In comments submitted to the U.S. Senate Banking Committee, SIFMA and the Managed Funds Association ("MFA") offered feedback on data privacy, protection and collection.

SIFMA advised Congress to:

  • ensure that any privacy regime is flexible enough to allow the use of new technology and foster innovation;
  • devise a federal data breach notification regime that preempts state laws and existing federal regulations and guidance;
  • be aware of the need to "harmonize any future privacy obligations," which may include new consumer rights, with current legal obligations for financial institutions; and
  • protect consumers' rights to "opt out of the sharing of personal financial data for third-party marketing purposes."

According to SIFMA, any federal privacy bill should make it clear that consumers cannot opt out of the sharing of personal financial information for anti-money laundering, fraud monitoring, financial crime prevention or other law enforcement purposes.

The MFA expressed concern over the SEC's ability to protect the data it requests from registered investment advisers, and urged the SEC to:

  • update policies to implement statutory requirements relating to protecting the confidential and proprietary information of registrants;
  • limit the scope of system risk filings to information that could identify risks, including cyber theft and exam requests, to data that is only necessary to ensure compliance;
  • include protections within the design of its forms and reporting systems to alleviate any cyber breaches; and
  • implement a process through which it would "exhaust less-sensitive means of understanding a firm's activities before requesting for any confidential, commercially-valuable intellectual property."

Commentary / Mark Chorazak

The antiquated and complicated 50-state patchwork of data breach notification requirements no longer reflects how consumers and merchants interact or how the flow of data works. For years, data experts and consumer groups have called for a comprehensive federal standard, without any action by Congress. High-profile data breaches in recent years should be more than enough reason for Congress to act. This is clearly a national - not state-by-state - issue.

Commentary / Steven Lofchie

One of the industry's most significant requests to Congress is that the government should acknowledge that the government is itself a material potential source of vulnerability in data protection. Put bluntly, information that is collected and stored by the government may be more accessible to hackers than the information stored by private parties. Given the vast quantity of information that may be collected by the government, a raid on the government's information could be a far larger haul than could be had by attacking almost any private party.
