New US privacy rules for asset management businesses | Practical Law

This article is part of the PLC Global Finance March 2010 e-mail update for the United States.

New US privacy rules for asset management businesses

Practical Law UK Legal Update 0-501-8599 (Approx. 3 pages)

by Nathan J. Greene, Jesse P. Kanach and Robert A. Zecher, Shearman & Sterling LLP
Published on 26 Mar 2010
USA (National/Federal)

Speedread

Investment funds, asset managers and broker-dealers have a new set of privacy directives on the horizon geared at the development of more formal, documented programmes to maintain and safeguard their customers' information. These initiatives - five of which are examined here - stem from both US Federal regulators and US States and both the new and proposed rules will apply to businesses irrespective of where they are located and (in some cases) irrespective of whether they are registered with the US Securities and Exchange Commission (SEC).
Investment funds, asset managers and broker-dealers have a new set of privacy directives on the horizon geared at the development of more formal, documented programmes to maintain and safeguard their customers' information. These initiatives – five are discussed below – stem from not only US Federal regulators but from the US States as well. Both the new and proposed rules will apply to businesses irrespective of where they are located and (in some cases) irrespective of whether they are registered with the US Securities and Exchange Commission (SEC).
The first of these developments is the SEC's adoption of Regulation S-AM – with a compliance date of 1 June 2010 – targeting information used by business affiliates. Under the final version of the regulation, securities firms and investment companies are prohibited from using specific types of information to make marketing solicitations to consumers (defined as natural person clients and fund investors) unless they fully disclose that the information may be used for marketing campaigns and the consumer has been given the opportunity to opt out. Information protected by Regulation S-AM is referred to as "eligibility information," broadly defined as information that bears on a person's creditworthiness or credit standing as well as personal identifiers such as names, addresses, and so on. In many cases, the adoption of Regulation S-AM will require covered firms to develop and distribute new privacy notices and procedures to address the expanded disclosures and opt-out rights. The final rules provide examples of privacy notices tailored to the new requirements.
Regulation S-AM expands on the rules set out in the better known Regulation S-P, which likewise has a new set of proposed rules. The Regulation S-P proposals, in limbo since 2008, primarily focus on expansion of the scope of information and parties covered under the Regulation as well as the development of documented "data breach" response protocols. The proposed rules also go further than current practice in addressing guidelines for departing employees when contacting former clients, but have not yet been adopted.
Other Regulation S-P proposals have in fact been adopted, as have parallel rules by other regulators, including privacy rules adopted by the US Federal Trade Commission (FTC) for hedge funds, private equity funds and unregistered investment advisers. As of 31 December 2010, the current guidance or safe harbour provisions related to the form and substance of privacy notices will be phased out in favour of a new standardised formulation. Although no changes in practice are required, many institutions relying on the guidance or safe harbours will be modifying their notices throughout the year.
Also drawing attention is the FTC's new "Red Flags" Rule. Starting on 1 June 2010, covered firms (defined as financial institutions offering "transaction accounts" or "creditors" (a term broad enough to include broker-dealers extending margin credit)) will have an obligation under Federal law to maintain data security measures aimed at identifying evidence of identity theft or any other irregularities in a client's account information.
Lastly, the State of Massachusetts has developed a new security directive (in effect as of 1 March 2010) related to the protection of personal information. Any entity that owns, licenses, stores, or maintains the personal information of a resident of Massachusetts – a category of businesses that will include many investment advisers, broker-dealers or investment companies having US clients, employees or investors – must develop a comprehensive written information security policy meeting an extensive laundry list of requirements. This is a sharp reminder that within the world of US privacy laws, certain State laws may avoid pre-emption by Federal laws (for example, under certain circumstances when State law provides greater protections than Federal law). Consequently, the onus falls on firms, operating nationally, to be conscious of both Federal and State rules.