Regulatory Notice 10-59

SEC Approves Amendments to FINRA Rule 8210 to Require Encryption of Information Provided Via Portable Media Device

Effective Date: December 29, 2010

Encryption of Rule 8210 Information

Regulatory Notice
Notice Type: Rule Amendment
Referenced Rules & Notices: FINRA Rule 8210
Suggested Routing: Compliance; Legal; Operations; Senior Management
Key Topics: Encryption; Investigations

Executive Summary

Beginning December 29, 2010, information provided via a portable media device in response to requests under FINRA Rule 8210 must be encrypted.

The text of FINRA Rule 8210, as amended, is set forth in Attachment A.

Questions regarding this Notice should be directed to:

•   Emily Gordy, Senior Vice President and Director of Policy, Enforcement, at (202) 974-2916;
•   Laurie Dzien, Chief Privacy Officer and Associate General Counsel, Data Privacy & Protection, Office of General Counsel (OGC), at (240) 386-6339; or
•   Stan Macel, Assistant General Counsel, OGC, at (202) 728-8056.

Background and Discussion

The SEC recently approved amendments to FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books) that require that information provided via a portable media device pursuant to a request under the rule be encrypted, as described in more detail below.[1] These amendments take effect on December 29, 2010.

FINRA Rule 8210 confers on FINRA staff the authority to compel a member firm, person associated with a member firm or other person over which FINRA has jurisdiction, to produce documents, provide testimony or supply written responses or electronic data in connection with an investigation, complaint, examination or adjudicatory proceeding.[2] FINRA Rule 8210(c) provides that a firm's or person's failure to provide information or testimony or to permit an inspection and copying of books, records or accounts is a violation of the rule.

Frequently, member firms and persons that respond to requests pursuant to FINRA Rule 8210 provide information in electronic format. Because of the size of the electronic files, this information is often delivered on a portable media device such as a CD-ROM, DVD or portable hard drive.[3] In many instances, the response contains personal information that, if accessed by an unauthorized person, could be used inappropriately.[4]

Data security issues regarding personal information have become increasingly important in recent years.[5] In this regard, FINRA believes that requiring persons to encrypt information on portable media devices provided to FINRA in response to Rule 8210 requests will help ensure that personal information is protected from improper use by unauthorized third parties.

As amended, the rule requires that when information responsive to a request pursuant to Rule 8210 is provided on a portable media device, it must be "encrypted"—i.e., the data must be encoded into a form in which meaning cannot be assigned without the use of a confidential process or key. To help ensure that encrypted information is secure, persons providing encrypted information to FINRA via a portable media device are required:

(1) to use an encryption method that meets industry standards for strong encryption; and
(2) to provide FINRA staff with the confidential process or key regarding the encryption in a communication separate from the encrypted information itself (e.g., a separate email, fax or letter).

Currently, FINRA views industry standards for strong encryption to be 256-bit or higher encryption. Encryption software meeting this standard is widely available as embedded options in desktop applications and through various vendors via the Internet at no cost or minimal cost to the user.


[1] See Exchange Act Release No. 63016 (Sept. 29, 2010), 75 FR 61793 (Oct. 6, 2010) (Order Approving Proposed Rule Change; File No. SR-FINRA-2010-021).

[2] The rule applies to all member firms, associated persons and other persons over which FINRA has jurisdiction, including former associated persons subject to FINRA's jurisdiction as described in the FINRA By-Laws. See FINRA By-Laws, Article V, Section 4(a) (Retention of Jurisdiction).

[3] The amended rule defines "portable media device" as a storage device for electronic information, including but not limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop computer, disc, diskette or any other portable device for storing and transporting electronic information.

[4] For example, a response may include a person's first and last name, or first initial and last name, in combination with that person's: (1) social security number; (2) driver's license, passport or government-issued identification number; or (3) financial account number (including, but not limited to, the number of a brokerage account, debit card, credit card, checking account or savings account).

[5] For example, some jurisdictions, including Massachusetts and Nevada, have recently enacted legislation that establishes minimum standards to safeguard personal information in electronic records. See, e.g., Commonwealth of Massachusetts, 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), effective March 1, 2010; State of Nevada, NRS 603A.215 (Security Measures for Data Collector that Accepts Payment Card; Use of Encryption; Liability for Damages; Applicability), effective January 1, 2010. These laws provide for potential penalties against persons and entities that fail to adequately safeguard electronic records containing personal information.


ATTACHMENT A

New language is underlined in the original. Paragraphs (a) through (f) are unchanged; paragraph (g) below is the new text.

* * * * *

8200. INVESTIGATIONS

8210. Provision of Information and Testimony and Inspection and Copying of Books

(a) through (f) No Change.
(g) Encryption of Information Provided in Electronic Form
(1) Any member or person who, in response to a request pursuant to this Rule, provides the requested information on a portable media device must ensure that such information is encrypted.
(2) For purposes of this Rule, a "portable media device" is a storage device for electronic information, including but not limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop computer, disc, diskette, or any other portable device for storing and transporting electronic information.
(3) For purposes of this Rule, "encrypted" means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key. To ensure that encrypted information is secure, a member or person providing encrypted information to FINRA staff pursuant to this Rule shall (a) use an encryption method that meets industry standards for strong encryption, and (b) provide the confidential process or key regarding the encryption to FINRA staff in a communication separate from the encrypted information itself.