Federal privacy laws require all “financial institutions,” defined to include investment advisers to establish procedures and systems to assure privacy of customer personal and financial information. The privacy requirements set forth herein apply only to individual, non-entity Clients, including U.S. individuals who invest in private funds.
Federal privacy laws define “customers” of a “financial institution,” such as an investment management firm, to mean natural persons (as opposed to corporations, partnerships, limited liability companies, trusts, and other entities) that have a continuing relationship with the Firm under which the Firm provides one or more financial products or services to the individual that are to be used primarily for personal, family, or household purposes. It is the Firm’s policy to keep all Client information strictly confidential and not to disclose any such information to non-affiliated third parties, except as set forth in the Firm’s Privacy Notice.
A. Protected Information
A financial institution must respect the privacy of its customers and protect the security of “non-public personal information,” defined as personally identifiable financial information provided by a customer, obtained as a result of a transaction with a customer or obtained otherwise. Regulation S-P, adopted by the SEC to implement federal privacy laws, treats any personally identifiable information as “financial” if the financial institution received the information in connection with providing a financial product or service to a consumer. Thus, any information provided by U.S. individual Clients with managed accounts in connection with the investment advisory relationship should be considered subject to these privacy requirements. In addition, information created in the course of the relationship, such as account balances and securities positions or transactions, is subject to privacy protection.
B. Initial and Annual Notices
Regulation S-P requires advisers to provide notice to “customers” about the institution’s privacy policies and practices. The initial notice must be provided to an individual when the “customer relationship” is established. An annual notice must be provided to Clients only if there are any changes to the initial Privacy Notice. It is the Firm’s policy to issue notices of the Firm’s privacy policies and practices to Clients at the inception of the Firm’s relationship with the Client and once annually thereafter.
C. Content of Notices
Both the initial and annual notices must set forth, among other things, a general description of the Firm’s policies and procedures to protect Clients’ non-public information; categories of non-public personal information, if any, that are disclosed; and categories of affiliates or non-affiliated third parties, if any, that may receive the information.
D. Firm Policies and Procedures
1. Delivery of Initial Privacy Notice. The Firm will deliver the initial Privacy Notice to individual Clients at the time an account is opened.
2. Delivery of Annual Privacy Notice. The Chief Compliance Officer will confirm whether an annual Privacy Notice is required to be provided to Clients. The Chief Compliance Officer will facilitate such distribution if required.
3. Record Retention. The Chief Compliance Officer is responsible for maintaining the Firm’s Privacy Notice and updating the notice in light of any changes. The Chief Compliance Officer will retain evidence that the initial and annual Privacy Notice was delivered to individual U.S. Clients.
4. Safeguarding Client Information. The Firm maintains safeguards that comply with federal standards to protect Client information, restrict access to the personal and account information of Clients to those Employees who need to know that information in the course of their job responsibilities, and require that third parties with which the Firm shares Client information must agree to follow appropriate standards of security and confidentiality.
5. Physical Facilities. The Firm’s physical office space is secure and accessible only by authorized personnel who have keys and/or electronic access cards.
6. Training. To assist Employees in understanding their obligations with respect to non-public personal financial information of U.S. Clients, the Chief Compliance Officer will:
a. Inform Employees regarding the Firm’s confidentiality and security standards for handling Client information by giving them a copy of this Manual.
b. Instruct Employees to take basic steps to maintain the security, confidentiality and integrity of Client information, including:
- not leaving files, notes or correspondence in the open;
- changing passwords periodically, and not posting passwords near computers;
- conversing behind closed doors and not in the presence of any persons not authorized to hear or receive such information;
- avoiding the use of speaker phones and discussions in hallways, elevators, and any public places;
- recognizing any fraudulent attempt to obtain Client information and reporting it to appropriate management personnel; and
- access to Client information only to Employees who have a business reason for seeing it.
c. Keep access to computer files containing Client information restricted on a need to know basis.
d. Inform Employees not to leave open files that hold Client information on the computer while they are not at their desk.
e. Keep back-up computer files locked at alternate sites allowing access only by authorized persons.
f. Oversee service providers by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards and requiring service providers to agree contractually to implement and maintain such safeguards.
g. Evaluate and adjust the information security program in light of results of testing and monitoring, any material changes to the Firm’s operations or business arrangements or any other circumstances that would impact the Firm’s information security program.
7. Outside service providers, including the Firm’s attorneys, auditors, brokerages and administrators, may be given access to non-public personal financial information concerning U.S. Clients in connection with the provision of services to the Firm and its Clients. It is the Firm’s reasonable belief that such service providers are capable of maintaining and have in place appropriate safeguards to protect Client information.
8. Information Systems. The Firm will maintain the security of its information systems by:
a. Storing electronic Client information on a secure server that is accessible only with a password and is kept in a physically secure area.
b. Disposing, when necessary and permissible, of Client information in a secure manner by:
c. Supervising the disposal of records containing non-public personal information;
d. Erasing all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain Client information;
e. Effectively destroying obsolete or replaced hardware;
f. Promptly disposing of outdated Client information; and
g. Using appropriate oversight to detect the improper disclosure or theft of Client information.
9. Additional Procedures for Massachusetts Residents. For the purposes of the procedures in this sub-section, “personal information” includes a Massachusetts resident’s first and last name and any of the following a) social security number; b) driver’s license number; or c) financial account number (e.g. bank, credit card, etc.). To the extent that a client is a Massachusetts resident, the Firm will implement the following procedures:
a. Any personal information maintained or stored on a mobile device (e.g. laptop or smart phone) will be stored in an encrypted format;
b. To the extent technically feasible, any personal information transmitted wirelessly or across a public network will be transmitted in an encrypted format; and
c. The Firm will take reasonable steps to ensure that its service providers who have access to the personal information of the Firm’s Clients will implement and maintain appropriate security measures for the information.