Self-Regulatory Organizations; Financial Industry Regulatory Authority, Inc.; Order Approving Proposed Rule Change to Amend FINRA Rule 8210 to Require Information Provided via Portable Media Device be Encrypted, 61793-61795 [2010-25067]
Federal Register / Vol. 75, No. 193 / Wednesday, October 6, 2010 / Notices
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–63016; File No. SR–FINRA–
2010–021]
Self-Regulatory Organizations;
Financial Industry Regulatory
Authority, Inc.; Order Approving
Proposed Rule Change to Amend
FINRA Rule 8210 to Require
Information Provided via Portable
Media Device be Encrypted
September 29, 2010.
I. Introduction
On June 2, 2010, the Financial
Industry Regulatory Authority, Inc.
(‘‘FINRA’’) filed with the Securities and
Exchange Commission (the
‘‘Commission’’ or ‘‘SEC’’), pursuant to
Section 19(b)(1) of the Securities
Exchange Act of 1934 (the ‘‘Exchange
Act’’ or ‘‘Act’’) 1 and Rule 19b–4
thereunder,2 a proposed rule change to
amend FINRA Rule 8210 to require that
information provided via portable
media device to FINRA in response to
a request under the rule be encrypted.
The proposed rule change was
published for comment in the Federal
Register on June 25, 2010.3
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.
3 See Securities Exchange Act Release No. 62318 (June 17, 2010), 75 FR 36461 (‘‘Notice’’).
The Commission received eleven
comment letters on the proposal.4
FINRA responded to these comment
letters in a letter dated September 14,
2010.5 This order approves the
proposed rule change.
II. Background and Description of
Proposal
FINRA Rule 8210 (Provision of
Information and Testimony and
Inspection and Copying of Books)
confers on FINRA staff the authority to
compel a member, person associated
with a member, or other person over
whom FINRA has jurisdiction, to
produce documents, provide testimony,
or supply written responses or
electronic data in connection with an
investigation, complaint, examination or
adjudicatory proceeding. The rule
applies to all members, associated
persons, and other persons over whom
FINRA has jurisdiction, including
former associated persons subject to
FINRA’s jurisdiction as described in the
FINRA By-Laws.6 FINRA Rule 8210(c)
provides that a member’s or person’s
failure to provide information or
testimony or to permit an inspection
4 See letter from David M. Sobel, Esq., EVP/CCO,
Abel/Noser Corp., to Elizabeth M. Murphy,
Secretary, Commission, dated July 6, 2010 (‘‘Abel/
Noser Letter’’); letter from Larry Taunt, Chief
Executive Officer, Regal Financial Group, to
Elizabeth M. Murphy, Secretary, Commission, dated
July 7, 2010 (‘‘Regal Letter’’); letter from Lisa Roth,
NAIBD Member Advocacy Committee Chair, CEO/
CCO, National Association of Independent Broker-Dealers, Inc., to Elizabeth M. Murphy, Secretary,
Commission, dated July 9, 2010 (‘‘NAIBD Letter’’);
letter from Chris Charles, President, Wulff, Hansen,
& Co., to Elizabeth M. Murphy, Secretary,
Commission, dated July 13, 2010 (‘‘Wulff Hansen
Letter’’); letter from Tamara K. Salmon, Senior
Associate Counsel, Investment Company Institute,
to Elizabeth M. Murphy, Secretary, Commission,
dated July 14, 2010 (‘‘ICI Letter’’); letter from Byron
‘‘Pat’’ Treat, President/CEO, Great Nation
Investment Corporation, to Elizabeth M. Murphy,
Secretary, Commission, dated July 15, 2010 (‘‘Great
Nation Letter’’); letter from Eric Segall, Sr. V.P.,
Manager, Business Conduct, and Edward W.
Wedbush, President, Wedbush Securities, Inc., to
Elizabeth M. Murphy, Secretary, Commission, dated
July 15, 2010 (‘‘Wedbush Letter’’); letter from
Raymond C. Holland, Vice-Chairman, Triad
Securities Corp., to Elizabeth M. Murphy, Secretary,
Commission, dated July 15, 2010 (‘‘Triad Letter I’’);
letter from Sis DeMarco, Director of Compliance,
Triad Securities Corp., to Elizabeth M. Murphy,
Secretary, Commission, dated July 15, 2010 (‘‘Triad
Letter II’’); letter from S. Kendrick Dunn, Assistant
Vice President, Pacific Select Distributors, Inc. to
Elizabeth M. Murphy, Secretary, Commission, dated
July 16, 2010 (‘‘PSD Letter’’); and letter from Howard
Spindel, Senior Managing Director, Integrated
Management Solutions, to Elizabeth M. Murphy,
Secretary, Commission, dated July 16, 2010 (‘‘IMS
Letter’’).
5 See letter from Stan Macel, Assistant General
Counsel, FINRA, to Elizabeth M. Murphy,
Secretary, Commission, dated September 14, 2010
(‘‘FINRA Letter’’).
6 See FINRA By-Laws, Article V, Section 4(a)
(Retention of Jurisdiction).
and copying of books, records, or
accounts is a violation of the rule.
FINRA is proposing to amend FINRA
Rule 8210 to require that information
provided via a portable media device
pursuant to a request under the rule be
encrypted, as discussed further below.
Requiring such information to be
encrypted will help ensure that such
information, which in many instances
includes individuals’ personal
information, is protected from
unauthorized or improper use.7
According to FINRA, frequently,
members and persons who respond to
requests pursuant to FINRA Rule 8210
provide information in electronic
format. Because of the size of the
electronic files, persons often provide
information in electronic format using a
portable media device such as a CD–
ROM, DVD or portable hard drive.8 In
many instances, the response contains
personal information that, if accessed by
an unauthorized person, could be used
inappropriately. For example, a
response may include a person’s first
and last name, or first initial and last
name, in combination with that
person’s: (1) Social security number; (2)
driver’s license, passport or
government-issued identification
number; or (3) financial account number
(including but not limited to the number
of a brokerage account, debit card, credit
card, checking account, or savings
account). If such personal information
were to be intercepted by an
unauthorized third party, it could be
used improperly.
Additionally, according to FINRA,
data security issues regarding personal
information have become increasingly
important in recent years.9 In this
7 FINRA has emphasized that its members have
an obligation under existing laws to protect
confidential customer records and information
pursuant to the requirements of SEC Regulation S–
P. See, e.g., Notice to Members 05–49 (Safeguarding
Confidential Customer Information).
8 The proposed rule change defines ‘‘portable
media device’’ as a storage device for electronic
information, including but not limited to a flash
drive, CD–ROM, DVD, portable hard drive, laptop
computer, disc, diskette, or any other portable
device for storing and transporting electronic
information.
9 In its Notice, FINRA represents, for example,
that some jurisdictions, including Massachusetts
and Nevada, have recently enacted legislation that
establishes minimum standards to safeguard
personal information in electronic records. See, e.g.,
Commonwealth of Massachusetts, 201 CMR 17.00
(Standards for the Protection of Personal
Information of Residents of the Commonwealth),
effective March 1, 2010; State of Nevada, NRS
603A.215 (Security Measures for Data Collector that
Accepts Payment Card; Use of Encryption; Liability
for Damages; Applicability), effective January 1,
2010. As stated in the Notice, these laws contain
penalties that can be imposed on persons and
entities for failures to adequately safeguard
electronic records containing personal information.
regard, FINRA believes that requiring
persons to encrypt information on
portable media devices provided to
FINRA in response to FINRA Rule 8210
requests will help ensure that personal
information is protected from improper
use by unauthorized third parties.
The proposed rule change would
require that information provided via a
portable media device be ‘‘encrypted,’’
i.e., the data must be encoded into a
form in which meaning cannot be
assigned without the use of a
confidential process or key. To help
ensure that encrypted information is
secure, persons providing encrypted
information to FINRA via a portable
media device would be required: (1) To
use an encryption method that meets
industry standards for strong
encryption; and (2) to provide FINRA
staff with the confidential process or
key regarding the encryption in a
communication separate from the
encrypted information itself (e.g., a
separate e-mail, fax or letter).
III. Discussion of Comment Letters and
Commission Findings
The Commission received eleven
comment letters on the proposed rule
change and FINRA responded to these
comments.10 One commenter supported
the proposal, but recommended that
FINRA’s rules be amended to add
information security rules for itself and
notify registrants when their non-public
information has been accessed.11 Two
commenters questioned the need for the
encryption requirement and suggested
that FINRA, and not its members,
should undertake the responsibility of
establishing data protection 12 and
controls.13 Another commenter believed
that the proposed rule change did not
address FINRA’s responsibility to
maintain the confidentiality of the
information it obtains and proposed that
members be allowed to redact sensitive
information.14 FINRA responded that
these comments do not address the
purpose of the proposal which is to
safeguard information being delivered to
FINRA via portable media device and
noted that it has a ‘‘robust and current
information security policy.’’ 15
Five commenters indicated that the
application of the proposed rule to
electronic media and not paper
documents is too narrow or
10 See supra notes 4 and 5.
11 See ICI Letter.
12 See NAIBD Letter (endorsed by Triad I Letter and Triad II Letter), and PSD Letter.
13 See NAIBD Letter.
14 See Wedbush Letter.
15 See FINRA Letter.
misplaced.16 One commenter noted that
the proposed rule change did not cover
‘‘hard data transfers’’ and was
‘‘inconsistent,’’ therefore ‘‘adding an
unnecessary layer of cost and
inconvenience to the normal process of
business.’’ 17 Another commenter
believed that the proposed rule was
‘‘form over function’’ and suggested that
overnight delivery of the electronic files
could accomplish the goals of the
proposal.18 One commenter noted that
FINRA wishes to remove the discretion
of members to encrypt data and yet the
proposal does not cover hard-copy,
email and voluntary transmissions of
information.19 This commenter stated
that the proposed rule change ‘‘was a
poor solution’’ and suggested that
FINRA allow members discretion to
determine encryption methods and
apply them to all transmissions to
FINRA.20 FINRA responded to these
comments by stating that it believes that
encryption is a useful method to protect
electronic data and notes that it is not
technically possible to encrypt
information in paper form.21 FINRA
suggested that it might accept only
electronic submissions of information in
the future, but currently must accept the
limitations of paper delivery.22 FINRA
also stated that it will explore
encryption of other communication
methods such as email.23 FINRA states
that ‘‘the argument that the difficulty of
the perfect encryption of all information
irrespective of media is a reason not to
protect that information which can be
encrypted could be used to negate all
iterative protections to investors and
should not be credited as a matter of
public policy.’’ 24
Three commenters indicated that
requiring encryption of all information
sent via portable media devices is
overbroad and suggested lesser content
encryption.25 FINRA responded that it
‘‘believes it is simpler, more efficient
and safer to require encryption of all
information provided via portable
media device pursuant to a request
under the rule.’’ 26 FINRA stated that the
requirement ‘‘obviates the need for
FINRA to circumscribe and monitor,
16 See Abel/Noser Letter, IMS Letter, NAIBD
Letter, PSD Letter, and Regal Letter, and Abel/Noser
Letter.
17 See Regal Letter.
18 See Abel/Noser Letter.
19 See IMS Letter.
20 Id.
21 See FINRA Letter.
22 Id.
23 Id.
24 Id.
25 See Great Nation Letter, IMS Letter, and PSD
Letter.
26 See FINRA Letter.
and for members to determine, the types
of information that should or should not
be encrypted under the rule.’’ 27 FINRA
believes that the suggested alternatives
would be more costly than the proposal
and believes the proposal ‘‘further
supports compliance with the laws in
some jurisdictions.’’ 28
Seven commenters believed that the
proposal was difficult or costly to
implement.29 For example, some
commenters believe that small firms
lack the technical experience to
implement the proposal and may have
to hire third parties.30 One commenter
suggested an exception when
information is provided directly to
FINRA staff or on the FINRA
premises.31 FINRA questioned the
burden on members ‘‘given the
availability of web-based encryption
solutions currently available at low- or
no-cost.’’ 32 FINRA noted that ‘‘members
may be subject to various data
protection laws that are in part the
impetus’’ of the proposal.33 FINRA
stated that it would ‘‘help educate its
members about the process of
encryption’’ and would ‘‘endeavor to
provide information regarding various
options for encrypting data, including
low- or no-cost web-based encryption
software.’’ 34
Three commenters suggested that the
proposed requirement to use an
encryption method that ‘‘meets industry
standards for strong encryption’’ is too
vague and suggested alternatives such as
providing members with the specific
method of encryption.35 FINRA
acknowledged that, as proposed, the
rule does not mandate a specific method
of encryption.36 However, FINRA
believes that this standard, which it
stated is ‘‘identical to that employed by
Massachusetts and Nevada,’’ is
necessary to ‘‘adapt to changing
technology regarding encryption.’’ 37
FINRA stated that it does not believe
that it is ‘‘appropriate at this time to
dictate a ‘one size fits all’ approach’’ to
encryption.38 As designed, this
requirement will allow each member to
27 Id.
28 Id.
29 See Abel/Noser Letter, Great Nation Letter,
NAIBD Letter, PSE Letter, Triad Letter I, Triad
Letter II, and Wulff Hansen Letter.
30 See, e.g., Great Nation Letter, NAIBD Letter,
and PSE Letter.
31 See Wulff Hansen Letter.
32 See FINRA Letter.
33 Id.
34 Id.
35 See NAIBD Letter, PSE Letter, and Great Nation
Letter.
36 See FINRA Letter.
37 Id.
38 Id.
choose an appropriate method of
encryption that works for it.39
The Commission finds that the
proposed rule change is consistent with
the requirements of the Act and the
rules and regulations thereunder
applicable to a national securities
association.40 In particular, the
Commission finds that the proposed
rule change is consistent with the
provisions of Section 15A(b)(6) of the
Act,41 which requires, among other
things, that FINRA rules be designed to
prevent fraudulent and manipulative
acts and practices, to promote just and
equitable principles of trade, and, in
general, to protect investors and the
public interest.
The Commission believes that the
proposed rule change is reasonably
designed to ensure that information
provided to FINRA on a portable media
device in response to Rule 8210 is
secure. FINRA has represented that this
requirement is necessary to address
laws in some jurisdictions that establish
safeguards for personal information and
records. The Commission also notes
FINRA’s representation that there are
low- or no-cost ways to encrypt files and
that it will help educate its members
about the process of encryption and
meeting their obligations under the rule.
Although the Commission recognizes
that the proposed rule change does not
mandate a specific encryption method,
the Commission believes that some
flexibility is appropriate to allow for
changes in technology and for members
to choose encryption methods that meet
their needs. Finally, the Commission
believes that the fact that information
produced to it in other forms, such as
paper-based forms, for which there is no
comparable means of protecting the
information from unwanted disclosure,
should not preclude the protection of
information that can be protected.
IV. Conclusion
It is therefore ordered, pursuant to
Section 19b(2) of the Act,42 that the
proposed rule change (SR–FINRA–
2010–021) be, and hereby is, approved.
40 In approving this proposal, the Commission has
considered the proposed rule’s impact on
efficiency, competition and capital formation. See
15 U.S.C. 78c(f).
41 15 U.S.C. 78o–3(b)(6).
42 15 U.S.C. 78s(b)(2).
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.43
Florence E. Harmon,
Deputy Secretary.
[FR Doc. 2010–25067 Filed 10–5–10; 8:45 am]
BILLING CODE 8011–01–P
39 Id.
43 17 CFR 200.30–3(a)(12).
[Federal Register Volume 75, Number 193 (Wednesday, October 6, 2010)]
[Notices]
[Pages 61793-61795]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-25067]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-63016; File No. SR-FINRA-2010-021]
Self-Regulatory Organizations; Financial Industry Regulatory
Authority, Inc.; Order Approving Proposed Rule Change to Amend FINRA
Rule 8210 to Require Information Provided via Portable Media Device be
Encrypted
September 29, 2010.
I. Introduction
On June 2, 2010, the Financial Industry Regulatory Authority, Inc.
(``FINRA'') filed with the Securities and Exchange Commission (the
``Commission'' or ``SEC''), pursuant to Section 19(b)(1) of the
Securities Exchange Act of 1934 (the ``Exchange Act'' or ``Act'') \1\
and Rule 19b-4 thereunder,\2\ a proposed rule change to amend FINRA
Rule 8210 to require that information provided via portable media
device to FINRA in response to a request under the rule be encrypted.
The proposed rule change was published for comment in the Federal
Register on June 25, 2010.\3\
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ See Securities Exchange Act Release No. 62318 (June 17,
2010), 75 FR 36461 (``Notice'').
---------------------------------------------------------------------------
The Commission received eleven comment letters on the proposal.\4\
FINRA responded to these comment letters in a letter dated September
14, 2010.\5\ This order approves the proposed rule change.
---------------------------------------------------------------------------
\4\ See letter from David M. Sobel, Esq., EVP/CCO, Abel/Noser
Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 6,
2010 (``Abel/Noser Letter''); letter from Larry Taunt, Chief
Executive Officer, Regal Financial Group, to Elizabeth M. Murphy,
Secretary, Commission, dated July 7, 2010 (``Regal Letter''); letter
from Lisa Roth, NAIBD Member Advocacy Committee Chair, CEO/CCO,
National Association of Independent Broker-Dealers, Inc., to
Elizabeth M. Murphy, Secretary, Commission, dated July 9, 2010
(``NAIBD Letter''); letter from Chris Charles, President, Wulff,
Hansen, & Co., to Elizabeth M. Murphy, Secretary, Commission, dated
July 13, 2010 (``Wulff Hansen Letter''); letter from Tamara K.
Salmon, Senior Associate Counsel, Investment Company Institute, to
Elizabeth M. Murphy, Secretary, Commission, dated July 14, 2010
(``ICI Letter''); letter from Byron ``Pat'' Treat, President/CEO,
Great Nation Investment Corporation, to Elizabeth M. Murphy,
Secretary, Commission, dated July 15, 2010 (``Great Nation
Letter''); letter from Eric Segall, Sr. V.P., Manager, Business
Conduct, and Edward W. Wedbush, President, Wedbush Securities, Inc.,
to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010
(``Wedbush Letter''); letter from Raymond C. Holland, Vice-Chairman,
Triad Securities Corp., to Elizabeth M. Murphy, Secretary,
Commission, dated July 15, 2010 (``Triad Letter I''); letter from
Sis DeMarco, Director of Compliance, Triad Securities Corp., to
Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010
(``Triad Letter II''); letter from S. Kendrick Dunn, Assistant Vice
President, Pacific Select Distributors, Inc. to Elizabeth M. Murphy,
Secretary, Commission, dated July 16, 2010 (``PSD Letter''); and
letter from Howard Spindel, Senior Managing Director, Integrated
Management Solutions, to Elizabeth M. Murphy, Secretary, Commission,
dated July 16, 2010 (``IMS Letter'').
\5\ See letter from Stan Macel, Assistant General Counsel,
FINRA, to Elizabeth M. Murphy, Secretary, Commission, dated
September 14, 2010 (``FINRA Letter'').
---------------------------------------------------------------------------
II. Background and Description of Proposal
FINRA Rule 8210 (Provision of Information and Testimony and
Inspection and Copying of Books) confers on FINRA staff the authority
to compel a member, person associated with a member, or other person
over whom FINRA has jurisdiction, to produce documents, provide
testimony, or supply written responses or electronic data in connection
with an investigation, complaint, examination or adjudicatory
proceeding. The rule applies to all members, associated persons, and
other persons over whom FINRA has jurisdiction, including former
associated persons subject to FINRA's jurisdiction as described in the
FINRA By-Laws.\6\ FINRA Rule 8210(c) provides that a member's or
person's failure to provide information or testimony or to permit an
inspection
[[Page 61794]]
and copying of books, records, or accounts is a violation of the rule.
---------------------------------------------------------------------------
\6\ See FINRA By-Laws, Article V, Section 4(a) (Retention of
Jurisdiction).
---------------------------------------------------------------------------
FINRA is proposing to amend FINRA Rule 8210 to require that
information provided via a portable media device pursuant to a request
under the rule be encrypted, as discussed further below. Requiring such
information to be encrypted will help ensure that such information,
which in many instances includes individuals' personal information, is
protected from unauthorized or improper use.\7\
---------------------------------------------------------------------------
\7\ FINRA has emphasized that its members have an obligation
under existing laws to protect confidential customer records and
information pursuant to the requirements of SEC Regulation S-P. See,
e.g., Notice to Members 05-49 (Safeguarding Confidential Customer
Information).
---------------------------------------------------------------------------
According to FINRA, frequently, members and persons who respond to
requests pursuant to FINRA Rule 8210 provide information in electronic
format. Because of the size of the electronic files, persons often
provide information in electronic format using a portable media device
such as a CD-ROM, DVD or portable hard drive.\8\ In many instances, the
response contains personal information that, if accessed by an
unauthorized person, could be used inappropriately. For example, a
response may include a person's first and last name, or first initial
and last name, in combination with that person's: (1) Social security
number; (2) driver's license, passport or government-issued
identification number; or (3) financial account number (including but
not limited to the number of a brokerage account, debit card, credit
card, checking account, or savings account). If such personal
information were to be intercepted by an unauthorized third party, it
could be used improperly.
---------------------------------------------------------------------------
\8\ The proposed rule change defines ``portable media device''
as a storage device for electronic information, including but not
limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop
computer, disc, diskette, or any other portable device for storing
and transporting electronic information.
---------------------------------------------------------------------------
Additionally, according to FINRA, data security issues regarding
personal information have become increasingly important in recent
years.\9\ In this regard, FINRA believes that requiring persons to
encrypt information on portable media devices provided to FINRA in
response to FINRA Rule 8210 requests will help ensure that personal
information is protected from improper use by unauthorized third
parties.
---------------------------------------------------------------------------
\9\ In its Notice, FINRA represents, for example, that some
jurisdictions, including Massachusetts and Nevada, have recently
enacted legislation that establishes minimum standards to safeguard
personal information in electronic records. See, e.g., Commonwealth
of Massachusetts, 201 CMR 17.00 (Standards for the Protection of
Personal Information of Residents of the Commonwealth), effective
March 1, 2010; State of Nevada, NRS 603A.215 (Security Measures for
Data Collector that Accepts Payment Card; Use of Encryption;
Liability for Damages; Applicability), effective January 1, 2010. As
stated in the Notice, these laws contain penalties that can be
imposed on persons and entities for failures to adequately safeguard
electronic records containing personal information.
---------------------------------------------------------------------------
The proposed rule change would require that information provided
via a portable media device be ``encrypted,'' i.e., the data must be
encoded into a form in which meaning cannot be assigned without the use
of a confidential process or key. To help ensure that encrypted
information is secure, persons providing encrypted information to FINRA
via a portable media device would be required: (1) To use an encryption
method that meets industry standards for strong encryption; and (2) to
provide FINRA staff with the confidential process or key regarding the
encryption in a communication separate from the encrypted information
itself (e.g., a separate e-mail, fax or letter).
III. Discussion of Comment Letters and Commission Findings
The Commission received eleven comment letters on the proposed rule
change and FINRA responded to these comments.\10\ One commenter
supported the proposal, but recommended that FINRA's rules be amended
to add information security rules for itself and notify registrants
when their non-public information has been accessed.\11\ Two commenters
questioned the need for the encryption requirement and suggested that
FINRA, and not its members, should undertake the responsibility of
establishing data protection \12\ and controls.\13\ Another commenter
believed that the proposed rule change did not address FINRA's
responsibility to maintain the confidentiality of the information it
obtains and proposed that members be allowed to redact sensitive
information.\14\ FINRA responded that these comments do not address the
purpose of the proposal, which is to safeguard information being
delivered to FINRA via portable media device and noted that it has a
``robust and current information security policy.'' \15\
---------------------------------------------------------------------------
\10\ See supra notes 4 and 5.
\11\ See ICI Letter.
\12\ See NAIBD Letter (endorsed by Triad I Letter and Triad II
Letter), and PSD Letter.
\13\ See NAIBD Letter.
\14\ See Wedbush Letter.
\15\ See FINRA Letter.
---------------------------------------------------------------------------
Five commenters indicated that the application of the proposed rule
to electronic media and not paper documents is too narrow or
misplaced.\16\ One commenter noted that the proposed rule change did
not cover ``hard data transfers'' and was ``inconsistent,'' therefore
``adding an unnecessary layer of cost and inconvenience to the normal
process of business.'' \17\ Another commenter believed that the
proposed rule was ``form over function'' and suggested that overnight
delivery of the electronic files could accomplish the goals of the
proposal.\18\ One commenter noted that FINRA wishes to remove the
discretion of members to encrypt data and yet the proposal does not
cover hard-copy, email and voluntary transmissions of information.\19\
This commenter stated that the proposed rule change ``was a poor
solution'' and suggested that FINRA allow members discretion to
determine encryption methods and apply them to all transmissions to
FINRA.\20\ FINRA responded to these comments by stating that it
believes that encryption is a useful method to protect electronic data
and notes that it is not technically possible to encrypt information in
paper form.\21\ FINRA suggested that it might accept only electronic
submissions of information in the future, but currently must accept the
limitations of paper delivery.\22\ FINRA also stated that it will
explore encryption of other communication methods such as email.\23\
FINRA states that ``the argument that the difficulty of the perfect
encryption of all information irrespective of media is a reason not to
protect that information which can be encrypted could be used to negate
all iterative protections to investors and should not be credited as a
matter of public policy.'' \24\
---------------------------------------------------------------------------
\16\ See Abel/Noser Letter, IMS Letter, NAIBD Letter, PSD
Letter, and Regal Letter.
\17\ See Regal Letter.
\18\ See Abel/Noser Letter.
\19\ See IMS Letter.
\20\ Id.
\21\ See FINRA Letter.
\22\ Id.
\23\ Id.
\24\ Id.
---------------------------------------------------------------------------
Three commenters indicated that requiring encryption of all
information sent via portable media devices is overbroad and suggested
lesser content encryption.\25\ FINRA responded that it ``believes it is
simpler, more efficient and safer to require encryption of all
information provided via portable media device pursuant to a request
under the rule.'' \26\ FINRA stated that the requirement ``obviates the
need for FINRA to circumscribe and monitor,
and for members to determine, the types of information that should or
should not be encrypted under the rule.'' \27\ FINRA believes that the
suggested alternatives would be more costly than the proposal and
believes the proposal ``further supports compliance with the laws in
some jurisdictions.'' \28\
---------------------------------------------------------------------------
\25\ See Great Nation Letter, IMS Letter, and PSD Letter.
\26\ See FINRA Letter.
\27\ Id.
\28\ Id.
---------------------------------------------------------------------------
Seven commenters believed that the proposal was difficult or costly
to implement.\29\ For example, some commenters believe that small firms
lack the technical experience to implement the proposal and may have to
hire third parties.\30\ One commenter suggested an exception when
information is provided directly to FINRA staff or on the FINRA
premises.\31\ FINRA questioned the burden on members ``given the
availability of web-based encryption solutions currently available at
low- or no-cost.'' \32\ FINRA noted that ``members may be subject to
various data protection laws that are in part the impetus'' of the
proposal.\33\ FINRA stated that it would ``help educate its members
about the process of encryption'' and would ``endeavor to provide
information regarding various options for encrypting data, including
low- or no-cost web-based encryption software.'' \34\
---------------------------------------------------------------------------
\29\ See Abel/Noser Letter, Great Nation Letter, NAIBD Letter,
PSE Letter, Triad Letter I, Triad Letter II, and Wulff Hansen
Letter.
\30\ See, e.g., Great Nation Letter, NAIBD Letter, and PSE
Letter.
\31\ See Wulff Hansen Letter.
\32\ See FINRA Letter.
\33\ Id.
\34\ Id.
---------------------------------------------------------------------------
Three commenters suggested that the proposed requirement to use an
encryption method that ``meets industry standards for strong
encryption'' is too vague and suggested alternatives such as providing
members with the specific method of encryption.\35\ FINRA acknowledged
that, as proposed, the rule does not mandate a specific method of
encryption.\36\ However, FINRA believes that this standard, which it
stated is ``identical to that employed by Massachusetts and Nevada,''
is necessary to ``adapt to changing technology regarding encryption.''
\37\ FINRA stated that it does not believe that it is ``appropriate at
this time to dictate a `one size fits all' approach'' to
encryption.\38\ As designed, this requirement will allow each member to
choose an appropriate method of encryption that works for it.\39\
---------------------------------------------------------------------------
\35\ See NAIBD Letter, PSE Letter, and Great Nation Letter.
\36\ See FINRA Letter.
\37\ Id.
\38\ Id.
\39\ Id.
---------------------------------------------------------------------------
The Commission finds that the proposed rule change is consistent
with the requirements of the Act and the rules and regulations
thereunder applicable to a national securities association.\40\ In
particular, the Commission finds that the proposed rule change is
consistent with the provisions of Section 15A(b)(6) of the Act,\41\
which requires, among other things, that FINRA rules be designed to
prevent fraudulent and manipulative acts and practices, to promote just
and equitable principles of trade, and, in general, to protect
investors and the public interest.
---------------------------------------------------------------------------
\40\ In approving this proposal, the Commission has considered
the proposed rule's impact on efficiency, competition and capital
formation. See 15 U.S.C. 78c(f).
\41\ 15 U.S.C. 78o-3(b)(6).
---------------------------------------------------------------------------
The Commission believes that the proposed rule change is reasonably
designed to ensure that information provided to FINRA on a portable
media device in response to Rule 8210 is secure. FINRA has represented
that this requirement is necessary to address laws in some
jurisdictions that establish safeguards for personal information and
records. The Commission also notes FINRA's representation that there
are low- or no-cost ways to encrypt files and that it will help educate
its members about the process of encryption and meeting their
obligations under the rule. Although the Commission recognizes that the
proposed rule change does not mandate a specific encryption method, the
Commission believes that some flexibility is appropriate to allow for
changes in technology and for members to choose encryption methods that
meet their needs. Finally, the Commission believes that the fact that
information is produced to it in other forms, such as paper-based forms,
for which there is no comparable means of protecting the information
from unwanted disclosure, should not preclude the protection of
information that can be protected.
IV. Conclusion
It is therefore ordered, pursuant to Section 19(b)(2) of the Act,\42\
that the proposed rule change (SR-FINRA-2010-021) be, and hereby is,
approved.
---------------------------------------------------------------------------
\42\ 15 U.S.C. 78s(b)(2).
---------------------------------------------------------------------------
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\43\
---------------------------------------------------------------------------
\43\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Florence E. Harmon,
Deputy Secretary.
[FR Doc. 2010-25067 Filed 10-5-10; 8:45 am]