Skip to Content


Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Notice of Filing of Proposed Rule Change To Amend FINRA Rule 8210 To Require Information Provided via Portable Media Device Be Encrypted

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble June 17, 2010.

Pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) [1] and rule 19b-4 thereunder,[2] notice is hereby given that on June 2, 2010, Financial Industry Regulatory Authority, Inc. (“FINRA”) filed with the Securities and Exchange Commission (“SEC” or “Commission”) the proposed rule change as described in Items I, II, and III below, which Items have been prepared by FINRA. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

I. Self-Regulatory Organization's Statement of the Terms of Substance of the Proposed Rule Change

FINRA is proposing to amend FINRA Rule 8210 to require that information provided via portable media device pursuant to a request under the rule be encrypted.

The text of the proposed rule change is available on FINRA's Web site at, at the principal office of FINRA and at the Commission's Public Reference Room.

II. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, FINRA included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. FINRA has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books) confers on FINRA staff the authority to compel a member, person associated with a member, or other person over whom FINRA has jurisdiction, to produce documents, provide testimony, or supply written responses or electronic data in connection with an investigation, complaint, examination or adjudicatory proceeding. The rule applies to all members, associated persons, and other persons over which FINRA has jurisdiction, including former associated persons subject to FINRA's jurisdiction as described in the FINRA By-Laws.[3] FINRA Rule 8210(c) provides that a member's or person's failure to provide information or testimony or to permit an inspection and copying of books, records, or accounts is a violation of the rule.

FINRA is proposing to amend FINRA Rule 8210 to require that information provided via a portable media device pursuant to a request under the rule be encrypted, as discussed further below. Start Printed Page 36462Requiring such information to be encrypted will help ensure that such information, which in many instances includes individuals' personal information, is protected from unauthorized or other improper use.[4]

Frequently, members and persons that respond to requests pursuant to FINRA Rule 8210 provide information in electronic format. Because of the size of the electronic files, persons often provide information in electronic format using a portable media device such as a CD-ROM, DVD or portable hard drive.[5] In many instances, the response contains personal information that, if accessed by an unauthorized person, could be used inappropriately. For example, a response may include a person's first and last name, or first initial and last name, in combination with that person's: (1) Social security number; (2) driver's license, passport or government-issued identification number; or (3) financial account number (including but not limited to number of a brokerage account, debit card, credit card, checking account, or savings account). If such personal information were to be intercepted by an unauthorized third party, it could be used improperly.

Data security issues regarding personal information have become increasingly important in recent years.[6] In this regard, FINRA believes that requiring persons to encrypt information on portable media devices provided to FINRA in response to FINRA Rule 8210 requests will help ensure that personal information is protected from improper use by unauthorized third parties.

The proposed rule change would require that responding information from a portable media device must be “encrypted”, i.e., the data must be encoded into a form in which meaning cannot be assigned without the use of a confidential process or key. To help ensure that encrypted information is secure, persons providing encrypted information to FINRA via a portable media device would be required: (1) To use an encryption method that meets industry standards for strong encryption; and (2) to provide FINRA staff with the confidential process or key regarding the encryption in a communication separate from the encrypted information itself (e.g., a separate e-mail, fax or letter).

FINRA will announce the effective date of the proposed rule change in a regulatory notice to be published no later than 60 days following Commission approval. The effective date will be 30 days following publication of the regulatory notice announcing Commission approval.

2. Statutory Basis

FINRA believes that the proposed rule change is consistent with the provisions of section 15A(b)(6) of the Act,[7] which requires, among other things, that FINRA rules must be designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, and, in general, to protect investors and the public interest. FINRA believes that the proposed rule change will help ensure that personal information provided in response to a request under FINRA Rule 8210 via a portable media device is protected from improper use by unauthorized third parties. Thus, FINRA believes the proposed rule change will help protect investors consistent with the statutory provisions noted above.

B. Self-Regulatory Organization's Statement on Burden on Competition

FINRA does not believe that the proposed rule change will result in any burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others

Written comments were neither solicited nor received.

III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 35 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the self-regulatory organization consents, the Commission will:

(A) By order approve such proposed rule change, or

(B) Institute proceedings to determine whether the proposed rule change should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

Paper Comments

  • Send paper comments in triplicate to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-1090.

All submissions should refer to File Number SR-FINRA-2010-021. This file number should be included on the subject line if e-mail is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site (​rules/​sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for Web site viewing and printing in the Commission's Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official Start Printed Page 36463business days between the hours of 10 a.m. and 3 p.m. Copies of such filing also will be available for inspection and copying at the principal office of FINRA. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make publicly available. All submissions should refer to File Number SR-FINRA-2010-021 and should be submitted on or before July 16, 2010.

Start Signature

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[8]

Florence E. Harmon,

Deputy Secretary.

End Signature End Preamble


3.  See FINRA By-Laws, Article V, Section 4(a) (Retention of Jurisdiction).

Back to Citation

4.  FINRA has emphasized that its members have an obligation under existing laws to protect confidential customer records and information pursuant to the requirements of SEC Regulation S-P. See, e.g., Notice to Members 05-49 (Safeguarding Confidential Customer Information).

Back to Citation

5.  The proposed rule change defines “portable media device” as a storage device for electronic information, including but not limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop computer, disc, diskette, or any other portable device for storing and transporting electronic information.

Back to Citation

6.  For example, some jurisdictions, including Massachusetts and Nevada, have recently enacted legislation that establishes minimum standards to safeguard personal information in electronic records. See, e.g., Commonwealth of Massachusetts, 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), effective March 1, 2010; State of Nevada, NRS 603A.215 (Security Measures for Data Collector that Accepts Payment Card; Use of Encryption; Liability for Damages; Applicability), effective January 1, 2010. These laws contain potential penalties against persons and entities for failures to adequately safeguard electronic information containing personal information.

Back to Citation

[FR Doc. 2010-15359 Filed 6-24-10; 8:45 am]