On June 2, 2010, the Financial Industry Regulatory Authority, Inc. (“FINRA”) filed with the Securities and Exchange Commission (the “Commission” or “SEC”), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the “Exchange Act” or “Act”)  and Rule 19b-4 thereunder, a proposed rule change to amend FINRA Rule 8210 to require that information provided via portable media device to FINRA in response to a request under the rule be encrypted. The proposed rule change was published for comment in the Federal Register on June 25, 2010.
II. Background and Description of Proposal
FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books) confers on FINRA staff the authority to compel a member, person associated with a member, or other person over whom FINRA has jurisdiction, to produce documents, provide testimony, or supply written responses or electronic data in connection with an investigation, complaint, examination or adjudicatory proceeding. The rule applies to all members, associated persons, and other persons over whom FINRA has jurisdiction, including former associated persons subject to FINRA's jurisdiction as described in the FINRA By-Laws. FINRA Rule 8210(c) provides that a member's or person's failure to provide information or testimony or to permit an inspection Start Printed Page 61794and copying of books, records, or accounts is a violation of the rule.
FINRA is proposing to amend FINRA Rule 8210 to require that information provided via a portable media device pursuant to a request under the rule be encrypted, as discussed further below. Requiring such information to be encrypted will help ensure that such information, which in many instances includes individuals' personal information, is protected from unauthorized or improper use.
According to FINRA, frequently, members and persons who respond to requests pursuant to FINRA Rule 8210 provide information in electronic format. Because of the size of the electronic files, persons often provide information in electronic format using a portable media device such as a CD-ROM, DVD or portable hard drive. In many instances, the response contains personal information that, if accessed by an unauthorized person, could be used inappropriately. For example, a response may include a person's first and last name, or first initial and last name, in combination with that person's: (1) Social security number; (2) driver's license, passport or government-issued identification number; or (3) financial account number (including but not limited to the number of a brokerage account, debit card, credit card, checking account, or savings account). If such personal information were to be intercepted by an unauthorized third party, it could be used improperly.
Additionally, according to FINRA, data security issues regarding personal information have become increasingly important in recent years. In this regard, FINRA believes that requiring persons to encrypt information on portable media devices provided to FINRA in response to FINRA Rule 8210 requests will help ensure that personal information is protected from improper use by unauthorized third parties.
The proposed rule change would require that information provided via a portable media device be “encrypted,” i.e., the data must be encoded into a form in which meaning cannot be assigned without the use of a confidential process or key. To help ensure that encrypted information is secure, persons providing encrypted information to FINRA via a portable media device would be required: (1) To use an encryption method that meets industry standards for strong encryption; and (2) to provide FINRA staff with the confidential process or key regarding the encryption in a communication separate from the encrypted information itself (e.g., a separate e-mail, fax or letter).
III. Discussion of Comment Letters and Commission Findings
The Commission received eleven comment letters on the proposed rule change and FINRA responded to these comments. One commenter supported the proposal, but recommended that FINRA's rules be amended to add information security rules for itself and notify registrants when their non-public information has been accessed. Two commenters questioned the need for the encryption requirement and suggested that FINRA, and not its members, should undertake the responsibility of establishing data protection  and controls. Another commenter believed that the proposed rule change did not address FINRA's responsibility to maintain the confidentiality of the information it obtains and proposed that members be allowed to redact sensitive information. FINRA responded that these comments do not address the purpose of the proposal which is to safeguard information being delivered to FINRA via portable media device and noted that it has a “robust and current information security policy.” 
Five commenters indicated that the application of the proposed rule to electronic media and not paper documents is too narrow or misplaced. One commenter noted that the proposed rule change did not cover “hard data transfers” and was “inconsistent,” therefore “adding an unnecessary layer of cost and inconvenience to the normal process of business.”  Another commenter believed that the proposed rule was “form over function” and suggested that overnight delivery of the electronic files could accomplish the goals of the proposal. One commenter noted that FINRA wishes to remove the discretion of members to encrypt data and yet the proposal does not cover hard-copy, email and voluntary transmissions of information. This commenter stated that the proposed rule change “was a poor solution” and suggested that FINRA allow members discretion to determine encryption methods and apply them to all transmissions to FINRA. FINRA responded to these comments by stating that it believes that encryption is a useful method to protect electronic data and notes that it is not technically possible to encrypt information in paper form. FINRA suggested that it might accept only electronic submissions of information in the future, but currently must accept the limitations of paper delivery. FINRA also stated that it will explore encryption of other communication methods such as email. FINRA states that “the argument that the difficulty of the perfect encryption of all information irrespective of media is a reason not to protect that information which can be encrypted could be used to negate all iterative protections to investors and should not be credited as a matter of public policy.” 
Three commenters indicated that requiring encryption of all information sent via portable media devices is overbroad and suggested lesser content encryption. FINRA responded that it “believes it is simpler, more efficient and safer to require encryption of all information provided via portable media device pursuant to a request under the rule.”  FINRA stated that the requirement “obviates the need for FINRA to circumscribe and monitor, Start Printed Page 61795and for members to determine, the types of information that should or should not be encrypted under the rule.”  FINRA believes that the suggested alternatives would be more costly than the proposal and believes the proposal “further supports compliance with the laws in some jurisdictions.” 
Seven commenters believed that the proposal was difficult or costly to implement. For example, some commenters believe that small firms lack the technical experience to implement the proposal and may have to hire third parties. One commenter suggested an exception when information is provided directly to FINRA staff or on the FINRA premises. FINRA questioned the burden on members “given the availability of web-based encryption solutions currently available at low- or no-cost.”  FINRA noted that “members may be subject to various data protection laws that are in part the impetus” of the proposal. FINRA stated that it would “help educate its members about the process of encryption” and would “endeavor to provide information regarding various options for encrypting data, including low- or no-cost web-based encryption software.” 
Three commenters suggested that the proposed requirement to use an encryption method that “meets industry standards for strong encryption” is too vague and suggested alternatives such as providing members with the specific method of encryption. FINRA acknowledged that, as proposed, the rule does not mandate a specific method of encryption. However, FINRA believes that this standard, which it stated is “identical to that employed by Massachusettes and Nevada,” is necessary to “adapt to changing technology regarding encryption.”  FINRA stated that it does not believe that it is “appropriate at this time to dictate a `one size fits all' approach” to encryption. As designed, this requirement will allow each member to choose an appropriate method of encryption that works for it.
The Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to a national securities association. In particular, the Commission finds that the proposed rule change is consistent with the provisions of Section 15A(b)(6) of the Act, which requires, among other things, that FINRA rules be designed to prevent fraudulent and manipulative acts and practices, to promote just and equitable principles of trade, and, in general, to protect investors and the public interest.
The Commission believes that the proposed rule change is reasonably designed to ensure that information provided to FINRA on a portable media device in response to Rule 8210 is secure. FINRA has represented that this requirement is necessary to address laws in some jurisdictions that establish safeguards for personal information and records. The Commission also notes FINRA's representation that there are low- or no-cost ways to encrypt files and that it will help educate its members about the process of encryption and meeting their obligations under the rule. Although the Commission recognizes that the proposed rule change does not mandate a specific encryption method, the Commission believes that some flexibility is appropriate to allow for changes in technology and for members to choose encryption methods that meet their needs. Finally, the Commission believes that the fact that information produced to it in other forms, such as paper-based forms, for which there is no comparable means of protecting the information from unwanted disclosure, should not preclude the protection of information that can be protected.
It is therefore ordered, pursuant to Section 19b(2) of the Act, that the proposed rule change (SR-FINRA-2010-021) be, and hereby is, approved.Start Signature
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.
Florence E. Harmon,
3. See Securities Exchange Act Release No. 62318 (June 17, 2010), 75 FR 36461 (“Notice”).Back to Citation
4. See letter from David M. Sobel, Esq., EVP/CCO, Abel/Noser Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 6, 2010 (“Abel/Noser Letter”); letter from Larry Taunt, Chief Executive Officer, Regal Financial Group, to Elizabeth M. Murphy, Secretary, Commission, dated July 7, 2010 (“Regal Letter”); letter from Lisa Roth, NAIBD Member Advocacy Committee Chair, CEO/CCO, National Association of Independent Broker-Dealers, Inc., to Elizabeth M. Murphy, Secretary, Commission, dated July 9, 2010 (“NAIBD Letter”); letter from Chris Charles, President, Wulff, Hansen, & Co., to Elizabeth M. Murphy, Secretary, Commission, dated July 13, 2010 (“Wulff Hansen Letter”); letter from Tamara K. Salmon, Senior Associate Counsel, Investment Company Institute, to Elizabeth M. Murphy, Secretary, Commission, dated July 14, 2010 (“ICI Letter”); letter from Byron “Pat” Treat, President/CEO, Great Nation Investment Corporation, to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 (“Great Nation Letter”); letter from Eric Segall, Sr. V.P., Manager, Business Conduct, and Edward W. Wedbush, President, Wedbush Securities, Inc., to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 (“Wedbush Letter”); letter from Raymond C. Holland, Vice-Chairman, Triad Securites Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 (“Triad Letter I”); letter from Sis DeMarco, Director of Compliance, Triad Securities Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010 (“Triad Letter II”); letter from S. Kendrick Dunn, Assistant Vice President, Pacific Select Distributors, Inc. to Elizabeth M. Murphy, Secretary, Commission, dated July 16, 2010 (“PSD Letter”); and letter from Howard Spindel, Senior Managing Director, Integrated Management Solutions, to Elizabeth M. Murphy, Secretary, Commission, dated July 16, 2010 (“IMS Letter”).Back to Citation
5. See letter from Stan Macel, Assistant General Counsel, FINRA, to Elizabeth M. Murphy, Secretary, Commission, dated September 14, 2010 (“FINRA Letter”).Back to Citation
6. See FINRA By-Laws, Article V, Section 4(a) (Retention of Jurisdiction).Back to Citation
7. FINRA has emphasized that its members have an obligation under existing laws to protect confidential customer records and information pursuant to the requirements of SEC Regulation S-P. See, e.g., Notice to Members 05-49 (Safeguarding Confidential Customer Information).Back to Citation
8. The proposed rule change defines “portable media device” as a storage device for electronic information, including but not limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop computer, disc, diskette, or any other portable device for storing and transporting electronic information.Back to Citation
9. In its Notice, FINRA represents, for example, that some jurisdictions, including Massachusetts and Nevada, have recently enacted legislation that establishes minimum standards to safeguard personal information in electronic records. See, e.g., Commonwealth of Massachusetts, 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), effective March 1, 2010; State of Nevada, NRS 603A.215 (Security Measures for Data Collector that Accepts Payment Card; Use of Encryption; Liability for Damages; Applicability), effective January 1, 2010. As stated in the Notice, these laws contain penalties that can be imposed on persons and entities for failures to adequately safeguard electronic records containing personal information.Back to Citation
10. See supra notes 4 and 5.Back to Citation
11. See ICI Letter.Back to Citation
12. See NAIBD Letter (endorsed by Triad I Letter and Triad II Letter), and PSD Letter.Back to Citation
13. See NAIBD Letter.Back to Citation
14. See Wedbush Letter.Back to Citation
15. See FINRA Letter.Back to Citation
16. See Abel/Noser Letter, IMS Letter, NAIBD Letter, PSD Letter, and Regal Letter, and Abel/Noser Letter.Back to Citation
17. See Regal Letter.Back to Citation
18. See Abel/Noser Letter.Back to Citation
19. See IMS Letter.Back to Citation
20. Id.Back to Citation
21. See FINRA Letter.Back to Citation
22. Id.Back to Citation
23. Id.Back to Citation
24. Id.Back to Citation
25. See Great Nation Letter, IMS Letter, and PSD Letter.Back to Citation
26. See FINRA Letter.Back to Citation
27. Id.Back to Citation
28. Id.Back to Citation
29. See Abel/Noser Letter, Great Nation Letter, NAIBD Letter, PSE Letter, Triad Letter I, Triad Letter II, and Wulff Hansen Letter.Back to Citation
30. See, e.g., Great Nation Letter, NAIBD Letter, and PSE Letter.Back to Citation
31. See Wulff Hansen Letter.Back to Citation
32. See FINRA Letter.Back to Citation
33. Id.Back to Citation
34. Id.Back to Citation
35. See NAIBD Letter, PSE Letter, and Great Nation Letter.Back to Citation
36. See FINRA Letter.Back to Citation
37. Id.Back to Citation
38. Id.Back to Citation
39. Id.Back to Citation
40. In approving this proposal, the Commission has considered the proposed rule's impact on efficiency, competition and capital formation. See 15 U.S.C. 78c(f).Back to Citation
[FR Doc. 2010-25067 Filed 10-5-10; 8:45 am]
BILLING CODE 8011-01-P