Understanding Regulation S-P Privacy of Consumer Financial Information

SEGMENT 2: Brice Prince, Special Counsel, Division of Trading and Markets, U.S. Securities and Exchange Commission - Regulation S-P’s current requirements - Status of proposal to amend Regulation S-P - Recent Regulation S-P enforcement actions - Model privacy form rulemaking - Regulation S-AM - FTC identity theft Red Flags Rule SEGMENT 2: David Medine, Partner, Regulatory and Government Affairs Department, WilmerHale - What information can departing financial advisors take with them? - What Red Flags Rule obligations do broker dealers have? - How can I share eligibility information with affiliates for marketing purposes? - What will the impact be of proposed Reg. S-P safeguards provisions? - What do I need to do if there has been a security breach involving client data? - Does Reg S-P apply to international operations? SEGMENT 3: Brian L. Rubin, Partner, Sutherland - NEXT Financial case » Genesis of case » Allegations » Trial » Decision » Implications for recruiting — inbound and outbound » Current Recruiting and Transition Practices SEGMENT 4: Julianne Inozemcev, Partner, Financial Services Office, Ernst & Young LLP - Independent broker-dealers, registered investment advisors, and Transfer agents that are not part of a Financial Holding company will be required to expend the greatest effort to comply with the specific and extensive standards related to information security programs for protecting and disposing of customer information, including requiring procedures for responding to security breeches - Due to the proposal to expanded the scope of information protected and extends coverage to persons associated with firms – data flow mapping activities to understand information covered by the regulation and covered parties will need to be undertaken (or updated) and documented to evidence to regulators and management that the organization understands where their information resides and how is it processed (collected, use, shared, and disposed of) - Formal risk assessments will need to be conducted to identify internal and external threats to protected information / covered parties and the internal controls (governance structure, policies, procedures, manual and automated processes) necessary to comply with the Reg-S-P information security/breach response requirements - Written information security programs and vendor management programs will need to e updated for risk assessment results - Corporate audit or an independent third party may partner with management to perform procedures to evidence regulator testing / monitoring of the effectiveness of the safeguards key controls, systems, and procedures SEGMENT 5 : Patricia Albrecht, Assistant General Counsel; Office of the General Counsel, FINRA - FINRA Examination Findings and Priorities - Changes in Examination Procedures in Light of Recent SEC Enforcement Actions