FTC Issues Safeguards Rule to Further Protect Customer Privacy - 08/22/02
Under the Gramm-Leach-Bliley Act ("GLB Act"), financial institutions that are located in the U.S. and are subject to the Federal Trade Commission's ("FTC") jurisdiction are required to undertake measures to protect the nonpublic personal information ("NPI") (e.g. name, address, income, social security number) of customers (e.g. investors) who are U.S. and non-U.S. natural persons. As part of its implementation of the GLB Act, on May 17, 2002, the FTC issued final rules implementing Section 501(b) of the GLB Act (the "Safeguards Rule"). The purpose of the Safeguards Rule is to establish standards relating to administrative, technical and physical information safeguards as required by Section 501(b) of the GLB Act. Such standards are intended to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information that could result in substantial harm to a customer.
With respect to privacy, the FTC has jurisdiction over financial institutions that are not otherwise regulated by another U.S. federal regulatory body. As such, operators of hedge funds that are not otherwise regulated by the SEC and/or the CFTC/NFA will have to comply with the Safeguards Rule.
Pursuant to the Safeguards Rule, a financial institution must adopt a written information security program ("ISP"). With respect to its ISP, a financial institution must cover the following five elements:
1. Designate an employee or employees to coordinate the ISP;
2. Conduct a risk assessment to identify internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration or destruction of such information. Moreover, the FTC considers three areas to be the "most relevant" when conducting a risk assessment: (i) employee training; (ii) information systems design, processing, storage, transmission and retrieval; and (iii) preventing, detecting and responding to attacks, intrusions or system failures;
3. Design an ISP and detail the plans to monitor the ISP;
4. Require third-party service providers that a financial institution has retained, by contract, to implement and maintain information safeguards; and
5. Evaluate and adjust the ISP in light of changes to a financial institution's business operations or the results of its monitoring and security tests.
A provision which will likely impact the hedge fund industry is the requirement that a financial institution ensure that its third-party service providers comply with the Safeguards Rule. In general, for most hedge funds, an administrator handles the subscription process, which entails receiving, processing and accessing an investor's personal and financial information. As such, the administrator is in the position of being a recipient of an investor's NPI. Accordingly, pursuant to the Safeguards Rule, a financial institution must require its service provider, by contract, to implement and maintain information safeguards. Therefore, a hedge fund operator will have to review an administrator's information operations and then negotiate and enter into a contract that obligates the administrator to adopt the same provisions under the Safeguards Rule. How administrators will react to this regulatory burden, and whether administration fees will rise, remains to be seen.
Financial institutions must implement their ISPs by May 23, 2003. As such, hedge fund operators have the next nine months to evaluate their operations and to develop an ISP. Furthermore, there is a transition rule for contracts entered into by June 23, 2002 between financial institutions and third-party service providers. This transition rule gives financial institutions two years to require their service providers, by contract, to implement an ISP. Accordingly, hedge fund operators have until May 23, 2004 to bring service contracts with administrators into compliance with the Safeguards Rule. To assist financial institutions in complying with the Safeguards Rule, the FTC will in the near future issue guidance on how to implement and monitor an ISP and on how to oversee a third-party service provider.