With more people working remotely than ever before in light of COVID-19, firms in the private equity and hedge fund space should review their Regulation S-P privacy and information-safeguarding policies to ensure they are compliant and ready for a prolonged period of remote work. In particular, in view of SEC guidance, firms should focus on several key areas including personal devices and personally identifiable information.

Regulation S-P (“Reg. S-P”) is the key SEC rule regarding privacy notices and safeguarding policies of registered broker-dealers, registered investment companies, and registered investment advisers. Reg. S-P does not apply to exempt reporting advisers and private funds, which are covered by the Consumer Financial Protection Bureau’s Regulation P. In the last several years, OCIE has issued several Risk Alerts (including relevant alerts in April 2019 and August 2017) providing registered advisers with guidance relating to Reg. S-P and highlighting common shortcomings and weaknesses in registered advisers’ privacy policies and procedures. Among other things, Reg. S-P requires that all registered advisers adopt written safeguarding policies and procedures that are reasonably designed to (a) ensure the security and confidentiality of customer records (which includes those of individual investors) and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Personal Devices:

The April 2019 and August 2017 OCIE Risk Alerts noted several common deficiencies with Reg. S-P compliance, including either not having policies in place or only addressing notice and opt-out provisions without mentioning safeguarding procedures. Even where firms had safeguarding policies and procedures, however, OCIE noted several common deficiencies that are highly relevant in a “work from home” world—beginning with policies governing personal electronic devices.

OCIE found that firm employees use personal electronic devices to store and maintain customer information despite a lack of clear policies and procedures on how the devices should be configured to protect this information. Employees are increasingly using their personal cellular phones and laptops for work, and now is a perfect time to make sure policies governing those devices include clear guidelines.

While Reg. S-P does not lay out specific steps to craft a robust privacy policy and guard against threats, registered advisers can take commercially available steps in the right direction. For example, registered advisers should consider:

  • Requiring that any device used for work, whether personal or firm-issued, run employer-provided security software and the latest manufacturer software updates, including an operating system version that still receives security patches, before it is permitted to access any of the employer’s remote systems;
  • Requiring multifactor authentication upon each login to a company portal or other remote system; and
  • Ensuring that email and messaging systems encrypt messages in transit and at rest, so that the confidentiality of firm communications does not depend on the security of an employee’s home network.

Personally Identifiable Information:

OCIE’s Risk Alert also warned against improper policies toward electronic communications of personally identifiable information, or “PII.” PII can include confidential financial information and other sensitive information such as Social Security numbers or dates of birth. For example, OCIE has flagged a lack of policies and procedures designed to prevent employees from sending unencrypted emails containing personal information.

PII can be transmitted over networks the firm does not control, such as home networks, or across the Internet in unencrypted form (for example, email exchanged between different domains is not necessarily encrypted in transit). OCIE has previously flagged policies and procedures that did not prevent employees from sending personally identifiable information over unsecured networks. Firms should revisit and revise their privacy policies to provide clear guidance governing the transmission of personally identifiable information across unsecured networks, including when it must be encrypted and when it should not be sent at all.

Another route by which PII may be transmitted without adequate protection is through popular videoconferencing platforms, such as Zoom, that have replaced in-person meetings. Among other things, platforms such as Zoom have been criticized for not using true end-to-end encryption: where only the connection between each participant and the provider’s servers is encrypted, meeting audio and video are decrypted on those servers, giving the videoconference provider (or persons who gain unauthorized access to the provider’s network) the technical ability to attend, observe, and record meetings (though Zoom recently committed to implementing end-to-end encryption for all of its users). Registered advisers should consider vetting any videoconferencing service prior to committing to it as a secure replacement for in-person meetings, including whether meeting content is decrypted on the provider’s servers and whether meetings can be password-protected and locked against uninvited participants.

Aside from transmitting information, registered advisers must also ensure that only authorized persons have access to any PII. For example, where a registered adviser furloughs or lays off employees, OCIE warns that departed employees should not retain access rights to restricted customer information post departure.

Registered advisers can take commercially available steps to protect PII. For example, registered advisers may consider:

  • Only allowing remote access through a virtual private network (VPN) with strong encryption (a VPN protects traffic between the employee’s device and the firm’s network, not end to end to an outside recipient, so it does not substitute for encrypting PII sent by email),
  • Prohibiting use of public WiFi,
  • Requiring that home WiFi or hotspots use WPA2 or WPA3 encryption with a strong passphrase rather than an open network, and
  • Requiring additional authorization before sensitive data can be downloaded to a remote device, and logging those downloads.

COVID-19 has precipitated a dramatic increase in employees working remotely. The current situation provides a perfect opportunity to revisit and update important privacy policies that protect employees and clients, as well as the firms themselves.

*      *      *

Proskauer’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team is focused on supporting and addressing client concerns. Visit our Coronavirus Resource Center for guidance on risk management measures, practical steps businesses can take and resources to help manage ongoing operations.

Margaret A. Dale

Margaret Dale is a trial lawyer and first-chair litigator handling complex business disputes across a wide variety of industries, including: consumer products, media and entertainment, financial services, telecommunications and technology, and higher education. She is a former vice-chair of the Litigation Department, and heads the Department’s Data Privacy and Cybersecurity Practice Group. Margaret has been recognized since 2017 in Benchmark Litigation’s Top 250 Women in Litigation.

Margaret’s practice covers the spectrum of complex commercial disputes, including privacy and data security matters, as well as disputes involving M&A, intellectual property, bankruptcy and insolvency, securities, corporate governance, and asset management.

Margaret regularly counsels clients before litigation commences to assess risk, adopt strategies to minimize or deflect disputes, and resolve matters without going to court.

Margaret is a frequent writer, including authoring a regular column on corporate and securities law in the New York Law Journal. She also serves as the lead editor of Proskauer’s blog on commercial litigation, Minding Your Business. She also authored the chapter titled “Privileges” in the treatise Commercial Litigation in New York State Courts (Haig, 5th ed.), as well as the chapter titled “Data Breach Litigation” in PLI’s Proskauer on Privacy.

Margaret maintains an active pro bono practice advocating on issues relating to women, children and veterans. She serves on the Board of Directors of CFR (Center for Family Representation), VLA (Volunteer Lawyers for the Arts), JALBC (Judges and Lawyers Breast Cancer Alert), and the City Bar Fund.

William D. Dalsen

Will Dalsen is a senior counsel in the Litigation Department. His practice focuses on complex commercial litigation, with a particular emphasis on private credit, private equity, venture capital and hedge funds. Will is highly regarded for his deep knowledge of the private credit fund industry and ability to resolve disputes for both sponsors and portfolio companies. He provides counseling regarding creditor rights, lender liability, sponsor liability, operating company disputes, control rights and regulatory compliance and investigations.

He advises funds, fund sponsors, investment advisers, and institutional and individual investors. In addition, he has represented public and private corporations in contractual disputes, business tort cases, and government investigations.

Will leads all phases of the litigation process, including pre-suit investigations, negotiating discovery disputes and arguing discovery motions, managing expert discovery, preparing and arguing dispositive motions, and preparing witnesses for trial. He has elicited deposition testimony from numerous witnesses on topics ranging from corporate finances to document preservation.

Prior to joining Proskauer, Will served for two years as a law clerk to Judge Susan Phillips Read of the New York State Court of Appeals, drafting bench memoranda and assisting with opinions in a variety of civil and criminal matters. In law school, Will was Editor in Chief of the Wisconsin Law Review and served as a judicial intern to the Honorable Shirley S. Abrahamson, Chief Justice of the Wisconsin Supreme Court.

Joshua M. Newville

Joshua M. Newville is a partner in the Litigation Department and a member of Proskauer’s White Collar Defense & Investigations Group and the Asset Management Litigation team.

Josh handles securities litigation, enforcement and regulatory matters, representing corporations and senior executives in civil and criminal investigations. In addition, Josh advises registered investment advisers and private fund managers on regulatory compliance, SEC exams, MNPI/insider trading and related risks.

Before joining Proskauer, Josh was senior counsel in the U.S. Securities and Exchange Commission’s Division of Enforcement, where he investigated and prosecuted violations of the federal securities laws. Josh served in the Enforcement Division’s Asset Management Unit, a specialized unit focusing on investment advisers and the asset management industry. His prior experience with the SEC provides a unique perspective to help asset managers manage risk and handle regulatory issues.