Consistent with requirements under the Gramm-Leach-Bliley Act (GLBA) and regulations adopted by the Commodity Futures Trading Commission (CFTC) and other federal regulators, on Feb. 27, 2014, the CFTC issued an advisory outlining data privacy and information security safeguards for futures commission merchants, commodity trading advisers, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers and major swap participants (Covered Entities). The GLBA and CFTC regulations require that Covered Entities “must adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” As outlined under CFTC regulations, Covered Entities must have written policies and procedures that:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of such records; and
- Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
The advisory further sets forth recommended best practices to maximize customer information security. First, each Covered Entity must develop, implement and maintain a written information security and privacy program that is appropriate to its size and complexity and the nature and scope of its activities. At a minimum this information security and privacy program should designate a specific employee with privacy and security management oversight responsibilities who will develop a strategic plan for implementing the required controls. This employee must be part of, or report directly to, senior management or the board of directors, and should designate employee(s) to coordinate, implement and regularly assess the effectiveness of the program.
Assessment is also important. The advisory recommends that specific internal employees should be designated to perform routine assessments on the security and privacy program. Reasonably foreseeable internal and external risks to security, confidentiality and integrity of personal information should be identified in writing. Thereafter, Covered Entities should design and implement procedures to minimize these risks and maintain a written record of the procedures.
Of course, systems only work as well as the people who use them. The CFTC advisory recommends that Covered Entities should train staff to implement privacy and security programs. The Covered Entity should also provide refresher training and regularly test and maintain system safeguards and controls. At least once every two years, an independent party should test and monitor the safeguards’ controls, systems, policies and procedures.
If third-party service providers have access to customer records and information, Covered Entities must oversee such service providers and take reasonable steps to select and retain vendors capable of maintaining appropriate safeguards. Covered Entities should contractually require service providers to implement and maintain appropriate safeguards.
To maximize the effectiveness of any security and privacy program, it must be routinely evaluated and adjusted. The CFTC recommends adjusting the security program if weaknesses are identified in light of risk assessment processes, relevant changes in technology or business processes, any material changes in operations and business processes, or any other circumstance that would reasonably impact the program.
The CFTC’s attention to data privacy and information security programs is in keeping with federal regulators nationwide. Recent unauthorized intrusions into payment systems, banks and other businesses have heightened the awareness around data privacy and information security.
A copy of the CFTC’s release outlining GLBA security safeguards is available here.
Please contact your regular McGuireWoods attorney or one of the authors with any questions regarding the data privacy and information security or CFTC regulations.