Securities Group News: A Refresher (and update) On Data Privacy Requirements for Investment Advisors in the Commonwealth
Did you know that as an investment advisor you may "own" your clients’ personal data? That’s right; for purposes of Massachusetts’ data privacy regulations, any person or entity that receives, stores, maintains, processes, or otherwise has access to its clients’ personal information is considered an "owner" of that personal information, and is thereby required to adhere to the Massachusetts regulations and to develop written policies and procedures that ensure adequate protection of a client’s personal information. Personal information is generally defined as a Massachusetts resident’s name plus some other identifier (e.g., a social security number or financial account number). What’s more, in the event that the personal information of a Massachusetts resident is obtained by an unauthorized person or is the subject of a data breach (be it electronic or otherwise), a state-registered investment advisor, just like a big retail chain, faces onerous reporting requirements (namely to the Attorney General, the Office of Consumer Affairs and Business Regulation, and the affected individuals), not to mention possible reputational harm.
While Massachusetts already had some of the most stringent data privacy laws on the books, on January 10, 2019, Governor Charlie Baker signed into law further requirements that regulated entities must follow as of April 11, 2019, in the event of a data breach. In particular, the amended law requires entities such as state-registered investment advisors to provide credit monitoring services [1], imposes increased reporting requirements [2], and prohibits the waiver of private rights of action [3], among other changes.
In the past, the Massachusetts Securities Division ("MSD") has advised investment professionals to comply with Massachusetts (and federal) data privacy laws. While data privacy requirements are not directly regulated by the MSD [4], the MSD has gone as far as integrating a review of an advisor’s compliance with data privacy laws and regulations into its examination program. Further, both the Office of Compliance Inspections and Examinations of the Securities and Exchange Commission, in its stated 2019 examination priorities, and the MSD, in prior examination literature, have indicated a continued emphasis on ensuring investment advisor compliance with data privacy and cybersecurity requirements.
State-registered investment advisors are in a particularly difficult position given the typical disparity between the size of the investment advisor and the amount of personal data "owned" by the investment advisor. Moreover, a significant portion of investment advisors in the Commonwealth are sole proprietors, serving as chief investment professional, chief compliance officer, clerk, and secretary. Nevertheless, with Governor Baker signing new data privacy requirements into law and securities regulators continuing to focus on cybersecurity, if you haven’t already, add "comprehensive information security officer" to that list in 2019.
[1] 2017 Massachusetts House Bill No. 4806, The 190th General Court of the Commonwealth of Massachusetts.
[2] "The notice to be provided to the attorney general and said director, and consumer reporting agencies or state agencies if any, shall include, but not be limited to: (i) the nature of the breach of security or unauthorized acquisition or use; (ii) the number of residents of the Commonwealth affected by such incident at the time of notification; (iii) the name and address of the person or agency that experienced the breach of security; (iv) name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security; (v) the type of person or agency reporting the breach of security; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data; (viii) whether the person or agency maintains a written information security program; and (ix) any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program. A person who experienced a breach of security shall file a report with the attorney general and the director of consumer affairs and business regulation certifying their credit monitoring services [are in compliance]." Id.
[4] Although it would not be completely outside the realm of possibility for the MSD to argue that the Massachusetts Securities Act contains privacy protection requirements through 950 Code Mass. Regs. 12.205(9)(c)(13), which states that it is a dishonest and unethical business practice for an investment advisor to "[disclose] the identity, affairs, or investments of any client to any third party . . . ."