Online Businesses and the COPPA

April 30th, 2009

If you do business online, you need to pay close attention to the requirements of the Children’s Online Privacy Protection Act (COPPA or the Act). Enacted in 1998, the COPPA requires the Federal Trade Commission (FTC) to enforce rules that regulate how website operators collect, use, and distribute personal information from children online. The FTC’s COPPA Rule spells out the specifics of the Act.
 
It is worthwhile to familiarize yourself with the requirements of the COPPA - if you have not already done so. Here is a quick rundown of the key issues to get you started.
 
Does the COPPA apply to your business?
 
The answer is YES, if your business involves any of the following:

  • Commercial websites or online services that target children under the age of 13 and collect personal information from children;
  • Websites intended for a general audience that knowingly collect personal information from children under the age of 13;
  • Websites intended for a general audience that have separate areas for children and collect personal information from children.

What does compliance with the COPPA entail?
 
If the COPPA applies to your business, you are required to write and implement a COPPA-compliant privacy policy. It is worthwhile to take the time to review the guide developed by the FTC to help online businesses comply. The guide covers issues relating to the location, content and style of a compliant policy. Check it out at the FTC website.
 
Being COPPA-compliant means your online business must meet a number of requirements including:
 
1. Post a privacy policy on your homepage and link to it everywhere personal information about children is collected.
2. Provide notice to parents about your online information collection practices.
3. Obtain verifiable parental consent before collecting personal information from children.
4. Give parents the choice to consent to the collection and use of their children’s personal information.
5. Provide parents with access to their children’s information, and the opportunity to delete the information and opt out of future information collection and use.
6. Maintain the confidentiality and security of the personal information collected from children.
 
Why is COPPA compliance important?
 
The simple answer is that it is the law. However, the important consideration is how non-compliance could affect your business. The penalties for non-compliance are often stiff. Having spent the time and money to develop a viable online business, it makes sense to go the extra mile to ensure that you are operating on the right side of applicable regulations.
 
Learning from the Expensive Mistakes of Others
 
In many respects, the requirements of the COPPA appear clear enough. It is therefore ironic that even some high-profile companies miss the mark.

In 2008, the FTC charged the operators of a social networking site that targets children with violation of the COPPA. According to the FTC’s complaint, the online business allowed children to create accounts by submitting personal information prior to providing notice to parents or obtaining parental consent. The company agreed to a settlement, which included a civil penalty of $130,000, an order that prohibits the company from violating the COPPA Rule, and a requirement for the deletion of all personal information collected in violation of the Rule.
 
Also in 2008, a major online music company found out the high cost of what the FTC referred to as “falling down on its COPPA obligations”. The FTC charged that the company violated COPPA by failing to provide sufficient notice on its websites about the information it collects, how it uses the information, and its disclosure practices. In the settlement, the company agreed to pay a civil penalty of $1 million as well as commit to orders to ensure future compliance.
 
The Web is a great medium for business. However, it is not without its regulatory controls. The COPPA is there for a purpose, and the FTC is actively enforcing it. It is good business to ensure that your online privacy policy is COPPA-compliant both in intent and in practice.


Posted in Regulatory Compliance Consulting | No Comments »

Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)

April 29th, 2009

Article Source: ArticlesBase.com - Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)


PAT Testing - Regularity of Testing

April 28th, 2009

PAT testing refers to the legal requirements governing how portable appliances need to be tested. However, the requirements are very broad, and it is not always obvious what must be tested and how often.


Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)

April 27th, 2009

Article Source: ArticlesBase.com - Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)


Penalty Charge Notice - How to Deal With It

April 26th, 2009

Have you received a Penalty Charge Notice for a violation of any of the millions of Statutes, Rules and Regulations that our dear Government are foisting upon us?

Most common ones are for Parking Violations, Driving faster than the speed they have declared is right, paying something after their deadline, or not providing them with something they demand. The truth is that we have all been deceived to believe that The Government and all its departments stand above us in the law. That they have authority over Us. Remember the old rule: “We are all equal before the law”.

That still stands. The fact is that You are actually above the Government - because you are a living thinking flesh and blood human being, which a government is not. A government is just an idea expressed on paper - a corporation, a legal fiction, even if a large one. It itself does not exist in the Real World as such - the employees, land and buildings of it does, but the government does not. You can sign an agreement - the government can’t. How can an idea expressed on paper pick up a pen?? Only a human being authorized to sign for the government can. And that man or woman is your equal before the law.

What does this all have to do with dealing with a Penalty Charge Notice, I hear you say. Well, it has everything to do with that. If you understood where you stand in relation to the law you would not be where you are today. Did you know that your car is not yours? Look at the Registration Certificate - you are only listed as the “keeper”. You signed it over to the state when you signed the registration papers. That is why they can take it and crush it if you do not pay the “keeper’s fee” (tax). That is why they can demand that you keep it insured (it is their property and they do not want to be liable for what you do with it).

I am not saying that you need to study the millions of Statutes expressed in various Acts issued by the Government. You need to learn Who and What you are in the eyes of the law and what law applies to You. This can be done in a relatively short time.

If you are given an “On the Spot” fine by a police officer, he might want you to sign it and will keep the Original for himself and give you a Copy. But that “Ticket” is actually a “Bill of Exchange” and as such you have the right to ask for the Original. Do not refuse to sign it; that will put you in dispute (they want this, so they can take you to Court to settle the dispute). Instead say: “I recognise that as a Bill of Exchange. I accept your Bill of Exchange - please give me the original which I have a right to ask for”. Most likely it will be swapped for a “Warning”.

Fortunately for us, there are people who have put in a lot of time in understanding how the laws and the legal system work, in order to give us a way out of this system and stand up for our rights. If you search on subjects related to this article you are likely to stumble upon these modern freedom fighters.

A word of warning though: Our adversaries will try to fight back and bluff you, so you need to do some study before you put it into action, and as with anything in life there are no guarantees. But many have used this successfully. Me included. If you do not receive the template automatically in the first days, just reply to an e-mail from me and I will attach it to my reply.

There is a free e-book that anyone can download, by a woman who was in despair about debt, and her journey from there to where she had her debts cancelled, where she gained some access to a secret account the Government had created in Her name (we all have one), and where she realized she did not have to pay Income Tax and walked out of the Tax office laughing. She now lawfully drives a car that is truly hers for which she pays no Tax or normal insurance. She even gave up her Driver’s Licence and now uses one she made on her own computer. All this without breaking the law. Her name is Mary Croft.

What she did anyone can do - if they want. You can be a lot more Free. It is your choice. But don’t take my word for it, check it out for yourself.


Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)

April 25th, 2009

Article Source: ArticlesBase.com - Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)


The Impact of the New Massachusetts Data Security Regulations

April 24th, 2009

While the Securities and Exchange Commission’s (SEC) proposed amendments to Regulation S-P await final rule status, the Commonwealth of Massachusetts has enacted sweeping new data security and identity theft legislation. At present, approximately 45 states have enacted some form of data security law, but before Massachusetts passed its new legislation, only California had a statute that required all businesses to adopt a written information security program. Unlike California’s rather vague rules, however, the Massachusetts information security mandate is quite detailed as to what is required and carries with it the promise of aggressive enforcement and attendant monetary penalties for violations.

Because the new Massachusetts rules are a good indication of the direction of privacy-related regulation at the federal level, their impact is not limited solely to those investment advisers with Massachusetts clients. The similarities between the new Massachusetts data security laws and the proposed amendments to Regulation S-P afford advisers an excellent preview of their future compliance obligations as well as useful guidance when constructing their current data security and protection programs. All investment advisers would benefit from understanding the new Massachusetts regulations and should consider using them as the basis for updating their information security policies and procedures in advance of changes to Regulation S-P. This article provides an overview of both the proposed amendments to Regulation S-P and the new Massachusetts data storage and protection law, and suggests ways that investment advisers can use the new Massachusetts rules to better prepare for the realities of a more exacting Regulation S-P.

Proposed Amendments to Regulation S-P

The SEC’s proposed amendments to Regulation S-P set forth more specific requirements for safeguarding personal information against unauthorized disclosure and for responding to information security breaches. These amendments would bring Regulation S-P more in line with the Federal Trade Commission’s Final Rule: Standards for Safeguarding Customer Information, currently applicable to state-registered advisers (the “Safeguards Rule”) and, as will be detailed below, with the new Massachusetts regulations.

Information Security Program Requirements

Under the current rule, investment advisers are required to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments take this requirement a step further by requiring advisers to develop, implement, and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information.

The information security program must be appropriate to the adviser’s size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue. The information security program should be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or security holder who is a natural person. “Substantial harm or inconvenience” would include theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of the information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual’s account.

Elements of Information Security Plan

As part of their information security plan, advisers must:

• Designate in writing an employee or employees to coordinate the information security program;

• Identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information;

• Design and document in writing and implement information safeguards to control the identified risks;

• Regularly test or otherwise monitor and document in writing the effectiveness of the safeguards’ key controls, systems, and procedures, including the effectiveness of access controls on personal information systems, controls to detect, prevent and respond to attacks, or intrusions by unauthorized persons, and employee training and supervision;

• Train staff to implement the information security program;

• Oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing); and

• Evaluate and adjust their programs to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the institution knows or reasonably believes may have a material impact on the program.

Data Security Breach Responses

An adviser’s information security program must also include procedures for responding to incidents of unauthorized access to or use of personal information. Such procedures should include notice to affected individuals if misuse of sensitive personal information has occurred or is reasonably possible. Procedures must also include notice to the SEC in circumstances in which an individual identified with the information has suffered substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information.

The New Massachusetts Regulations

Effective January 1, 2010, Massachusetts will require businesses that store or use “personal information” about Massachusetts residents to implement comprehensive information security programs. Therefore, any investment adviser, whether state or federally registered and wherever located, that has just one client who is a Massachusetts resident must develop and implement information security measures. Similar to the requirements set forth in the proposed amendments to Regulation S-P, these measures must (i) be commensurate with the size and scope of their advisory business and (ii) contain administrative, technical and physical safeguards to ensure the security of such personal information.

As discussed further below, the Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or transmittal of personal information. These dual requirements recognize the challenge of conducting business in a digital world and reflect the manner in which most investment advisers presently conduct their advisory business.

Standards for Protecting Personal Information

The Massachusetts regulations are quite specific as to what measures are required when developing and implementing an information security plan. Such measures include, but are not limited to:

• Identifying and assessing internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing personal information;

• Evaluating and improving, where necessary, current safeguards for minimizing risks;

• Developing security policies for employees who telecommute;

• Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such information;

• Obtaining from third-party service providers a written certification that such service provider has a written, comprehensive information security program;

• Inventorying paper, electronic and other records, computing systems and storage media, including laptops and portable devices used to store personal information to identify those records containing personal information;

• Regularly monitoring and auditing employee access to personal information in order to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information;

• Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information; and

• Documenting responsive actions and mandatory post-incident review.

The requirement to first identify and assess risks should be, by now, a familiar one to all SEC-registered investment advisers. The SEC made it abundantly clear in the “Compliance Rule” release that they expect advisers to conduct a risk assessment prior to drafting their compliance manual and to implement policies and procedures to specifically address those risks. The Massachusetts regulations provide an excellent framework for both the risk assessment and risk mitigation process by alerting advisers to five key areas to be addressed: (i) ongoing employee training; (ii) monitoring employee compliance with policies and procedures; (iii) upgrading information systems; (iv) storing records and data; and (v) improving means for detecting, preventing and responding to security failures.

That section of the Massachusetts regulations requiring businesses to retain only those service providers capable of maintaining adequate data safeguards should also be familiar to SEC-registered advisers. However, the additional requirement that a business obtain written certification that the service provider has a written, comprehensive information security program would be a new and valuable addition to an adviser’s information security procedures. Since the lack of compliance documentation is a common deficiency cited during SEC examinations, obtaining written certification from the service provider is an effective method by which an adviser can at once satisfy its compliance obligations and memorialize the compliance process.

One unique aspect of the new Massachusetts regulations is the recognition that a significant number of employees now spend at least some part of their working life telecommuting. This recognition should, in turn, translate into an awareness by advisers that their information security plan may be deficient if it does not adequately address this issue. The amount of personal information that can be stored (and lost) on the many portable electronic devices available to employees - be they laptops, smart phones or the next new gadget - should be enough to keep chief compliance officers awake at night. As mandated in the Massachusetts regulations, any proper telecommuting policy must first begin with a determination of whether and how an employee who telecommutes should be allowed to keep, access and transport data comprising personal information. Once these initial determinations have been made, advisers can develop appropriate policies and implement procedures to protect client information from ending up on the family computer with an unsecured wireless connection or on the laptop computer left in the back seat of a rental car.

Computer System Security Requirements

128-bit encryption. Secure user authentication protocols. Biometrics. Unique identifications plus passwords. To some advisers these terms and concepts are as familiar as mutual funds, financial plans and assets under management. To a great many other advisers, however, they represent an unknown and unknowable universe - as alien to the conduct of their advisory business as is day-trading to the “buy and hold” practitioner. Unfortunately for the technologically challenged, it will be necessary to become somewhat conversant with these concepts once the amendments to Regulation S-P are enacted.

The new Massachusetts regulations require that an information security program include security procedures that cover a company’s computer systems. These requirements are far more detailed and restrictive than anything in Regulation S-P, either in its current iteration or as proposed to be amended. Pursuant to the new Massachusetts law, any business that uses computers to store personal information about Massachusetts residents must, at a minimum, have the following elements in its information security program:

• Secure user authentication protocols including (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only; and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

• Secure access control measures that (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and (ii) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

• To the extent technically feasible, encrypt all transmitted records and files containing personal information that will travel across public networks, and encrypt all data to be transmitted wirelessly;

• Reasonably monitor systems for unauthorized use of or access to personal information;

• Encrypt all personal information stored on laptops or other portable devices;

• For files containing personal information on a system that is connected to the Internet, install reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;

• Install reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;

• Educate and train employees on the proper use of the computer security system and the importance of personal information security; and

• Restrict physical access to computerized records containing personal information, including a written procedure that sets forth the manner in which physical access to personal information is restricted.

As can be seen from the above list, what the Massachusetts regulations have generously provided to advisers is, in effect, a “shopping list” that they can take to their nearest computer consultant. Any investment adviser that reads this litany of computer system security requirements and has an immediate adverse reaction would be well advised to turn each of the above listed elements into a computer security checklist, find a reputable computer specialist, and outsource the project to those people who have the expertise to equip the firm’s computer systems with the requisite security capabilities.

Best Practices

The Massachusetts regulations may be viewed as setting forth “best practices” in the area of information storage, data protection and computer security. As most advisers already know, industry “best practices” have an unpleasant habit of quickly morphing into SEC expectations. Advisers should take advantage of the unique opportunity afforded by the Massachusetts regulations, as rarely do they receive such detailed guidance as to what “best practices” are in a given area of regulation. Nor are they often provided with such a clear picture of what the regulatory landscape will look like in their profession in the very near future. Therefore, it would be advantageous for advisers to compare their existing information security programs to the standards set forth in the new Massachusetts regulations and determine where their programs might benefit from incorporating one or more of these standards. While it may not be feasible for all advisers to invest in state-of-the-art computer security, all advisers could certainly benefit from understanding what updates can be made to improve their current information security policies and procedures.


Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)

April 23rd, 2009

Article Source: ArticlesBase.com - Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)


Enforcing Food Safety - The Government’s Responsibility

April 22nd, 2009

Apart from these basic food safety regulations, there are a number of other law enforcement and regulatory bodies that work in direct and indirect correlation with the issue concerned. Generally, the government still relies heavily on the Codex Alimentarius standards and guidelines developed jointly by the FAO and WHO for setting and revising its requirements for labeling, packaging, food additives, pesticides and imported food products. Food standards specified by the United States Department of Agriculture (USDA) and the Food and Drug Administration (FDA) are also used for certain products. Moreover, government agencies such as the Customs Department, Plant Protection and Quarantine (PPQ), the Pakistan Council of Scientific and Industrial Research (PCSIR), the National Institute of Health (NIH), the Pakistan Agriculture Research Council (PARC) and the Pakistan Council for Research in Water Resources (PCRWR) are also working towards food safety objectives within their respective remits.

In the presence of so many agencies and available regulations, it is nevertheless a harsh reality that the prevailing state of food safety and security standards in the country is dark and dismal. Given this plethora of regulations and regulatory bodies, the persistence of such a deteriorated structure indicates that the influx of laws and regulations and the establishment of regulatory bodies is certainly not the sole way of combating the safety issue, and that severe flaws exist in our law enforcement and implementation policies at all levels.


Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)

April 21st, 2009

Article Source: ArticlesBase.com - Compliance Officer Questions & Answers (Client Money, Cobs, Tcf)
