Alternative Capital Market Insights | WealthForge

Lessons from Facebook’s Follies: Are you Doing Enough to Protect your Investors’ Privacy?

Written by Tim Boykin | April 16, 2018

As you’ve probably seen, Facebook has recently been in the news for all the wrong reasons. Facebook’s CEO, Mark Zuckerberg, has been grilled by Congress regarding the privacy and protection of user data at the company. Facebook’s stock is plummeting and the Federal Trade Commission has stated that Facebook is under investigation.


Facebook’s Privacy Problems

Even as this post is written, more facts are coming to light on the extent of the breach of its user’s data. Most of these facts are not flattering. 

At a high level, two of the main issues the media has highlighted about Facebook’s privacy practices relate to:

  • Inappropriate access to user information via Facebook-provided tools. Hackers used Facebooks search functionality to scrape information about users, allowing bad actors to compile a more holistic profile on Facebook users for identity theft targets.

 

How this Relates to Your Business

Users' privacy concerns about Facebook as a networking service may seem different from the concerns of those participating in the private capital markets. However, there is fundamental similarity between Facebook’s social media users' data and the investor information an issuer or financial intermediary uses and maintains: privacy rights. As discussed in a previous post, privacy relates to an individual’s right to have third parties protect their information.

There are two types of third parties your company should be wary of:

  • Known third parties – Third-party vendors are an often necessary, but nevertheless important to consider, risk of doing business. This is particularly true with an increasing amount of data sharing between a business and its vendors through technology applications. Indeed, many vendors, by design, store, access, and manipulate data, including your investor’s personally-identifiable information (PII). As a concrete example, almost all those in the capital raising world have some kind of software system to store investor information. Gone are the days of a literal physical rolodex. But knowing what data those third parties access and how they use that data is essential. Mark Zuckerberg said during his testimony before Congress that most people don’t read Facebook’s full terms of service. That is not a risk you can take when dealing with sensitive company data.

    Do you know what limits your CRM system or investor data system has on turning around and subsequently using “your” data and that of your investors?

    Do you know what security protocols your vendors have in place to protect PII and other information?

    What diligence do you perform on key vendors? What is your process for determining that your vendors are doing what they commit to doing with regards to privacy protection?

    Have you even identified where your data is and what third parties might have access to it?
  • Outside Bad Actors – In addition to the vendors you choose to work with, you also must be on the lookout for third-parties accessing your data without your consent. Your systems and those of your vendors may not have a built-in search functionality for the outside world to use (and misuse), but financial criminals have become increasingly sophisticated over the past few years. Gone are the days of typo-and-CAPITAL-LETTER-infused requests for your banking information to collect your inheritance from a third-world prince. People – in some cases, professionals on behalf of hostile nation-states – are out there looking for information on unsecure networks and from people without proper security processes in place.

These concerns matter to you, because whether you realize it or not, state breach notification laws apply to you. You have a legal duty to protect investor information and, in fact, may have 50 or more legal duties in the event of a breach. The U.S. currently lags behind the rest of the world as far as comprehensive laws and regulation at the federal level. As Congress’ reaction to Facebook highlights, that may be changing sooner than later.

Your exposure is not limited to U.S. and state laws. Internationally, each country can have its own laws to protect its citizens. For example, there are enhanced requirements, called the General Data Protection Regulation (GDPR), coming into effect in May for those who maintain data of European Union residents. Each country outside of the EU may have its own regulations. To be clear, a vendor’s data breach may trigger obligations for you.

 

Broker-Dealers have heightened regulatory requirements

If you have investors, you need data to simply maintain the relationship. For example, you have to know addresses to send K-1s at the end of each tax year.  There is heightened risk associated with the financial and personal information transferred and stored relating to a specific investment transaction at the “point of sale.” Broker-dealers have parallel heightened security regulatory requirements for handling investor information.

At a baseline, broker-dealers must comply with Reg S-P, which provides for notice requirements and disclosure limits for PII.[1] Broker-dealers must also have procedures in place to safeguard information about investors and prospective investors, including PII.

FINRA, generally a broker-dealer’s most direct regulator for financial practices, has ramped up its interest on cybersecurity of its member firms. FINRA has noted cyber-specific areas for broker-dealers to focus on, including access management, vendor management, and data loss prevention. FINRA prescribes parameters regarding ongoing assessments for cybersecurity risks as a whole. The SEC has also recently issued cybersecurity-specific guidance for public companies.[2] States – most notably, New York – have issued cybersecurity regulations specifically applying to the financial sector.[3]

While some of these rules do not apply to all industry participants, the pervasive nature of cybersecurity is invading the operations of regulated entities – in a good way. This focus is progress in the right direction as far as protecting individual data rights. At a minimum, your financial service provider should be willing to have an open conversation about the steps they are taking to address cyber risks.  

 

Is your investor data secure?

This article only scratches the surface of privacy issues facing Facebook privacy and cybersecurity topics overall. A company’s understanding of who has access to its data, whether intended or not, is paramount to an appropriate cybersecurity posture. This is especially important when you hold investor PII, which will apply in some form to all issuers successfully raising capital. An issuer cannot transfer this obligation for information it keeps after its sale of securities. Still, a broker-dealer cognizant of these issues should help mitigate the risk of an investor data breach during the capital raising process.

These issues are not going away. In light of the hearings on Capitol Hill, there is a renewed focus on individual privacy in the U.S. – perhaps with the most widespread societal impact since the technology and internet boom of the 1990s. While we may not adopt the relatively strict rules as in the E.U. and other parts of the world, it does feel that there will be a shift towards individual privacy protections. This means heightened scrutiny on requirements for participants in the financial industry and those raising capital, whether regulated or not. At a baseline, this warrants a deep dive into your internal policies, as well as all those outside parties with whom you entrust with your data and the data of your investors. If these basic obligations are ignored, a U.S. or even foreign government agency may soon be knocking on your door asking questions.

 

[1] Procedures to Safeguard Customer Records and Information; Disposal of Consumer Report Information, 17 C.F.R. 248.30.

[2] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Nos. 33-10459; 34-82746, 17 C.F.R. 229, 249 (Feb. 26, 2018).

[3] Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500.