§ 5.13 Privacy and Cybersecurity Regulation

Jurisdiction: United States
Publication year: 2022

[1]—Privacy

[a]—Overview

As the role of technology in the collection and use of personal information by financial institutions has increased and evolved, so too have instances of identity theft and other misuse of personal information about individuals. Regulators have responded to these developments with increased privacy regulation, much of which has a direct impact on how fund managers and funds collect and use information related to investors, prospective investors, employees and other relevant persons. In the United States, the absence of a comprehensive federal privacy law means fund managers and funds must navigate a growing patchwork of federal and state laws and regulations. Outside the United States, the European Union, United Kingdom and Cayman Islands have adopted expansive privacy laws with which fund managers and funds that are organized in, or otherwise do business with persons located in, these jurisdictions must comply.

[b]—Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 ("GLBA")708 was the first, and remains the only, federal legislative framework for the regulation of the privacy practices of financial institutions. GLBA defines "financial institution" as "any institution the business of which is engaging in financial activities" as described in the Bank Holding Company Act of 1956.709 Fund managers and funds domiciled in the United States or with U.S. investors are "financial institutions" within the meaning of GLBA.

At a high level, GLBA requires every covered fund manager [and fund] to:

• provide initial and annual privacy notices to investors who are individual persons (as opposed to entities), disclosing the types of non-public personal information that the fund manager [or fund] collects and describing the extent to which it discloses such information to third parties;

• inform such investors of their right to opt out of sharing of their personal information with nonaffiliated third parties; and

• take measures to protect the non-public personal information of such investors.

"Non-public personal information" is defined in GLBA as "personally identifiable financial information (1) provided by a consumer to a financial institution; (2) resulting from any transaction with the consumer or any service performed for the consumer; or (3) otherwise obtained by the financial institution that is not otherwise publicly available."710 The definition of "non-public personal information" expressly excludes "publicly available information" which has been interpreted to include data that has been "de-identified."711 However, GLBA clarifies that, in any case, "non-public personal information" includes any "list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any non-public personal information other than publicly available information."712 For example, a list of the names or email addresses of natural persons that subscribe to a fund would constitute "non-public personal information" even if the names or email addresses themselves could be obtained from a public source, but a list of positions in a fund that could not—alone or when taken together with any other information available to the recipient (including public information)—be used to link the information to a natural person would not constitute "non-public personal information."

Two other terms important to understanding the application of GLBA to fund managers are "nonaffiliated third party" and "affiliate." "Nonaffiliated third party" is defined by GLBA as "any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution."713 The definition of "nonaffiliated third party" expressly excludes any "joint employee" of a financial institution. "Affiliate" is defined as "any company that controls, is controlled by or is under common control with another company."714

While GLBA established a framework for regulating the privacy practices of financial institutions, it charged federal agencies with the task of developing specific rules and regulations for the institutions over which they have jurisdiction. Fund managers registered with the SEC as investment advisers under the Investment Advisers Act of 1940 (and funds registered under the Investment Company Act of 1940), and thus regulated by the SEC, must comply with Regulation S-P, the SEC's rules implementing GLBA. Fund managers not regulated by the SEC may, nonetheless, be required to comply with the rules and regulations issued by the Consumer Financial Protection Bureau ("CFPB") and the FTC under their "catchall" jurisdiction, namely Regulation P and the FTC Safeguards Rule. The specific requirements of these rules and regulations are outlined below.

[c]—SEC Privacy Regulation: Regulation S-P

The SEC has implemented GLBA through the adoption of Regulation S-P. Regulation S-P requires registered advisers to provide customers with written notice of the firm's privacy policies and practices, limits the sharing of non-public personal information with nonaffiliated entities, and requires the adoption of safeguards to protect the security of customer information.

[i]—"Consumer" vs. "Customer"

The obligations Regulation S-P places on fund managers and funds differ depending on whether the fund manager or fund is dealing with a "customer" or a "consumer." A "consumer" and a "customer" are both individuals to whom a financial institution provides a financial product or service "to be used primarily for personal, family, or household purposes"; however, while a "consumer" is someone who obtains or has obtained such a financial product or service from the institution, a "customer" is an individual who has a "continuing relationship" with the institution for the provision of such a financial product or service.715 An institution's evaluation of an application or request from an individual to obtain a financial product or service is sufficient for such individual to become a "consumer."716 Therefore, a prospective investor who is evaluated for participation in a fund is considered to be a "consumer" even if that person ultimately does not subscribe to such fund.

As "consumer" and "customer" are both defined to only include "individuals," the requirements of Regulation S-P do not extend to entity investors, including personal corporations, partnerships and trusts.717 A participant in an employee benefit plan and a beneficiary of a trust also are not "individuals" within the meaning of Regulation S-P.718 It is not uncommon, however, for fund managers to treat individual and entity investors in the same way for purposes of Regulation S-P compliance.

[ii]—Privacy Notice Requirement

Regulation S-P requires fund managers to provide a "clear and conspicuous" initial privacy notice to their customers and consumers that accurately reflects the firm's privacy policies and practices.719 For a customer, this means providing the notice no later than when the customer relationship is established. For a consumer, this means providing the notice before disclosing any non-public personal information to a nonaffiliated entity for which an opt-out notice is required.720 In practice, most fund managers deliver an initial privacy notice along with the subscription documents or other offering documents provided to prospective investors.721

In addition to an initial notice, Regulation S-P requires registered advisers to provide a privacy notice to their customers on an annual basis.722 An annual notice must reflect any changes to an investment manager's privacy policies or procedures.723 There is, however, an exception to the annual privacy notice requirement under a 2015 amendment to GLBA. The exception applies to investment managers [and funds] that (1) only share non-public personal information about their individual investors with nonaffiliated third parties in a manner that does not require an opt-out under GLBA, and (2) have not changed their policies and practices with respect to disclosing non-public personal information since last providing the investor with a privacy notice.724 Many managers have chosen not to take advantage of the exception, because the SEC has not yet issued amendments to Regulation S-P to implement the GLBA exception, and for other management and compliance reasons. The SEC's staff did, however, acknowledge the amendment in a footnote to a Risk Alert, dated April 16, 2019, regarding Regulation S-P.725

A privacy notice provided under Regulation S-P must contain information regarding the following:

(1) the categories of non-public personal information collected by the manager;

(2) the categories of non-public personal information disclosed by the manager, including in respect of former customers;

(3) the categories of affiliates and nonaffiliated parties to whom the manager discloses non-public personal information, including in respect of former customers;

(4) the categories of non-public personal information that are disclosed under agreements with third-party service providers and joint marketers, and the categories of third parties with whom the manager has contracted;

(5) an explanation of the consumer's right to opt out of disclosure of non-public personal information to nonaffiliated third parties, including the methods by which a customer may exercise that right;

(6) any disclosures regarding the ability to opt out of certain sharing of information with affiliates made to comply with the Fair Credit Reporting Act ("FCRA");726 and

(7) policies and practices of the manager with respect to protecting the confidentiality and security of non-public personal information.727

The required content of the privacy notice is the same for initial and annual privacy notices.728 In terms of the level of detail required to be included in a privacy notice, SEC staff has advised that the notice need not precisely identify every type of information collected or shared or the name of every entity with which the...