On March 11, 2008, the United States Securities and Exchange Commission (SEC) published proposed rules intended to “set forth more specific requirements for safeguarding information and responding to information security breaches, and broaden the scope of the information covered by Regulation S-P’s safeguarding and disposal provisions.” Interested parties are invited to send comments concerning the new rules; the deadline for submitting suggestions is May 12, 2008.
I do not promise you that this document is an easy read. The text is a veritable thicket of legalese, despite the SEC’s well-publicized espousal of “plain English.” (Apparently, the agency’s advocacy of “plain English” extends mainly to the companies regulated by the SEC, rather than to documents published by the agency itself.) However, the proposed rules represent an important development in the ever-expanding body of federal regulations that invoke the services of information security in the cause of preserving and strengthening customer privacy within the financial services industry. In fact, the SEC’s proposed rules may represent the most systematic effort by a federal agency to provide guidance to InfoSec professionals concerning privacy controls. The provisions of virtually all previous governmental privacy initiatives—including Gramm-Leach-Bliley, the FACT Act, and state data breach regulations—are here combined into one comprehensive set of rules. Interestingly, the new rules do not simply collect these separate initiatives into a single document, but incorporate diverse regulations into a new and broadly expanded concept of “privacy.” In addition, the proposed SEC rules enlarge the scope of InfoSec compliance responsibilities. If these rules are adopted as originally proposed, it is likely that other agencies responsible for regulating the financial and medical services industries will adopt a similar approach to privacy. Therefore, information security professionals are well advised to read these rules and consider their implications.
This article will discuss some of the most significant of these implications.
A New Kind of Protected Data: “Personal Information”
The authors of the SEC rules are aware that prior federal regulations have identified several different types of financial information that must be safeguarded by security measures. The Gramm-Leach-Bliley Act (GLBA), for example, maintained that “nonpublic personal information” (NPI) must be protected by appropriate access and other technical controls. NPI was never precisely defined, although GLBA classified two general types of data as nonpublic personal information: (1) nonpublic personally identifiable financial information pertaining to a “natural person” (i.e., a human being, as opposed to a corporation) and (2) any list, description, or other grouping of consumers derived using any personally identifiable financial information that is not publicly available. Thus, the fact that an individual is the customer of a particular financial institution is, in itself, NPI. A consumer’s name, address, Social Security number, and account number are also NPI—unless the information can be obtained from a publicly available source. A customer’s telephone number, for example, is not NPI if it is listed in a phone book.
The FACT Act introduced a second type of protected data, “consumer report information.” This refers to any record about a “natural person,” whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. The term “consumer report” generally means a report bearing on a consumer’s creditworthiness, credit standing, reputation or other factors used in connection with establishing the consumer’s eligibility for credit, insurance, or employment.
The authors of the new SEC rules accept the view that “nonpublic personal information” and “consumer report information” must be safeguarded. However, they establish a new kind of protected data—“Personal Information”—that includes these two types, plus a new category of confidential information. This new category includes “information identified with any customer, or with any employee, investor, or securityholder who is a natural person, in paper, electronic or other form, that is handled by the institution or maintained on the institution’s behalf.” Thus, for example, records of employee user names and passwords are now considered protected. In addition, the nonpublic personal information belonging to an institutional client must also be protected, even though the individuals associated with the information are not themselves clients of the company responsible for storing or processing the data. Under this broad notion of “personal information,” all nonpublic personal data associated with clients, employees, and institutional clients’ clients must be carefully secured.
Data Security Breach Response
Since California originally implemented its data security breach response legislation (popularly known as SB1386) in 2003, numerous states (and also New York City) have passed similar measures. Several bills have also been discussed on Capitol Hill as a federal initiative that could supersede and bring order to the occasionally conflicting state laws. However, the proposed SEC regulations have now introduced a federal rule that represents a departure from many of the existing state laws.
According to the new SEC rules, a data security breach must involve “sensitive personal information.” This “information” is defined as “any personal information, or combination of components of personal information, that would allow an unauthorized person to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information.” The SEC proposal describes several specific types of information that are considered “sensitive”: (1) any identifying information (including an individual’s Social Security Number, name, telephone numbers, street address, email address, or online user name) in combination with (2) authenticating information, such as account number, credit or debit card number, driver’s license number, credit card expiration date or security code, mother’s maiden name, password, or PIN.
The proposed rules require any regulated institution to report to the SEC any incident involving a data breach if (1) sensitive personal information is involved and (2) the institution becomes aware of any incident of unauthorized access to or use of personal information “in which there is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience, or in which an unauthorized person has intentionally obtained access to or used sensitive personal information.” Previous data breach regulations have not included the condition concerning the presence of significant risk of “harm or inconvenience” to an individual; the SEC regulators are explicitly attempting to limit the scope of incidents that must be reported.
Rationale for the New Rules
President Clinton signed the Gramm-Leach-Bliley Act into law on November 12, 1999. On February 1, 2001, the major federal agencies responsible for regulating the banking industry published their “Interagency Guidelines Establishing Standards for Safeguarding Customer Information.” These Guidelines were intended to implement the privacy provisions of GLBA. Interestingly, this document did not emphasize the threat of identity theft as a major rationale for the new regulations. However, written more than seven years later, the proposed SEC regulations are explicitly focused upon the prevention of identity theft and the strengthening of trust in online brokerage services. “In recent years,” the authors assert, “we have become concerned with the increasing number of information security breaches that have come to light and the potential for identity theft and other misuse of personal financial information… Perhaps most disturbing is the increase in incidents involving the takeover of online brokerage accounts….” Clearly, the regulators are not motivated simply by an awareness that consumer privacy is, in itself, a good thing. Rather, the authors of the new rules are concerned that maintaining the privacy of certain consumer information is necessary to prevent criminal activity and to bolster trust in online investor services.
Implications for Information Security Professionals
The proposed SEC rules have broadened the types of data that are subject to security controls pertaining to encryption, access control, and transmission and storage. All types are now grouped under the general category of “Personal Information.” The rules’ frequent reference to the specific types of data that comprise “Personal Information” will require information security professionals to assist with the development of a robust data classification program that can accommodate these diverse data elements. In addition, appropriate controls must be implemented to ensure the security of each element. For most organizations, hopefully, these additional efforts will simply build upon the work already accomplished, or in progress, to accommodate existing state and federal privacy regulations.