75 FR 193 pgs. 61793-61795 - Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Order Approving Proposed Rule Change to Amend FINRA Rule 8210 to Require Information Provided via Portable Media Device be Encrypted
Type: NOTICEVolume: 75Number: 193Pages: 61793 - 61795
Docket number: [Release No. 34-63016; File No. SR-FINRA-2010-021]
FR document: [FR Doc. 2010-25067 Filed 10-5-10; 8:45 am]
Agency: Securities and Exchange Commission
Official PDF Version: PDF Version
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-63016; File No. SR-FINRA-2010-021]
Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Order Approving Proposed Rule Change to Amend FINRA Rule 8210 to Require Information Provided via Portable Media Device be Encrypted
September 29, 2010.
I. Introduction
On June 2, 2010, the Financial Industry Regulatory Authority, Inc. ("FINRA") filed with the Securities and Exchange Commission (the "Commission" or "SEC"), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the "Exchange Act" or "Act")1and Rule 19b-4 thereunder,2a proposed rule change to amend FINRA Rule 8210 to require that information provided via portable media device to FINRA in response to a request under the rule be encrypted. The proposed rule change was published for comment in the Federal Register on June 25, 2010.3
Footnotes:
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b-4.
3 See Securities Exchange Act Release No. 62318 (June 17, 2010), 75 FR 36461 ("Notice").
The Commission received eleven comment letters on the proposal.4FINRA responded to these comment letters in a letter dated September 14, 2010.5This order approves the proposed rule change.
Footnotes:
4 See letter from David M. Sobel, Esq., EVP/CCO, Abel/Noser Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 6, 2010 ("Abel/Noser Letter"); letter from Larry Taunt, Chief Executive Officer, Regal Financial Group, to Elizabeth M. Murphy, Secretary, Commission, dated July 7, 2010 ("Regal Letter"); letter from Lisa Roth, NAIBD Member Advocacy Committee Chair, CEO/CCO, National Association of Independent Broker-Dealers, Inc., to Elizabeth M. Murphy, Secretary, Commission, dated July 9, 2010 ("NAIBD Letter"); letter from Chris Charles, President, Wulff, Hansen, & Co., to Elizabeth M. Murphy, Secretary, Commission, dated July 13, 2010 ("Wulff Hansen Letter"); letter from Tamara K. Salmon, Senior Associate Counsel, Investment Company Institute, to Elizabeth M. Murphy, Secretary, Commission, dated July 14, 2010 ("ICI Letter"); letter from Byron "Pat" Treat, President/CEO, Great Nation Investment Corporation, to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 ("Great Nation Letter"); letter from Eric Segall, Sr. V.P., Manager, Business Conduct, and Edward W. Wedbush, President, Wedbush Securities, Inc., to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 ("Wedbush Letter"); letter from Raymond C. Holland, Vice-Chairman, Triad Securites Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 ("Triad Letter I"); letter from Sis DeMarco, Director of Compliance, Triad Securities Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 ("Triad Letter II"); letter from S. Kendrick Dunn, Assistant Vice President, Pacific Select Distributors, Inc. to Elizabeth M. Murphy, Secretary, Commission, dated July 16, 2010 ("PSD Letter"); and letter from Howard Spindel, Senior Managing Director, Integrated Management Solutions, to Elizabeth M. Murphy, Secretary, Commission, dated July 16, 2010 ("IMS Letter").
5 See letter from Stan Macel, Assistant General Counsel, FINRA, to Elizabeth M. Murphy, Secretary, Commission, dated September 14, 2010 ("FINRA Letter").
II. Background and Description of Proposal
FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books) confers on FINRA staff the authority to compel a member, person associated with a member, or other person over whom FINRA has jurisdiction, to produce documents, provide testimony, or supply written responses or electronic data in connection with an investigation, complaint, examination or adjudicatory proceeding. The rule applies to all members, associated persons, and other persons over whom FINRA has jurisdiction, including former associated persons subject to FINRA's jurisdiction as described in the FINRA By-Laws.6FINRA Rule 8210(c) provides that a member's or person's failure to provide information or testimony or to permit an inspection and copying of books, records, or accounts is a violation of the rule.
Footnotes:
6 See FINRA By-Laws, Article V, Section 4(a) (Retention of Jurisdiction).
FINRA is proposing to amend FINRA Rule 8210 to require that information provided via a portable media device pursuant to a request under the rule be encrypted, as discussed further below. Requiring such information to be encrypted will help ensure that such information, which in many instances includes individuals' personal information, is protected from unauthorized or improper use.7
Footnotes:
7 FINRA has emphasized that its members have an obligation under existing laws to protect confidential customer records and information pursuant to the requirements of SEC Regulation S-P. See, e.g., Notice to Members 05-49 (Safeguarding Confidential Customer Information).
According to FINRA, frequently, members and persons who respond to requests pursuant to FINRA Rule 8210 provide information in electronic format. Because of the size of the electronic files, persons often provide information in electronic format using a portable media device such as a CD-ROM, DVD or portable hard drive.8In many instances, the response contains personal information that, if accessed by an unauthorized person, could be used inappropriately. For example, a response may include a person's first and last name, or first initial and last name, in combination with that person's: (1) Social security number; (2) driver's license, passport or government-issued identification number; or (3) financial account number (including but not limited to the number of a brokerage account, debit card, credit card, checking account, or savings account). If such personal information were to be intercepted by an unauthorized third party, it could be used improperly.
Footnotes:
8 The proposed rule change defines "portable media device" as a storage device for electronic information, including but not limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop computer, disc, diskette, or any other portable device for storing and transporting electronic information.
Additionally, according to FINRA, data security issues regarding personal information have become increasingly important in recent years.9In this regard, FINRA believes that requiring persons to encrypt information on portable media devices provided to FINRA in response to FINRA Rule 8210 requests will help ensure that personal information is protected from improper use by unauthorized third parties.
Footnotes:
9 In its Notice, FINRA represents, for example, that some jurisdictions, including Massachusetts and Nevada, have recently enacted legislation that establishes minimum standards to safeguard personal information in electronic records. See, e.g., Commonwealth of Massachusetts, 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), effective March 1, 2010; State of Nevada, NRS 603A.215 (Security Measures for Data Collector that Accepts Payment Card; Use of Encryption; Liability for Damages; Applicability), effective January 1, 2010. As stated in the Notice, these laws contain penalties that can be imposed on persons and entities for failures to adequately safeguard electronic records containing personal information.
The proposed rule change would require that information provided via a portable media device be "encrypted," i.e., the data must be encoded into a form in which meaning cannot be assigned without the use of a confidential process or key. To help ensure that encrypted information is secure, persons providing encrypted information to FINRA via a portable media device would be required: (1) To use an encryption method that meets industry standards for strong encryption; and (2) to provide FINRA staff with the confidential process or key regarding the encryption in a communication separate from the encrypted information itself ( e.g., a separate e-mail, fax or letter).
III. Discussion of Comment Letters and Commission Findings
The Commission received eleven comment letters on the proposed rule change and FINRA responded to these comments.10One commenter supported the proposal, but recommended that FINRA's rules be amended to add information security rules for itself and notify registrants when their non-public information has been accessed.11Two commenters questioned the need for the encryption requirement and suggested that FINRA, and not its members, should undertake the responsibility of establishing data protection12and controls.13Another commenter believed that the proposed rule change did not address FINRA's responsibility to maintain the confidentiality of the information it obtains and proposed that members be allowed to redact sensitive information.14FINRA responded that these comments do not address the purpose of the proposal which is to safeguard information being delivered to FINRA via portable media device and noted that it has a "robust and current information security policy."15
Footnotes:
10 See supra notes 4 and 5.
11 See ICI Letter.
12 See NAIBD Letter (endorsed by Triad I Letter and Triad II Letter), and PSD Letter.
13 See NAIBD Letter.
14 See Wedbush Letter.
15 See FINRA Letter.
Five commenters indicated that the application of the proposed rule to electronic media and not paper documents is too narrow or misplaced.16One commenter noted that the proposed rule change did not cover "hard data transfers" and was "inconsistent," therefore "adding an unnecessary layer of cost and inconvenience to the normal process of business."17Another commenter believed that the proposed rule was "form over function" and suggested that overnight delivery of the electronic files could accomplish the goals of the proposal.18One commenter noted that FINRA wishes to remove the discretion of members to encrypt data and yet the proposal does not cover hard-copy, email and voluntary transmissions of information.19This commenter stated that the proposed rule change "was a poor solution" and suggested that FINRA allow members discretion to determine encryption methods and apply them to all transmissions to FINRA.20FINRA responded to these comments by stating that it believes that encryption is a useful method to protect electronic data and notes that it is not technically possible to encrypt information in paper form.21FINRA suggested that it might accept only electronic submissions of information in the future, but currently must accept the limitations of paper delivery.22FINRA also stated that it will explore encryption of other communication methods such as email.23FINRA states that "the argument that the difficulty of the perfect encryption of all information irrespective of media is a reason not to protect that information which can be encrypted could be used to negate all iterative protections to investors and should not be credited as a matter of public policy."24
Footnotes:
16 See Abel/Noser Letter, IMS Letter, NAIBD Letter, PSD Letter, and Regal Letter, and Abel/Noser Letter.
17 See Regal Letter.
18 See Abel/Noser Letter.
19 See IMS Letter.
20 Id.
21 See FINRA Letter.
22 Id.
23 Id.
24 Id.
Three commenters indicated that requiring encryption of all information sent via portable media devices is overbroad and suggested lesser content encryption.25FINRA responded that it "believes it is simpler, more efficient and safer to require encryption of all information provided via portable media device pursuant to a request under the rule."26FINRA stated that the requirement "obviates the need for FINRA to circumscribe and monitor, and for members to determine, the types of information that should or should not be encrypted under the rule."27FINRA believes that the suggested alternatives would be more costly than the proposal and believes the proposal "further supports compliance with the laws in some jurisdictions."28
Footnotes:
25 See Great Nation Letter, IMS Letter, and PSD Letter.
26 See FINRA Letter.
27 Id.
28 Id.
Seven commenters believed that the proposal was difficult or costly to implement.29For example, some commenters believe that small firms lack the technical experience to implement the proposal and may have to hire third parties.30One commenter suggested an exception when information is provided directly to FINRA staff or on the FINRA premises.31FINRA questioned the burden on members "given the availability of web-based encryption solutions currently available at low- or no-cost."32FINRA noted that "members may be subject to various data protection laws that are in part the impetus" of the proposal.33FINRA stated that it would "help educate its members about the process of encryption" and would "endeavor to provide information regarding various options for encrypting data, including low- or no-cost web-based encryption software."34
Footnotes:
29 See Abel/Noser Letter, Great Nation Letter, NAIBD Letter, PSE Letter, Triad Letter I, Triad Letter II, and Wulff Hansen Letter.
30 See, e.g., Great Nation Letter, NAIBD Letter, and PSE Letter.
31 See Wulff Hansen Letter.
32 See FINRA Letter.
33 Id.
34 Id.
Three commenters suggested that the proposed requirement to use an encryption method that "meets industry standards for strong encryption" is too vague and suggested alternatives such as providing members with the specific method of encryption.35FINRA acknowledged that, as proposed, the rule does not mandate a specific method of encryption.36However, FINRA believes that this standard, which it stated is "identical to that employed by Massachusettes and Nevada," is necessary to "adapt to changing technology regarding encryption."37FINRA stated that it does not believe that it is "appropriate at this time to dictate a `one size fits all' approach" to encryption.38As designed, this requirement will allow each member to choose an appropriate method of encryption that works for it.39
Footnotes:
35 See NAIBD Letter, PSE Letter, and Great Nation Letter.
36 See FINRA Letter.
37 Id.
38 Id.
39 Id.
The Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to a national securities association.40In particular, the Commission finds that the proposed rule change is consistent with the provisions of Section 15A(b)(6) of the Act,41which requires, among other things, that FINRA rules be designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, and, in general, to protect investors and the public interest.
Footnotes:
40 In approving this proposal, the Commission has considered the proposed rule's impact on efficiency, competition and capital formation. See 15 U.S.C. 78c(f).
41 15 U.S.C. 78 o -3(b)(6).
The Commission believes that the proposed rule change is reasonably designed to ensure that information provided to FINRA on a portable media device in response to Rule 8210 is secure. FINRA has represented that this requirement is necessary to address laws in some jurisdictions that establish safeguards for personal information and records. The Commission also notes FINRA's representation that there are low- or no-cost ways to encrypt files and that it will help educate its members about the process of encryption and meeting their obligations under the rule. Although the Commission recognizes that the proposed rule change does not mandate a specific encryption method, the Commission believes that some flexibility is appropriate to allow for changes in technology and for members to choose encryption methods that meet their needs. Finally, theCommission believes that the fact that information produced to it in other forms, such as paper-based forms, for which there is no comparable means of protecting the information from unwanted disclosure, should not preclude the protection of information that can be protected.
IV. Conclusion
It is therefore ordered, pursuant to Section 19b(2) of the Act,42that the proposed rule change (SR-FINRA-2010-021) be, and hereby is, approved.
Footnotes:
42 15 U.S.C. 78s(b)(2).
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.43
Footnotes:
43 17 CFR 200.30-3(a)(12).
Florence E. Harmon,
Deputy Secretary.
[FR Doc. 2010-25067 Filed 10-5-10; 8:45 am]
BILLING CODE 8011-01-P