As you’ve probably seen, Facebook has recently been in the news for all the wrong reasons. Facebook’s CEO, Mark Zuckerberg, has been grilled by Congress regarding the privacy and protection of user data at the company. Facebook’s stock is plummeting and the Federal Trade Commission has stated that Facebook is under investigation.
Facebook’s Privacy Problems
Even as this post is being written, more facts are coming to light on the extent of the breach of its users’ data. Most of these facts are not flattering.
At a high level, two of the main issues the media has highlighted about Facebook’s privacy practices relate to:
How this Relates to Your Business
Users’ privacy concerns about Facebook as a networking service may seem different from the concerns of those participating in the private capital markets. However, there is a fundamental similarity between Facebook’s social media users’ data and the investor information an issuer or financial intermediary uses and maintains: privacy rights. As discussed in a previous post, privacy relates to an individual’s right to have third parties protect their information.
There are two types of third parties your company should be wary of:
These concerns matter to you because, whether you realize it or not, state breach notification laws apply to you. You have a legal duty to protect investor information and, in fact, may have 50 or more legal duties in the event of a breach. The U.S. currently lags behind the rest of the world as far as comprehensive laws and regulation at the federal level. As Congress’ reaction to Facebook highlights, that may be changing sooner rather than later.
Your exposure is not limited to U.S. and state laws. Internationally, each country can have its own laws to protect its citizens. For example, there are enhanced requirements, called the General Data Protection Regulation (GDPR), coming into effect in May for those who maintain data of European Union residents. Each country outside of the EU may have its own regulations. To be clear, a vendor’s data breach may trigger obligations for you.
Broker-Dealers have heightened regulatory requirements
If you have investors, you need data simply to maintain the relationship. For example, you have to know addresses to send K-1s at the end of each tax year. There is heightened risk associated with the financial and personal information transferred and stored in connection with a specific investment transaction at the “point of sale.” Broker-dealers have parallel, heightened regulatory security requirements for handling investor information.
At a baseline, broker-dealers must comply with Reg S-P, which provides for notice requirements and disclosure limits for PII.[1] Broker-dealers must also have procedures in place to safeguard information about investors and prospective investors, including PII.
FINRA, generally a broker-dealer’s most direct regulator for financial practices, has ramped up its interest in the cybersecurity of its member firms. FINRA has noted cyber-specific areas for broker-dealers to focus on, including access management, vendor management, and data loss prevention. FINRA also prescribes parameters for ongoing assessments of cybersecurity risk as a whole. The SEC has recently issued cybersecurity-specific guidance for public companies.[2] States – most notably, New York – have issued cybersecurity regulations specifically applying to the financial sector.[3]
While some of these rules do not apply to all industry participants, cybersecurity concerns now pervade the operations of regulated entities – in a good way. This focus is a step in the right direction as far as protecting individual data rights. At a minimum, your financial service provider should be willing to have an open conversation about the steps they are taking to address cyber risks.
Is your investor data secure?
This article only scratches the surface of the privacy issues facing Facebook, and of privacy and cybersecurity topics overall. A company’s understanding of who has access to its data, whether intended or not, is paramount to an appropriate cybersecurity posture. This is especially important when you hold investor PII, which will apply in some form to all issuers successfully raising capital. An issuer cannot transfer this obligation for information it keeps after its sale of securities. Still, a broker-dealer cognizant of these issues should help mitigate the risk of an investor data breach during the capital raising process.
These issues are not going away. In light of the hearings on Capitol Hill, there is a renewed focus on individual privacy in the U.S. – perhaps with the most widespread societal impact since the technology and internet boom of the 1990s. While we may not adopt rules as strict as those in the E.U. and other parts of the world, it does feel that there will be a shift towards individual privacy protections. This means heightened scrutiny of requirements for participants in the financial industry and those raising capital, whether regulated or not. At a baseline, this warrants a deep dive into your internal policies, as well as into all those outside parties whom you entrust with your data and the data of your investors. If these basic obligations are ignored, a U.S. or even a foreign government agency may soon be knocking on your door asking questions.
[1] Procedures to Safeguard Customer Records and Information; Disposal of Consumer Report Information, 17 C.F.R. 248.30.
[2] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Nos. 33-10459; 34-82746, 17 C.F.R. 229, 249 (Feb. 26, 2018).
[3] Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500.