the Massachusetts data security standards) and FTC and private lawsuits on information security matters has led to heightened attention to information security in both IT budgets and staffing and in terms of compliance resources. With budget pressures all around (not to mention time pressures and the pressures of other duties that compliance already has), the question becomes: How can my organization lower the time and dollar costs associated with information security when there is a breach? The answer is to anticipate potential breaches of data security and have a detailed plan in place so that you can respond quickly, properly, and efficiently.
This session will discuss the basics of information security and how to map a firm’s policies and procedures to its particular risk profile. Other important topics to be addressed include:
- State-mandated data protection and breach notification requirements
- Responding to information security breaches and adopting vendor management best practices
- Implications of the new SEC Regulation S-AM and the FTC Red Flag Rules
After attending this course, attendees should be able to:
- Identify Regulation S-P requirements concerning privacy notice delivery and be able to create firm-wide policies and procedures concerning privacy practices
- Decipher the safeguarding portion of Regulation S-P
- Outline strong internal controls to identify and assess the red flags of identity theft, effective safeguards for controlling these risks, responses to information breaches and recommended steps for preventing them, and reasonable monitoring and testing of your safeguarding program
- List areas of current SEC focus that are likely to surface during an SEC examination, and obtain guidance on how to achieve a successful examination outcome in the area of information security
- Examine the efforts on the part of the states and the FTC to impose broader and more specific requirements on firms that collect personal information
For Whom: Chief Compliance Officers, Internal Auditors, Compliance Staff at all levels, Marketing Personnel, Legal Counsel, Management and Information Officers
Suggested Skill Level: Intermediate
Instructional Method: Group Internet-Based
Prerequisites for participation:
No advance preparation or prerequisites are required. However, attendees can benefit by reviewing the state data protection mandates and SEC Regulation S-P and proposed amendments to become familiar with the structure and terms.
Advance Preparation: None
Continuing Education Credits:
NRS Continuing Education Guide
Recommended CPE Credit: 2 in the Regulatory Ethics field of study