Page 50 - Investment Advisor January/February 2022

THE COMPLIANCE COACH

                By Thomas D. Giachetti




A Privacy Check-Up Can Keep Advisors Out of Trouble

New state and foreign laws mean being ultra-careful about collecting and disclosing a client’s personal data.


The ever-increasing, confusing maze of privacy law is critically important for advisors, my partner Trina Glass told me recently. She began by saying: “Perhaps, and I admit I am a bit biased, but the most important disclosure you are required to provide your client is your firm’s Privacy Notice. Advisors are subject to the Gramm-Leach-Bliley Act (GLBA), specifically Regulation S-P, which requires advisors to implement notice requirements and restricts the advisor’s ability to disclose a consumer’s nonpublic personal information (NPPI).”

The Privacy Notice must provide clients with notice of the firm’s privacy policies and practices. If the advisor intends to disclose NPPI about a consumer to nonaffiliated third parties, the advisor must first provide certain corresponding disclosures to the client, giving them the ability to “opt out” (i.e., prohibit the advisor from disclosing NPPI).

Does your privacy notice comply with Regulation S-P notice/disclosure requirements?

Over the last few years, state and foreign privacy laws have emerged. Generally, if you are collecting or using personal information for purposes outside of providing financial products or services to your client, or collecting NPPI not covered under the GLBA, then your firm may be subject to the evolving privacy obligations imposed by certain state and international privacy laws.

Moreover, some of these laws provide consumers with private rights of action. So, as part of its annual evaluation of its compliance program, it is prudent for the advisor to conduct a Privacy Check-Up to determine:

• Is your client deemed a consumer under the law? For example, certain individuals who interact with financial institutions may be considered “consumers” under the California Consumer Privacy Act (CCPA) but not under GLBA. Is your firm subject to the CCPA, or to any other state privacy law?

• What types of sensitive information and NPPI do you collect from your client? Is it covered under GLBA? If not, is it subject to other state privacy laws?

• How are you collecting sensitive information and NPPI from your client? Does your website use cookies? If yes, are you collecting sensitive information and NPPI that may not be covered under GLBA?

• Who and what has access to your client’s sensitive information and NPPI, and how does your firm monitor that access? For example, have you provided access to vendors or third parties outside the scope of your financial engagement?

• How do you use your client’s NPPI? If it is used for any reason outside the scope of providing financial services, have you advised your client and provided a way to opt out of that disclosure?

These are just a few of the preliminary questions that you will need to answer to determine whether your collection and use of your client’s data is beyond the scope of the GLBA, and specifically whether state and international privacy laws should be considered when evaluating and implementing a robust Privacy Program.

To address your firm’s Privacy Readiness, first consider creating an inventory of the NPPI the firm collects:

• Determine all of the ways the firm collects NPPI, for example client onboarding or website cookies;

• Determine where and/or how the NPPI is stored, i.e., in the firm’s internal systems or hosted/stored by a third party;

• Determine whether the initial and routine due diligence the firm conducts on third-party applications or vendors that collect, store and/or use your client’s NPPI is sufficient;

• Determine how the firm protects client NPPI, including when employees access the NPPI from outside of the firm’s offices or remotely; and

• Determine whether the firm has developed a comprehensive and reasonably adequate information security program around its collection, storage, access and monitoring of the client’s NPPI.

If your client’s data is breached, compromised or misused, the consequences could prove costly. Consider addressing your firm’s privacy readiness with an experienced privacy attorney.

Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark. He can be reached at [email protected].



             48 INVESTMENT ADVISOR JANUARY/FEBRUARY 2022 | ThinkAdvisor.com