Set Boundaries That Deal With Difficult Employee employee data

[Sumaiya Khatun]

Because the new Massachusetts rules are a good indication employee data of the direction of privacy-related regulation on the federal level, its impact is not limited solely to those investment advisers with Massachusetts clients. The similarities between the new Massachusetts data security employee data laws and the proposed amendments to Regulation S-P affords advisers an excellent preview of their future compliance obligations as well as useful guidance when constructing their current data security and protection programs. All investment advisers would benefit from understanding the new Massachusetts regulations and should consider using them as the employee data basis for updating their information security policies and procedures in advance of changes to Regulation S-P.

This article provides an overview of both the proposed employee data amendments to Regulation S-P and the new Massachusetts data storage and protection law and suggests ways that investment advisers can use the new Massachusetts rules to better prepare for the realities of a employee data more exacting Regulation S-P. Proposed Amendments to Regulation S-P The SEC's proposed amendments to Regulation S-P set forth more specific requirements for safeguarding personal information against unauthorized disclosure employee data and for responding to information security breaches.

These amendments would bring Regulation S-P more in-line with employee data the Federal Trade Commission's Final Rule: Standards for Safeguarding Customer Information, currently applicable to state-registered advisers (the "Safeguards Rule") and, as will be detailed below, with the new Massachusetts regulations. Information Security Program Requirements Under the current rule, investment advisers are employee data required to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments take this requirement a step further by requiring advisers to develop, implement, and maintain a comprehensive "information security program," including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for employee data responding to unauthorized access to or use of personal information.