Data privacy rules are coming fast & furious - but responsibility for data split between compliance & tech

NAREIM Legal, Compliance & Risk meeting

April 5, 2023

Data privacy concerns are managed equally between compliance and technology teams within real estate investment management firms – with almost half of managers saying compliance takes the lead.

During the NAREIM Legal, Compliance and Risk meeting held this week, members discussed federal and state privacy regulations and how to manage the growing workload with lean teams. During the conversation, 47% of attendees said compliance was responsible for data privacy, with 42% saying technology took the lead.

Only 5% of managers had dedicated Chief Privacy Officers, according to the member poll, while seven out of 10 had concerns about international, as well as domestic, privacy laws. And almost one-third said they did not know if they maintained covered accounts, a key target of the SEC under Regulation S-ID.

To download the member poll, attendee list and presentation from the meeting, click here.

  • Covered accounts:

In December, the SEC issued a risk alert relating to covered accounts – which include margin or custodial accounts and accounts which permit individuals to make wire transfers to other parties. One member said they got caught under S-ID because their subscription documents allowed distributions to be paid back to a different account than the one which made the contribution.

“A lot of people make the mistake of thinking about covered accounts in terms of what they do practically versus what is legally allowed,” said one member. “When we saw an SEC question on this we checked if we had covered accounts and no-one was sure. However, once we went into the sub-docs and spoke to the IR team we realized we had covered accounts, even though we didn’t use them.”

Members shared the advice: “When you see a risk alert from the SEC: Jump and do something about it.”

Others mentioned that the SEC is significantly staffing up and data privacy will be a target area for regulators.

During a presentation on emerging privacy rules, members were also told about Regulation S-P.

  • Reg S-P: The SEC has determined that SEC-registered firms need written procedures for incident response programs, and has broadened the amount of information that needs to be safeguarded.

No, but yes. Follow the SP rules:

While on the surface Reg S-P seems as though it doesn’t apply to private funds, members agreed that in practice managers should follow the rules. “You are not technically beholden to SP,” said one member. “But you are beholden to the FTC (Federal Trade Commission) regulations so following SP makes most sense.”

Other key takeaways from the meeting included:

  • Data privacy rules are coming fast and furious, and state rules mean it’s a patchwork quilt of regulations. California, though, has the most robust rules and is emerging as the model for other states to follow.

  • California’s Privacy Rights Act 2020 came into force on Jan 1 – but can apply to breaches over the past year with a look-back provision through Jan 1, 2022. It applies to any firm with one employee in CA and global revenues of more than $25m. It covers information including name, email address, Social Security Number (SSN), physical address and other data for employees, contractors, job applicants, business prospects, website visitors and suppliers.

  • Biometric data privacy is an emerging class action issue in Illinois thanks to the state’s privacy laws, not least taking personal data from driver’s licenses, passports etc. for corporate reporting requirements or to check

  • Almost nine out of 10 managers implement email encryption controls within their firm, followed by website restrictions. According to a member poll, data mapping and data inventories were the third area where controls were placed, followed by service provider certifications. A third of firms had restrictions on AI/ChatGPT and destroyed data periodically.