
[Federal Register: June 25, 2010 (Volume 75, Number 122)]
[Notices]               
[Page 36461-36463]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr25jn10-108]                         

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-62318; File No. SR-FINRA-2010-021]

 
Self-Regulatory Organizations; Financial Industry Regulatory 
Authority, Inc.; Notice of Filing of Proposed Rule Change To Amend 
FINRA Rule 8210 To Require Information Provided via Portable Media 
Device Be Encrypted

June 17, 2010.
    Pursuant to section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act'') \1\ and rule 19b-4 thereunder,\2\ notice is hereby given that 
on June 2, 2010, Financial Industry Regulatory Authority, Inc. 
(``FINRA'') filed with the Securities and Exchange Commission (``SEC'' 
or ``Commission'') the proposed rule change as described in Items I, 
II, and III below, which Items have been prepared by FINRA. The 
Commission is publishing this notice to solicit comments on the 
proposed rule change from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------

I. Self-Regulatory Organization's Statement of the Terms of Substance 
of the Proposed Rule Change

    FINRA is proposing to amend FINRA Rule 8210 to require that 
information provided via portable media device pursuant to a request 
under the rule be encrypted.
    The text of the proposed rule change is available on FINRA's Web 
site at http://www.finra.org, at the principal office of FINRA and at 
the Commission's Public Reference Room.

II. Self-Regulatory Organization's Statement of the Purpose of, and 
Statutory Basis for, the Proposed Rule Change

    In its filing with the Commission, FINRA included statements 
concerning the purpose of and basis for the proposed rule change and 
discussed any comments it received on the proposed rule change. The 
text of these statements may be examined at the places specified in 
Item IV below. FINRA has prepared summaries, set forth in sections A, 
B, and C below, of the most significant aspects of such statements.

A. Self-Regulatory Organization's Statement of the Purpose of, and 
Statutory Basis for, the Proposed Rule Change

1. Purpose
    FINRA Rule 8210 (Provision of Information and Testimony and 
Inspection and Copying of Books) confers on FINRA staff the authority 
to compel a member, person associated with a member, or other person 
over whom FINRA has jurisdiction, to produce documents, provide 
testimony, or supply written responses or electronic data in connection 
with an investigation, complaint, examination or adjudicatory 
proceeding. The rule applies to all members, associated persons, and 
other persons over which FINRA has jurisdiction, including former 
associated persons subject to FINRA's jurisdiction as described in the 
FINRA By-Laws.\3\ FINRA Rule 8210(c) provides that a member's or 
person's failure to provide information or testimony or to permit an 
inspection and copying of books, records, or accounts is a violation of 
the rule.
---------------------------------------------------------------------------

    \3\ See FINRA By-Laws, Article V, Section 4(a) (Retention of 
Jurisdiction).
---------------------------------------------------------------------------

    FINRA is proposing to amend FINRA Rule 8210 to require that 
information provided via a portable media device pursuant to a request 
under the rule be encrypted, as discussed further below.

[[Page 36462]]

Requiring such information to be encrypted will help ensure that such 
information, which in many instances includes individuals' personal 
information, is protected from unauthorized or other improper use.\4\
---------------------------------------------------------------------------

    \4\ FINRA has emphasized that its members have an obligation 
under existing laws to protect confidential customer records and 
information pursuant to the requirements of SEC Regulation S-P. See, 
e.g., Notice to Members 05-49 (Safeguarding Confidential Customer 
Information).
---------------------------------------------------------------------------

    Frequently, members and persons that respond to requests pursuant 
to FINRA Rule 8210 provide information in electronic format. Because of 
the size of the electronic files, persons often provide information in 
electronic format using a portable media device such as a CD-ROM, DVD 
or portable hard drive.\5\ In many instances, the response contains 
personal information that, if accessed by an unauthorized person, could 
be used inappropriately. For example, a response may include a person's 
first and last name, or first initial and last name, in combination 
with that person's: (1) Social security number; (2) driver's license, 
passport or government-issued identification number; or (3) financial 
account number (including but not limited to number of a brokerage 
account, debit card, credit card, checking account, or savings 
account). If such personal information were to be intercepted by an 
unauthorized third party, it could be used improperly.
---------------------------------------------------------------------------

    \5\ The proposed rule change defines ``portable media device'' 
as a storage device for electronic information, including but not 
limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop 
computer, disc, diskette, or any other portable device for storing 
and transporting electronic information.
---------------------------------------------------------------------------

    Data security issues regarding personal information have become 
increasingly important in recent years.\6\ In this regard, FINRA 
believes that requiring persons to encrypt information on portable 
media devices provided to FINRA in response to FINRA Rule 8210 requests 
will help ensure that personal information is protected from improper 
use by unauthorized third parties.
---------------------------------------------------------------------------

    \6\ For example, some jurisdictions, including Massachusetts and 
Nevada, have recently enacted legislation that establishes minimum 
standards to safeguard personal information in electronic records. 
See, e.g., Commonwealth of Massachusetts, 201 CMR 17.00 (Standards 
for the Protection of Personal Information of Residents of the 
Commonwealth), effective March 1, 2010; State of Nevada, NRS 
603A.215 (Security Measures for Data Collector that Accepts Payment 
Card; Use of Encryption; Liability for Damages; Applicability), 
effective January 1, 2010. These laws contain potential penalties 
against persons and entities for failures to adequately safeguard 
electronic information containing personal information.
---------------------------------------------------------------------------

    The proposed rule change would require that responding information 
from a portable media device must be ``encrypted'', i.e., the data must 
be encoded into a form in which meaning cannot be assigned without the 
use of a confidential process or key. To help ensure that encrypted 
information is secure, persons providing encrypted information to FINRA 
via a portable media device would be required: (1) To use an encryption 
method that meets industry standards for strong encryption; and (2) to 
provide FINRA staff with the confidential process or key regarding the 
encryption in a communication separate from the encrypted information 
itself (e.g., a separate e-mail, fax or letter).
    FINRA will announce the effective date of the proposed rule change 
in a regulatory notice to be published no later than 60 days following 
Commission approval. The effective date will be 30 days following 
publication of the regulatory notice announcing Commission approval.
2. Statutory Basis
    FINRA believes that the proposed rule change is consistent with the 
provisions of section 15A(b)(6) of the Act,\7\ which requires, among 
other things, that FINRA rules must be designed to prevent fraudulent 
and manipulative acts and practices, to promote just and equitable 
principles of trade, and, in general, to protect investors and the 
public interest. FINRA believes that the proposed rule change will help 
ensure that personal information provided in response to a request 
under FINRA Rule 8210 via a portable media device is protected from 
improper use by unauthorized third parties. Thus, FINRA believes the 
proposed rule change will help protect investors consistent with the 
statutory provisions noted above.
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 78o-3(b)(6).
---------------------------------------------------------------------------

B. Self-Regulatory Organization's Statement on Burden on Competition

    FINRA does not believe that the proposed rule change will result in 
any burden on competition that is not necessary or appropriate in 
furtherance of the purposes of the Act.

C. Self-Regulatory Organization's Statement on Comments on the Proposed 
Rule Change Received From Members, Participants, or Others

    Written comments were neither solicited nor received.

III. Date of Effectiveness of the Proposed Rule Change and Timing for 
Commission Action

    Within 35 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission may 
designate up to 90 days of such date if it finds such longer period to 
be appropriate and publishes its reasons for so finding or (ii) as to 
which the self-regulatory organization consents, the Commission will:
    (A) By order approve such proposed rule change, or
    (B) Institute proceedings to determine whether the proposed rule 
change should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views, and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's Internet comment form (http://
www.sec.gov/rules/sro.shtml); or
     Send an e-mail to rule-comments@sec.gov. Please include 
File Number SR-FINRA-2010-021 on the subject line.

Paper Comments

     Send paper comments in triplicate to Elizabeth M. Murphy, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

All submissions should refer to File Number SR-FINRA-2010-021. This 
file number should be included on the subject line if e-mail is used. 
To help the Commission process and review your comments more 
efficiently, please use only one method. The Commission will post all 
comments on the Commission's Internet Web site (http://www.sec.gov/
rules/sro.shtml). Copies of the submission, all subsequent amendments, 
all written statements with respect to the proposed rule change that 
are filed with the Commission, and all written communications relating 
to the proposed rule change between the Commission and any person, 
other than those that may be withheld from the public in accordance 
with the provisions of 5 U.S.C. 552, will be available for Web site 
viewing and printing in the Commission's Public Reference Room, 100 F 
Street, NE., Washington, DC 20549, on official

[[Page 36463]]

business days between the hours of 10 a.m. and 3 p.m. Copies of such 
filing also will be available for inspection and copying at the 
principal office of FINRA. All comments received will be posted without 
change; the Commission does not edit personal identifying information 
from submissions. You should submit only information that you wish to 
make publicly available. All submissions should refer to File Number 
SR-FINRA-2010-021 and should be submitted on or before July 16, 2010.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\8\
---------------------------------------------------------------------------

    \8\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Florence E. Harmon,
Deputy Secretary.
[FR Doc. 2010-15359 Filed 6-24-10; 8:45 am]
BILLING CODE 8010-01-P

