A financial advisor's guide to privacy and data security laws

Complying with the patchwork of privacy and information security laws is an often daunting task for financial advisors. But beware: Doing so hastily or haphazardly can subject you to broad privacy obligations, regulatory scrutiny and, in some cases, hefty fines.  

In broad outlines, advisors are required to abide by certain privacy and security obligations with respect to clients' personal information and to explain their information sharing practices to clients via privacy notices. Certain laws also require that advisors give clients the ability to opt-out of certain sharing of their personal information with third parties (other than vendors) while other laws go even further by requiring active consent before advisors can share personal information with third parties (not including vendors).

Which privacy and security obligations apply to your practice? That depends on the state or country in which you operate and where your clients reside. In some cases, privacy obligations only apply when clients are individuals investing for their personal benefit, as opposed to institutional investors.

Here's the latest on major governing laws, rules and proposed rules that advisors need to be aware of.

Gramm-Leach-Bliley Act Privacy Notice 
The Gramm-Leach-Bliley Act of 1999 requires financial institutions — defined as companies that offer financial products or services like investment advice — to explain their information sharing practices to clients and safeguard clients' sensitive data. 

More specifically, it mandates that financial advisors who are registered with the SEC provide individuals investing for personal, family or household purposes with a GLBA-specific privacy notice. The notice must describe what nonpublic personal information is collected from clients, how it is used and whether it is shared with affiliated third parties. In addition, the notice must specify whether the financial advisor engages in the restricted sharing of personal information with unaffiliated third parties, and, if they do, describe how clients can exercise their right to opt out of such sharing.  

The law also restricts financial advisors from sharing their clients' nonpublic personal information with unaffiliated third parties, other than vendors, for joint marketing or other purposes unless the clients received the opportunity to opt out of such sharing. Analogous state laws in California, North Dakota and Vermont have additional requirements, such as the obligation to seek prior consent from clients in order to share their personal information with unaffiliated third parties. However, California and Vermont do not require that advisors seek such prior consent if the sharing is for joint marketing purposes and if advisors provide clients with the option to opt-out, among other requirements.

 This GLBA-specific privacy notice is typically crafted from a template created by federal regulators which, used properly, affords financial advisors a safe harbor from liability under the law. Note that the information in such a notice must be updated annually. 

SEC-proposed cybersecurity management rules for RIAs and funds
In March 2022, the SEC proposed cybersecurity rules for financial institutions, including investment advisors registered under the Investment Advisers Act of 1940. If adopted, the rules would establish explicit cybersecurity compliance and breach notification requirements, including:

·      Cybersecurity policies and procedures that include a periodic assessment of information systems, controls designed to minimize user-related risks, procedures for threat and vulnerability management and cybersecurity incident response and recovery procedures

·      Annual reviews of cybersecurity policies and procedures and written reports describing the review and its findings  

·      A requirement to report significant cybersecurity incidents to the SEC within 48 hours of determining that an incident has occurred  

·      Disclosure of cybersecurity risks and incidents to clients

·      Record keeping requirements obliging advisors to maintain records regarding their cybersecurity programs for five years.

General Data Protection Regulation
The GDPR similarly imposes privacy obligations on advisors, including American advisors, who are established in the European Union or who offer investment opportunities to EU individuals. 

Whether an investor is "established" in the EU is a complex question that should be evaluated on a case-by-case basis. Such an analysis will include whether the advisor has a physical presence in the EU or whether data processing activities are inextricably linked to the activities, such as revenue raising, of a local EU establishment. 

An advisor governed by the GDPR will be required to have a GDPR privacy notice and abide by several other privacy and cybersecurity requirements. For example, if an advisor is not established in the EU, they must appoint a local representative in the EU for clients with questions about their privacy rights. Also per the GDPR, clients have rights including access to their personal information and the right to have it corrected or deleted on demand. Additionally, many jurisdictions, including the European Union, United Kingdom, Canada, Japan and others, require that financial advisors post a website privacy notice that addresses their data collection, use, and sharing practices with respect to the personal information of site users. 

The GDPR also imposes robust data protection requirements on a business — and penalties for noncompliance can be steep. Financial advisors should work closely with privacy and security counsel to mitigate such risk by developing and fully implementing the appropriate privacy notice and cybersecurity policies and procedures.