By law, US federal agencies are required to ensure the protection of the personally identifiable information (PII) they collect, store and transmit. In the current digital environment, government agencies are collecting more and more personal information. Highly publicized incidents of abuse, misuse and inadvertent error in agency management of PII have fueled public concern about the government’s ability to protect private or sensitive information. The result has been increasing scrutiny and compliance expectations regarding federal privacy laws and regulations, which affect federal employees at all levels.
This article takes a look at how the US Securities and Exchange Commission (SEC) handles privacy issues.
PIAs at the SEC
The e-Government Act of 2002 (Sec. 208) requires federal agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections. The following outlines why PIAs are conducted and how personally identifiable information is managed in information systems within the SEC.
A PIA should be completed when any of the following activities take place:
- Developing or procuring any new technologies or systems that handle or collect personal information.
- Developing system revisions.
- Initiating a new electronic collection of information in identifiable form for 10 or more persons, consistent with the Paperwork Reduction Act.
- Issuing a new or updated rulemaking that affects personal information.
- Categorizing System Security Controls as “high-major,” or “moderate-major.”
A PIA is not required in the following instances:
- For government-run websites, IT systems, or collections of information that do not collect or maintain information in identifiable form about members of the general public, government employees, contractors, or consultants.
- For government-run public websites where the user is given the option of contacting the site operator for the limited purpose of asking questions or providing comments.
- For national security systems.
- When all elements of a PIA are addressed in a data matching or comparison agreement governed by the computer matching provisions of the Privacy Act.
- When all elements of a PIA are addressed in an interagency agreement permitting the merging of data for strictly statistical purposes and where the resulting data are protected from improper disclosure and use under Title V of the e-Government Act.
- When developing IT systems or collecting non-identifiable information for a discrete purpose that does not involve matching with or retrieval from other databases that generate individual or business identifiable information.
- For minor changes to an IT system or collection that do not create new privacy risks.
When completing a PIA for the SEC, the system owner is required to respond to privacy-related questions regarding:
- Data in the system (e.g. what data is collected and why it is collected)
- Attributes of the data (e.g. use, accuracy)
- Sharing practices
- Notice to individuals and their opportunity to consent to or decline the use of their data (e.g. via a SORN)
- Access to data (i.e. administrative and technological controls)
Section 504 Privacy Rules
In November 2000, the Securities and Exchange Commission announced its adoption of Regulation S-P, which included privacy rules promulgated under section 504 of the Gramm-Leach-Bliley Act (GLBA). Section 504 requires the SEC and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about customers.
Under the GLBA, a financial institution must provide its customers with a notice of its privacy policies and practices. The institution is prohibited from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure. The GLBA also requires the SEC to establish appropriate standards for financial institutions to protect customer information. The final rules implement these requirements of the GLBA, with respect to investment advisers registered with the SEC, brokers, dealers and investment companies, which are all considered financial institutions subject to the SEC’s jurisdiction under the GLBA.
Penalties for Privacy Violations
In April 2011, the SEC announced a settlement involving three former brokerage firm executives who were charged with “failing to protect confidential information about their customers.” This represented the first time the SEC assessed financial penalties against individuals charged solely with violations of Regulation S-P, introduced in the section above.
Essentially, the president of the brokerage firm took information from over 16,000 customers without notifying them or providing an opportunity to opt out. The information included names, addresses, account numbers and asset values. The SEC also found that the firm’s information security procedures were inadequate, even after numerous security breaches involving stolen company laptop computers and unlawful access to company emails. As a result of the settlement, the firm’s former president and national sales manager were required to pay $20,000 each, and the former chief compliance officer was fined $15,000.
US federal agencies are required to protect personally identifiable information (PII). This article takes a look at how the US Securities and Exchange Commission (SEC) handles privacy issues, ranging from filing a privacy impact assessment (PIA), to implementing and enforcing Regulation S-P of the Gramm-Leach-Bliley Act (GLBA).
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- US agencies regulating workplace privacy issues – Securities and Exchange Commission (IV.A.b.vi.)