In general, GLBA (Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999) prohibits you from sharing an individual’s confidential information with non-affiliated third parties unless:
You tell the individual that you may share the information with others;
You give the individual the opportunity to tell you not to share the information; and
The individual does not tell you to keep the information confidential (i.e., the individual does not “opt out” of disclosure to third parties).
M.G.L. c. 110A
950 CMR 12.205(9)(c)(13) states that for the purposes of M.G.L. c.110A, it is deemed a dishonest and unethical business practice for an investment adviser to:
“[disclose] the identity, affairs or investments of any client to any third party unless required by law to do so, or unless consented to by the client”
The current regulation prohibits the state registered investment adviser from sharing non-public personal information with non-affiliated third parties unless the customer specifically consents to the disclosure. Hence, unlike the GLBA, a state registered investment adviser must give its customers an “opt-in” option to share information with any unaffiliated third parties. An “opt-in” requires the investment adviser to obtain from its customers and consumers a signed statement in which the person makes an affirmative declaration of permission to disclose such information. Without this affirmative declaration from the person, investment advisers are prohibited from sharing this information with non-affiliated third parties.
All of this privacy information, taken from my own research and from my state’s securities division, is provided to clients annually as required by my regulatory body.
Massachusetts Identity Theft Law
In early 2009, the Office of Consumer Affairs and Business of the Commonwealth of Massachusetts adopted new regulations under Chapter 93H of the Massachusetts General Laws (201 CMR 17.00) concerning organizations that hold personal information ("PI") of residents of the Commonwealth of Massachusetts. These new regulations implement one of the most far-reaching data security laws in the nation. The new regulations become effective March 1, 2010, and all organizations holding PI must be compliant by the effective date.
In order to comply with the new regulations, all organizations holding PI are required, among other things, to amend all current client service agreements by the March 1, 2010 deadline. This amendment will state that the firm is in compliance with the new law's standards. There is no "opt out" provision allowed after March 1, 2010.
Personal Information
Under the new regulations, PI is defined as a person's first and last name (or first initial and last name) and one of the following: Social Security number, driver's license number or state-issued identification card number, or a financial account number, credit card number, or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account, provided that PI shall not include “information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”
Computer System Security
Every person that owns, licenses, stores or maintains PI about a resident of the Commonwealth and electronically stores or transmits such information shall include in a written, comprehensive information security program the establishment and maintenance of a security system covering computers, including any wireless system that, at a minimum, shall have the following elements:
(a) Secure user authentication protocols including:
(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(b) Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(c) Access restricted to active users and active user accounts only;
(d) Access blocked to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(e) Secure access control measures that:
(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
(f) To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
(g) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
(h) Encryption of all personal information stored on laptops or other portable devices;
(i) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
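The authentication and access-control elements above, (a) through (e) plus the monitoring element (g), map onto a handful of concrete mechanisms. The following Python module is an added illustration written for this page, not code from the regulation or from any firm's program; the class and function names, the five-attempt lockout threshold, the twelve-character minimum and the short vendor-default password list are all assumptions chosen for the example. It stores only salted scrypt digests of passwords (element (b)), refuses duplicate user IDs and vendor-default passwords (elements (a) and (e)), lets only active, unlocked accounts authenticate (element (c)), locks a user ID after repeated failures (element (d)), gates access to PI records on a need-to-know role (element (e)), and records every event in an audit list that a monitoring job could review (element (g)).

```python
"""Added example: 201 CMR 17.00 authentication/access-control elements.

Hypothetical illustration only; names, thresholds and the default-password
list are assumptions, not values taken from the regulation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                      # assumed threshold for element (d)
MIN_PASSWORD_LENGTH = 12                     # assumed minimum for element (a)(ii)
VENDOR_DEFAULTS = {"admin", "password", "changeme", "12345678"}  # constructed list


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Element (b): keep a salted scrypt digest, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    roles: FrozenSet[str]          # need-to-know roles for element (e)
    active: bool = True            # element (c)
    failed_attempts: int = 0
    locked: bool = False           # element (d)


class Directory:
    """In-memory account store with the controls the regulation enumerates."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[dict] = []   # element (g): every event is recorded here

    def _log(self, user_id: str, event: str, **extra) -> None:
        self.audit.append({"user": user_id, "event": event, **extra})

    def create(self, user_id: str, password: str, roles=()) -> None:
        # Element (a)(i): identifiers are controlled, so duplicates are refused.
        if user_id in self.accounts:
            raise ValueError("duplicate user id")
        # Element (e): no vendor-supplied default passwords; plus a length floor.
        if password.lower() in VENDOR_DEFAULTS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is a vendor default or too short")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest, frozenset(roles))
        self._log(user_id, "created")

    def deactivate(self, user_id: str) -> None:
        """Element (c): a departed user's account stops working immediately."""
        self.accounts[user_id].active = False
        self._log(user_id, "deactivated")

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            self._log(user_id, "auth_failed", reason="unknown user")
            return False
        if not acct.active or acct.locked:
            self._log(user_id, "auth_denied", reason="inactive or locked")
            return False
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):   # constant-time comparison
            acct.failed_attempts = 0
            self._log(user_id, "auth_ok")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                          # element (d)
            self._log(user_id, "locked", attempts=acct.failed_attempts)
        else:
            self._log(user_id, "auth_failed", attempts=acct.failed_attempts)
        return False

    def can_read_pi(self, user_id: str, required_role: str) -> bool:
        """Element (e): only active, unlocked users whose role needs the record."""
        acct = self.accounts.get(user_id)
        allowed = (acct is not None and acct.active and not acct.locked
                   and required_role in acct.roles)
        self._log(user_id, "pi_access", role=required_role, allowed=allowed)
        return allowed


def demo() -> dict:
    """Walk through the controls and return the outcomes for inspection."""
    d = Directory()
    d.create("alice", "correct horse battery staple", roles=["advisor"])
    first_login = d.authenticate("alice", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        d.authenticate("alice", "wrong guess")
    after_lockout = d.authenticate("alice", "correct horse battery staple")
    return {"first_login": first_login, "after_lockout": after_lockout,
            "locked": d.accounts["alice"].locked,
            "events": [e["event"] for e in d.audit]}


if __name__ == "__main__":
    print(demo())
```

The audit list is a stand-in for whatever log pipeline a firm actually reviews; the point of element (g) is that failed logins, lockouts and PI reads leave a record that someone looks at, not the container they land in.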