Privacy best practices given final regs

If you have clients in California, take action.

Final regulations have come out governing compliance with the Golden State’s Consumer Privacy Act, as sister title Regulatory Compliance Watch previously reported. They largely contain good news for investment advisors that already must comply with the Securities and Exchange Commission’s Reg S-P. Consumer data covered by the Gramm-Leach-Bliley Act, which inspired Reg S-P, is generally exempt under the California regs.

“Entities that are covered by the GLBA are in a much better situation” than others, said David Stauss, partner with Husch Blackwell in Denver.

The news grows even brighter for firms that don’t sell their clients’ private data, which would include most IAs. The new California regs, which free up the state’s attorney general to begin enforcing CCPA violations, carry far fewer provisions for firms that don’t sell their clients’ data.

Actions to consider

However, the regs still require some must-dos. These include placing your privacy policy on your website (again, many advisors can check this off already) and revising it for the CCPA (such as stating that you do not sell clients’ information, and disclosing what information you do capture and how you use it); giving clients a right to know what personal information of theirs you collect, disclose or sell; providing a way for clients to request to know what data you have on them and to ask that you delete that data; conducting staff training; and maintaining records.

A sizeable investment advisor with California clients and investors in other states must decide whether it will amend its privacy policies to match the CCPA or carve out California clients for special treatment, says Behnam Dayanim, a partner with Paul Hastings in Washington, DC.

Begin with math. The CCPA defines a business covered by the law as one with annual gross revenues of $25 million or more. But it remains unclear if that means revenues earned only in California, said Darren Mooney, senior vice-president of Greyline Partners in Boston.

Mooney says numerous complaints alleging CCPA violations have already pelted the state’s AG, who likely will focus his enforcement on major tech companies rather than smaller financial firms.

Smart moves

“Just make sure your privacy policy is on your website. That will get you out of the ‘egregious violators’ box,” noted Mooney, who recently left his in-house CCO position at a California advisory firm, where he prepped for complying with the CCPA.

If you don’t sell customer data, “make it unambiguous” on your website, added Mooney. He suggests a button emblazoned in all caps “WE DO NOT SELL YOUR INFORMATION.”

The CCPA hands you the obligation to disclose if you may share your client information with third parties and to explain why you do. Common disclosures would probably reveal that you share client data with affiliates, vendors providing legitimate services and law enforcement.

Be clear that the client information you provide to a vendor is “strictly limited” to the business services provided by that vendor, said Mooney.

Engage in a data mapping exercise. Know what data you have, where it’s housed and who has access to it. As CCO, Mooney gathered the firm’s leaders, including IT, to collate answers. He then created a spreadsheet listing the CCPA’s 12 categories of data, shared it with colleagues, and asked them to “give me a yes or a no” on whether their data fit any category. “Then I had a universe of where this information could be vulnerable,” says Mooney.

Taking requests

A major piece of the CCPA that will affect advisors that fall under the California law is the obligation to give clients the right to (a) know what data you have on them and (b) have that data deleted.

“The best methodology appears to be to have an online form” where clients can make these requests, stated Stauss. The CCPA’s original proposal would have required such a form, but the final regs removed this mandate. Still, an online form makes sense. Stauss recommends that your form seek the requester’s name, address, the extent of the request (e.g., individual or for the entire household) and whether the person seeks to know what data you have on them or wants that personal data deleted.

Mooney’s former firm set up a dedicated e-mail address where such requests would be routed. In the first six months, the firm received no requests. Create a procedure for responding to these requests, making a privacy or compliance officer in charge of it, suggested Dayanim. Take steps to verify that the person making the request is who he claims to be. Mooney recommends at least a phone call, similar to how many advisors confirm wire transfers.

Once you receive a request, you would have 10 days to acknowledge receipt and 45 days in total to act on the request. Data that would fall under the GLBA would be exempt from these requests, recognizing that businesses have a legitimate purpose in using client data.

The GLBA shield offers advisors that fall under the CCPA no protection regarding data breaches, though. Penalties can sting, ranging from $100-$750 per consumer per incident or actual damages, whichever is greater, noted Dayanim.

The November elections can shift the sands of the CCPA. Stauss noted voters could approve a measure on the California ballot that would create an entirely new state agency just to enforce the CCPA.

Reg S-P compliance guidance

Last year, OCIE released a risk alert that touched on Reg S-P compliance, as RCW reported. It faulted some advisors for not implementing P&Ps “reasonably designed to safeguard customer records and information.” It also urged an inventory of client PII. We’ve previously shared tips for complying with Reg S-P.
