SEC Approves Amendments to FINRA Rule 8210 to Require Encryption of Information Provided Via Portable Media Device
Encryption of Rule 8210 Information
Regulatory Notice
Notice Type: Rule Amendment
Referenced Rules & Notices: FINRA Rule 8210
Suggested Routing: Compliance, Legal, Operations, Senior Management
Key Topics: Encryption, Investigations
Executive Summary
Beginning December 29, 2010, information provided via a portable media device in response to requests under FINRA Rule 8210 must be encrypted.
The text of FINRA Rule 8210, as amended, is set forth in Attachment A.
Questions regarding this Notice should be directed to:
Background and Discussion
The SEC recently approved amendments to FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books) that require information provided via a portable media device pursuant to a request under the rule be encrypted, as described in more detail below.[1] These amendments take effect on December 29, 2010.
FINRA Rule 8210 confers on FINRA staff the authority to compel a member firm, person associated with a member firm or other person over which FINRA has jurisdiction, to produce documents, provide testimony or supply written responses or electronic data in connection with an investigation, complaint, examination or adjudicatory proceeding.[2] FINRA Rule 8210(c) provides that a firm's or person's failure to provide information or testimony or to permit an inspection and copying of books, records or accounts is a violation of the rule.
Member firms and persons responding to requests pursuant to FINRA Rule 8210 frequently provide information in electronic format. Because of the size of the electronic files, this information is often delivered on a portable media device such as a CD-ROM, DVD or portable hard drive.[3] In many instances, the response contains personal information that, if accessed by an unauthorized person, could be used inappropriately.[4]
Data security issues regarding personal information have become increasingly important in recent years.[5] In this regard, FINRA believes that requiring persons to encrypt information on portable media devices provided to FINRA in response to Rule 8210 requests will help ensure that personal information is protected from improper use by unauthorized third parties.
As amended, the rule requires that when information responsive to a request pursuant to Rule 8210 is provided on a portable media device, it must be "encrypted"—i.e., the data must be encoded into a form in which meaning cannot be assigned without the use of a confidential process or key. To help ensure that encrypted information is secure, persons providing encrypted information to FINRA via a portable media device are required:
Currently, FINRA views industry standards for strong encryption to be 256-bit or higher encryption. Encryption software meeting this standard is widely available as embedded options in desktop applications and through various vendors via the Internet at no cost or minimal cost to the user.
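The Notice states its threshold as a key length. What a practitioner actually needs behind that number is a sound construction around the key: an authenticated mode so a modified or truncated file is rejected rather than silently decrypted to garbage, a key drawn from the operating system's random source rather than derived from a short passphrase, and delivery of the key by a channel separate from the device. The following Go program is an added example written for this page; it is not FINRA's code and the Notice prescribes no particular tool. The helper name WriteDeliverable, the file names response.enc and key.hex, and the sample CSV are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// KeyLen is 32 bytes: a 256-bit AES key, the "256-bit or higher" figure the Notice cites.
const KeyLen = 32

// GenerateKey draws a fresh 256-bit key from the operating system's CSPRNG.
// A random key (not a short passphrase) is what gives the 256-bit figure its meaning.
func GenerateKey() ([]byte, error) {
	key := make([]byte, KeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM enforces the AES-256 key size and builds the authenticated cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyLen {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext || 16-byte tag.
// GCM authenticates the data, so tampering is detected at decryption time.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving the nonce||ct||tag layout.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it returns an error on a wrong key or on any modification.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// WriteDeliverable (hypothetical helper) writes what goes on the device (response.enc) and,
// to a different path, what is conveyed separately (key.hex). Keeping the key off the media
// is the point: a lost device then exposes only ciphertext.
func WriteDeliverable(mediaDir, keyPath string, plaintext []byte) error {
	key, err := GenerateKey()
	if err != nil {
		return err
	}
	blob, err := Encrypt(key, plaintext)
	if err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(mediaDir, "response.enc"), blob, 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyPath, []byte(hex.EncodeToString(key)), 0o600)
}

func main() {
	// Constructed sample standing in for a Rule 8210 response; not real data.
	sample := []byte("account,owner\n12345678,J. Doe\n")

	media, err := os.MkdirTemp("", "media")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(media)
	keyPath := filepath.Join(os.TempDir(), "rule8210-key.hex")
	defer os.Remove(keyPath)

	if err := WriteDeliverable(media, keyPath, sample); err != nil {
		panic(err)
	}
	blob, _ := os.ReadFile(filepath.Join(media, "response.enc"))
	keyHex, _ := os.ReadFile(keyPath)
	key, _ := hex.DecodeString(string(keyHex))

	plain, err := Decrypt(key, blob)
	fmt.Printf("decrypted with separately delivered key: %q (err=%v)\n", plain, err)

	blob[len(blob)-1] ^= 1 // flip one bit of the authentication tag
	_, err = Decrypt(key, blob)
	fmt.Printf("tampered file rejected: %v\n", err != nil)
}
```

The key length is the least interesting part of this: AES-128 in an authenticated mode with a random key is not what fails in practice, whereas AES-256 applied to a file with a six-character password is. If a packaged tool (an AES-256 ZIP or an office-suite document password) is used instead, the "256-bit" figure only holds when the passphrase has comparable entropy and the tool stretches it with a proper key-derivation function; the passphrase must still travel separately from the device.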
[1] See Exchange Act Release No. 63016 (Sept. 29, 2010), 75 FR 61793 (Oct. 6, 2010) (Order Approving Proposed Rule Change; File No. SR-FINRA-2010-021).
[2] The rule applies to all member firms, associated persons and other persons over which FINRA has jurisdiction, including former associated persons subject to FINRA's jurisdiction as described in the FINRA By-Laws. See FINRA By-Laws, Article V, Section 4(a) (Retention of Jurisdiction).
[3] The amended rule defines "portable media device" as a storage device for electronic information, including but not limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop computer, disc, diskette or any other portable device for storing and transporting electronic information.
[4] For example, a response may include a person's first and last name, or first initial and last name, in combination with that person's: (1) social security number; (2) driver's license, passport or government-issued identification number; or (3) financial account number (including, but not limited to, the number of a brokerage account, debit card, credit card, checking account or savings account).
[5] For example, some jurisdictions, including Massachusetts and Nevada, have recently enacted legislation that establishes minimum standards to safeguard personal information in electronic records. See, e.g., Commonwealth of Massachusetts, 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), effective March 1, 2010; State of Nevada, NRS 603A.215 (Security Measures for Data Collector that Accepts Payment Card; Use of Encryption; Liability for Damages; Applicability), effective January 1, 2010. These laws contain potential penalties against persons and entities for failures to adequately safeguard electronic information containing personal information.
ATTACHMENT A
New language is underlined.
* * * * *
8200. INVESTIGATIONS
8210. Provision of Information and Testimony and Inspection and Copying of Books