One of the most common things we discuss with clients is the need to ensure that privacy policies accurately reflect the actual procedures in place for handling confidential information. The SEC reiterated that point last week in a Risk Alert that encouraged SEC-registered companies to review their written policies and procedures to ensure adequate implementation and compliance with the law. In the Risk Alert, the Office of Compliance Inspections and Examinations (“OCIE”) published a list of issues under Regulation S-P (the privacy rule) it has seen in the context of exams.
The Risk Alert identifies the following common deficiencies:
- Privacy and Opt-Out Notices: Many companies have failed to provide the necessary notices, and even when notices are provided, they do not accurately reflect the company’s policies and procedures.
- Lack of Policies and Procedures: Some companies simply do not have in place all policies and procedures that are necessary to be in compliance with Regulation S-P. For example, OCIE has encountered companies that purport to adopt the Safeguards Rule but have no documented procedures related to administrative, technical and physical safeguards.
- Policies Not Implemented or Reasonably Designed to Safeguard Information: Some of the written policies that are in place are not actually suited to accomplish the stated goal – namely, safeguarding sensitive information. OCIE has seen inadequacies related to the handling of personal information on personal devices, electronic communications, unsecure networks, and outside vendors. OCIE also has encountered inadequate training and monitoring policies, incomplete incident response plans, and various other protocols that put sensitive information at risk.
Entities registered with the SEC should take this opportunity – while they are (hopefully) outside the spotlight of a regulatory exam – to revisit their policies and procedures to ensure that they accurately reflect the protocols in place and comply with Regulation S-P. This sort of preventative analysis could help companies avoid charges of violating Regulation S-P in the future.