
Practical Tips for Cyber and Privacy Protection

The recent OCIE Risk Alert on compliance issues related to privacy and safeguard policies is notable for how basic the problems are that the SEC continues to find. The #1 most-frequent violation cited in the Alert was simply failure to provide the firm’s privacy policy initially and annually. Further, when the policy was provided, often the notice did not accurately reflect practice or written policies.

The fix? Stop right now and go confirm what your process is for delivering the privacy policy. The initial delivery should be connected to delivery of the ADV (another critical area that often gets messed up). Who is responsible for delivery? How is delivery made? How is it documented? How do you know it’s happening?

Once you know what the process is, create a workflow and provide ongoing training and testing. This is particularly critical if your firm disperses responsibility, such as by putting IARs or remote office support staff in charge of delivering disclosures.

Now actually read your policies. Is it clear they match what you do? How do your cyber policies integrate with or conflict with your privacy policy?

Here are some of the underlying issues that we think contribute to other problems noted in the Alert.

1. Not dealing with mobile device policies effectively. 

One of the biggest vulnerabilities is failure to properly secure data on mobile devices and to have clear policies (as well as automated controls) on what can be downloaded or stored on these devices. Two things we’ve seen come up are: not addressing the issue of personal device vs corporate device, and not addressing questions of exempt vs non-exempt staff.

Mobile devices must be protected by strong passwords, anti-virus and anti-malware, encryption-at-rest, and the ability to remotely wipe the device if it’s lost, stolen, or compromised. Firms that fail to implement these protections, or fail to implement them through automatic (company-maintained) controls, are asking for trouble.

The difficulty comes when you’re trying to impose these controls on employee-owned equipment. There are important issues at stake, including employee privacy and the boundaries between work and personal life. We see the primary question as whether you want to pay for a corporate device and require that all company business be conducted through that device, or whether you want to create a stair-stepped approach. For example, the company could pay a portion of the employee’s mobile bill. Ignoring the problem, though, will not make it go away.

Another consideration is whom you’re asking to do work outside of work hours. Wage and hour law is clear – non-exempt staff (and many folks are non-exempt, despite how we treat them) must be paid overtime. Addressing this issue head-on will lead you to make tough decisions about who really needs access to sensitive information outside of work hours and outside of corporate-controlled equipment. Just taking the first step of limiting access will provide some protection.

2. Not managing credentials effectively

Use a password manager and mandate implementation across the company. There are many vendors who do a great job with this, depending on your size and needs. Just do a search for “password manager” and read the reviews and feature descriptions. If you are keeping passwords on sticky notes or in an Excel spreadsheet, you will experience great suffering when those passwords are inappropriately accessed.

Beyond that, you need to know who has access to what, and you need clarity about the types of PII each employee has access to. You need to be able to provide detail quickly in response to regulatory requests and in case there’s a breach. We’ve recently started using a great and affordable software solution that provides meaningful vendor due diligence, as well as a central tracking application. It addresses several of the items found in the Alert, including training, outside vendors, PII inventory, login credentials, departed employees, and incident response plans. Give us a call or email for more information.
