This article was originally published in the NSCP Currents May 2020 publication.
Compliance officers routinely build and maintain compliance programs to protect confidential information related to covered securities accounts and investments, as required under applicable U.S. federal laws, rules and regulations [1] (“investment laws”). Arguably, these efforts, including the mandated code of ethics, establish a clear standard to guard against misuse of such coveted information (“investment data”). This article explores the case for considering a similarly clear standard for consumer information, company proprietary information, security information and other confidential information (“privacy data”) traditionally covered by targeted privacy programs and legal liability mitigants such as written privacy, cybersecurity and information policies and procedures, training, assessments, non-disclosure agreements and contractual obligations. This type of confidential information is the subject of an evolving and somewhat converging body of federal and state privacy and cybersecurity-related laws, rules and regulations [2] (“privacy laws”), and of efforts by state attorney general offices and federal regulators [3] to combat unfair or deceptive trade practices and prosecute violations of privacy laws. We consider whether adoption of a code of data ethics could lead to more effective, efficient and impactful compliance with privacy laws and protection of valuable privacy data.
1. What is a Code of Data Ethics?
Sets a Tone: A code of data ethics can be used to communicate company-wide cultural and governance standards. With a commitment to such a standard, the compliance officer and the related team of privacy officer, Chief Information Security Officer (“CISO”) and/or risk officer (“compliance team”) can more effectively set the tone for use of privacy data, which is increasingly necessary as they grapple with data questions related to complex technology. To understand compliance with privacy laws and the adequacy of the compliance program, it is not uncommon for compliance officers to address questions about development of a technology platform, launch of a new digital product or a new marketing and business development tool, and/or use of artificial intelligence, machine learning and biometrics. In the same way that governance and culture are crucial to support an adequate compliance program for investment data, arguably that same strategic approach is needed to support adequate compliance controls for privacy data. Both types of information are of bottom-line value to the company and need priority protection and, in both cases, it is difficult to incentivize employees and others to act as though they are accountable for protecting the data. We believe compliance officers and the programs they administer should cover both types of data by clearly setting expectations designed to drive desired behavior. This will enable the compliance team to reasonably rely on management and employees to use good business judgment, promptly escalate issues and collaborate to align the compliance program in a dynamic business environment.
By way of example, many compliance programs adopt an investment code of ethics to strategically address insider trading risks and mitigate exposure to misuse of information by third parties such as temporary outsiders and tippees [4] because, among other things, a compliance officer faces challenges controlling the flow and use of the firm’s investment data in compliance with investment laws. Likewise, a code of data ethics could be used by compliance teams to more effectively manage the challenge of adequately controlling access to and use of privacy data in adherence with privacy laws. The challenge of controlling behavior is similar. In the case of privacy data, the compliance team does not typically have the expertise, authority and resources to control this vast and mutable data, including its use across the company and by a network of strategic partners and third-party vendors. In sum, a code of data ethics is more strategic: it helps increase engagement and accountability across an organization, something a compliance officer, without the support of a company standard, will struggle to achieve.
2. Why Align Privacy and Investment Efforts?
Harness Efficiencies to Do a Better Job: There are at least three potential benefits to aligning data privacy and other compliance efforts. Each involves deploying compliance resources more efficiently, so compliance officers have more time to proactively address priority matters at their companies.
- 1. An aligned approach can help eliminate silos that lead to inefficient risk monitoring and mitigation, and instead treat protection of privacy data as an enterprise risk. Investment data is subject to a code in part because of precedent that deems failure to protect it an enterprise risk. Without that precedent, the compliance team will need to share the research that shows data protection is a systemic risk and then advocate why it should be mitigated as a strategic priority. [5] Additionally, the compliance officer could present to senior management, and to a board if appropriate, a comparison of the risk of non-compliance with privacy laws and with investment laws. It is reasonable to consider that failure to escalate and resolve compliance gaps creates commensurate reputational, regulatory enforcement and legal risks.
- 2. An aligned approach can also help minimize confusion among employees about the importance of their role in protecting privacy data. A code of data ethics could be an efficient method to minimize unintentional data breaches. Research shows that employee access to and use of privacy data is a major risk and potential cause of data breaches. [6] A code of data ethics will more clearly communicate that employees are stakeholders who are accountable for protecting privacy data.
- 3. Alignment will help facilitate complete and accurate regulatory reporting, board reporting and third-party due diligence about the company’s data protection and privacy controls. This approach will elevate the discussion of the treatment of privacy data and promote more natural coordination among the CISO, Chief Compliance Officer (“CCO”) and Chief Technology Officer (“CTO”) for such reports and certifications.
3. How To Implement a Code of Data Ethics
Keep it Simple. Start a Conversation: To consider making a change within a compliance program, it will be important to build a company-specific case for heightened attention to data ethics governance and culture. The need for a more strategic approach could be based on the need to make more of an impact with current budgeted, or decreased, resources. For example, compliance officers could consider recent experiences, such as those below, to support needed change:
- Has your company had a recent data breach or an increase in data incidents, such that self-reporting is more of a priority to ensure those incidents are promptly handled? A code is a foundation for incentivizing employees to self-report and for deterring willful blindness. The benefit of a code is apparent in the investment compliance arena because investment data is subject to whistleblower reporting. Likewise, a compliance officer could draw the analogy that privacy data is similarly subject to whistleblower and breach reporting protocols.
- To facilitate global and interstate business, is your company tracking regulatory changes such as CCPA and other state laws and finding it too risky and/or complicated without a strategic approach to data privacy? A code of data ethics could establish a framework that allows the company to be more agile as it focuses on business stability, development and digital marketing campaigns while adjusting to new privacy laws.

A code of data ethics can be implemented as a stand-alone document or as a new section of the current code of ethics or code of conduct. Regardless of the end result, this is an opportunity for compliance officers to lead a strategic discussion about the need to identify enterprise data risks and protect privacy data, and to present an innovative idea about how to deliver a more effective, efficient and impactful return on investment for data privacy and compliance resources.
1. For example, Rule 17j-1 and Rule 38a-1 under the Investment Company Act of 1940, as amended (“1940 Act”); section 15(f) of the Securities Exchange Act of 1934 (“Exchange Act”); FINRA Rule 3210; NFA Compliance Rule 2-36; section 204A of the Investment Advisers Act of 1940 and Rule 204A-1 and Rule 206(4) thereunder (“Advisers Act”); and the Insider Trading and Securities Fraud Enforcement Act of 1988 (“ITSFEA”).
2. For example, the Gramm-Leach-Bliley Act (“GLB”), Section 5 of the Federal Trade Commission (“FTC”) Act, California Consumer Privacy Act (“CCPA”), NY SHIELD Act, Department of Financial Services New York Cybersecurity Requirements: 23 NYCRR 500; SEC and FINRA rules, regulations and guidance for compliance programs related to SEC Regulation S-ID: Identity Theft Red Flags (“Red Flags Rule”).
3. See more information about FTC enforcement – https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act; Important SEC notices include the following: Risk Alert: Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features; Risk Alert: Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies; Risk Alert: Observations from Cybersecurity Examinations; Risk Alert: OCIE’s 2015 Cybersecurity Examination Initiative; Risk Alert: Cybersecurity Examination Sweep Summary.
4. See Dirks v. SEC, 463 U.S. 646, 655 n.14 (1983): temporary outsiders such as underwriters, lawyers, accountants and consultants are covered by the code; Chiarella v. United States, 445 U.S. 222 (1980). Recipients of investment data from corporate insiders who do not owe a fiduciary duty (known as “tippees”) are covered as well.
5. https://advisory.kpmg.us/articles/2019/ten-key-challenges-2020.html; https://www.nist.gov/system/files/documents/2017/06/05/privengworkshop_preso.pdf; https://www.cisco.com/c/dam/en/us/products/collateral/security/2020-data-privacy-cybersecurity-series-jan-2020.pdf.
7. Many companies voluntarily adhere to, or are required by contract to comply with, cybersecurity requirements such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (www.nist.gov/cyberframework). The NIST Cybersecurity Framework provides voluntary cybersecurity standards for protecting company computer networks owned or operated by critical infrastructure entities. The Framework is divided into three parts: Framework Core, Implementation Tiers and Framework Profile. The Framework Core is designed to identify key cybersecurity activities common across all critical infrastructure networks. These are activities that companies should address when creating programs to protect critical computer systems, and they identify best practices for communicating risks throughout an organization. Specifically, the Framework Core consists of five functions designed to provide company decision-makers with a strategic view of cybersecurity risk management: identify, protect, detect, respond and recover. Source: Cybersecurity (United States), 06/18/2019, by Benjamin A. Powell, Jason C. Chipman, Leah Schloss and Maury Riggan, Wilmer Cutler Pickering Hale and Dorr LLP.