June 27, 2022

Volume XII, Number 178


Privacy in the Time of Pandemic: COVID-19 Provides Opportunity to Revisit Regulation S-P Privacy Policies

With more people working remotely than ever before in light of COVID-19, firms in the private equity and hedge fund space should review their Regulation S-P privacy and information-safeguarding policies to ensure they are compliant and ready for a prolonged period of remote work. In particular, in view of SEC guidance, firms should focus on several key areas including personal devices and personally identifiable information.

Regulation S-P (“Reg. S-P”) is the key SEC rule regarding privacy notices and safeguarding policies of registered broker-dealers, registered investment companies, and registered investment advisers. Reg. S-P does not apply to exempt reporting advisers and private funds, which are covered by the Consumer Financial Protection Bureau’s Regulation P. In the last several years, OCIE has issued several Risk Alerts (including relevant alerts in April 2019 and August 2017) providing registered advisers with guidance relating to Reg. S-P and highlighting common shortcomings and weaknesses in registered advisers’ privacy policies and procedures. Among other things, Reg. S-P requires that all registered advisers adopt written safeguarding policies and procedures that are reasonably designed to (a) ensure the security and confidentiality of customer records (which includes those of individual investors) and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Personal Devices:

The April 2019 and August 2017 OCIE Risk Alerts noted several common deficiencies with Reg. S-P compliance, including either not having policies in place or only addressing notice and opt-out provisions without mentioning safeguarding procedures. Even where firms had safeguarding policies and procedures, however, OCIE noted several common deficiencies that are highly relevant in a “work from home” world, beginning with policies governing personal electronic devices.

OCIE found that firm employees use personal electronic devices to store and maintain customer information despite a lack of clear policies and procedures on how the devices should be configured to protect this information. Employees are increasingly using their personal cellular phones and laptops for work, and now is a perfect time to make sure policies governing those devices include clear guidelines.

While Reg. S-P does not lay out specific steps to craft a robust privacy policy and guard against threats, registered advisers can take commercially available steps in the right direction. For example, registered advisers should consider:

  • Requiring all employee devices to be equipped with employer-provided security software and the latest manufacturer software updates, including updating all operating systems to versions still supported by security patches, prior to permitting access to any of the employer’s remote systems;

  • Requiring multifactor authentication upon each login to a company portal; and

  • Ensuring that email and messaging systems remain encrypted and secured.

Personally Identifiable Information:

OCIE’s Risk Alert also warned against improper policies toward electronic communications of personally identifiable information, or “PII.” PII can include confidential financial information and other sensitive information such as Social Security numbers or dates of birth. For example, OCIE has flagged a lack of policies and procedures designed to prevent employees from sending unencrypted emails containing personal information.

PII can be transmitted through unsecured networks, such as home networks or across the Internet in unencrypted form (e.g., between different email domains). OCIE has previously flagged policies and procedures that did not prevent employees from sending personally identifiable information to unsecured networks. Firms should revisit and revise their privacy policies to provide clear guidance regulating the transmission of personally identifiable information across unsecured networks.

Another type of unsecured transmission of PII that may occur is through popular videoconferencing platforms, such as Zoom, that have replaced in-person meetings. Among other things, platforms such as Zoom have been criticized for not using true end-to-end encryption, giving the videoconference provider (or persons who gain unauthorized access to the provider’s network) the technical ability to attend, observe, and record meetings (though Zoom recently committed to implementing end-to-end encryption for all of its users). Registered advisers should consider vetting any videoconferencing service prior to committing to it as a secure replacement for in-person meetings.

Aside from transmitting information, registered advisers must also ensure that only authorized persons have access to any PII. For example, where a registered adviser furloughs or lays off employees, OCIE warns that departed employees should not retain access rights to restricted customer information post departure.

Registered advisers can take commercially available steps to protect PII. For example, registered advisers may consider:

  • Only allowing remote access through a virtual private network (VPN) with strong end-to-end encryption,

  • Prohibiting use of public WiFi,

  • Requiring the use of secure, password-protected home WiFi or hotspots, and

  • Imposing additional credentialing with respect to the ability to download certain sensitive data.

COVID-19 has precipitated a dramatic increase in employees working remotely. The current situation provides a perfect opportunity to revisit and update important privacy policies that protect employees and clients, as well as the firms themselves.

© 2022 Proskauer Rose LLP. National Law Review, Volume X, Number 182

About this Author

Lucy Wolf, Proskauer Law Firm, Boston, Litigation Attorney

Lucy Wolf is an associate in the Litigation Department and a member of the Private Funds Group.

Margaret A Dale, Commercial Litigation, Proskauer Rose Law Firm

Margaret Dale is a Partner in the Litigation Department, resident in the New York office. Her practice focuses on commercial litigation, including class action defense, as well as intellectual property, privacy and data security, corporate governance litigation, securities litigation, and regulatory and internal investigations. She also represents and counsels clients in art law matters. 

William D Dalsen, Proskauer, Private Equity Lawyer, Hedge Fund Litigation Attorney

Will Dalsen is an associate in the Litigation Department, practicing in the Patent Law, Intellectual Property, and Private Equity & Hedge Fund Litigation groups.

Will practices in the area of complex intellectual property disputes, with a primary focus on patent infringement matters. He has litigated several high-profile patent infringement cases for some of the world's leading technology companies, including Panasonic, Philips, Sony, Mitsubishi and Zenith Electronics.

His practice also includes complex commercial...

Joshua Newville, Proskauer Rose, regulatory enforcement attorney, industry compliance legal counsel, securities exchange commission lawyer

Joshua M. Newville is a partner in the Litigation Department in New York. His practice focuses on commercial litigation and regulatory investigations. Mr. Newville advises companies and individuals in securities litigation and compliance matters. He also focuses on internal investigations and enforcement matters. Prior to joining Proskauer, Josh was senior counsel in the U.S. Securities and Exchange Commission’s Division of Enforcement, where he investigated and prosecuted violations of the federal securities laws. Josh served in the Enforcement Division’s Asset...

Samuel Waldon, Proskauer Law Firm, Washington DC, Corporate Law and Litigation Attorney

Sam Waldon is a partner in the Litigation Department and a member of the Securities Litigation, White Collar Defense & Investigations and Asset Management Litigation Groups.

Sam’s practice focuses on securities litigation, enforcement and regulatory matters. He represents corporations and financial institutions, and their officers, directors and employees, in investigations, exams, internal investigations and litigation. Sam has in-depth experience in a broad range of Securities and Exchange Commission (SEC) enforcement matters, including...