The SEC has adopted rules protecting the non-public personal information of customers of SEC-registered investment advisers, and the Federal Trade Commission has adopted substantially the same rules governing that information for customers that are investors in Investment Funds. The following is a summary of the principal requirements:
- Individuals that are customers of a regulated financial institution or that invest in an Investment Fund must receive a clear and conspicuous notice that details the financial institution’s privacy policies and practices.
- If a financial institution intends to disclose private information to a nonaffiliated third party, then the customer must be given (with some exceptions) the right to opt out (“opt-out rights”), and the financial institution must comply with any opt-out request when sharing information.
- Financial institutions are required to adopt policies and procedures reasonably designed to ensure the security, confidentiality, and integrity of customer records and protect them against anticipated hazards and unauthorized access.
2.1 Delivering the Privacy Notice to Investment Fund Investors
For Investment Funds, the Privacy Notice (see Exhibit A for current form of Privacy Notice) will initially be distributed to each investor at the direction of the Chief Compliance Officer with or as part of the subscription agreement and/or posting on the offered fund’s electronic data room.
Distribution of the Privacy Notice will be made to investors in the Investment Funds at the direction of the Chief Compliance Officer by posting a copy of the Privacy Notice on the Investor Dashboard.
2.2 Delivering the Privacy Notice to Advisory Clients
The Privacy Notice (see Exhibit A for current form of Privacy Notice) and an acknowledgement of receipt of the Privacy Notice will initially be distributed to each advisory client at the direction of the Chief Compliance Officer with or as part of the application for products and services or in the advisory contract. EIG must send the Privacy Notice once during each calendar year to each advisory client, unless there has been no change to its previously disclosed procedures regarding the handling of client nonpublic personal information. That annual delivery may be combined with EIG’s annual offer to deliver a copy of its Form ADV.
2.3 Consumer Report Information
EIG does not obtain consumer reports or information derived from consumer reports (“Consumer Report Information”), except for employment purposes. Consumer Report Information obtained for employment purposes currently is retained indefinitely. Any other Employee who obtains Consumer Report Information should contact EIG Compliance for direction on the safekeeping and disposition of that information.
2.4 Keeping Information Private
EIG follows procedures designed to ensure that data is maintained in a controlled and secure manner. The procedures may include:
- Maintaining subscription documents and other investor or client information on password-protected drives or sites;
- Reformatting hard drives to physically remove data from personal computers that are retired or reallocated to other Employees;
- Deleting password access for Employees and contractors who have left EIG;
- Deleting data on personal network drives when Employees and contractors leave EIG;
- Maintaining logs regarding the status and disposition of back-up data;
- Maintaining current patch and release levels for operating system, database, and web browsing software;
- Instituting security precautions for remote Employee access to computer systems; and
- Requiring passwords to be maintained by Employees and contractors for access to all network data and applications.
For paper records, Employees are responsible for maintaining the confidentiality of those records by appropriate means, including:
- Not leaving confidential information unattended in conference rooms;
- Storing the information in a locked and restricted file room so that visitors or Employees without a business need for the information do not inadvertently have access; and
- Shredding or destroying the information by secured disposal services when disposing of the records.
2.5 Use of Social Security Numbers
Employees are prohibited from:
- Intentionally communicating or making available to the general public any individual’s social security number;
- Printing an individual’s social security number on any card required for the individual to access products or services provided by the person or entity;
- Requiring an individual to transmit his or her social security number over the internet unless the connection is secure or the social security number is encrypted;
- Requiring an individual to use his or her social security number to access an internet website unless a password or unique personal identification number or other authentication device also is required to access the website; and
- Printing an individual’s social security number on any materials that are mailed to the individual unless state or federal law requires the number to be on the document to be mailed. However, applications and forms sent by mail may include a social security number.
2.6 Unauthorized Access to Data
EIG is required to protect the personal data of individuals maintained on its data systems. Personal data of individuals generally means an individual’s name plus one or more of the following for that individual:
- Social security number;
- Passport number, driver’s license number or state identification card number; or
- Account number, credit card number, or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
Personal data does not include information that is lawfully made available to the general public from federal, state or local government records.
Employees who become aware of a breach of the security of data systems maintained by EIG or by third parties on behalf of EIG that resulted in, or that reasonably may have resulted in, the acquisition of the personal data of individuals by an unauthorized person, must notify the General Counsel and Chief Compliance Officer immediately of that breach. The General Counsel will coordinate the investigation and response, which may include, where appropriate or required by law, notification of the individual(s) whose data may have been acquired by an unauthorized person.
A breach of the security of data systems does not include the good faith acquisition of personal information by an Employee or agent of EIG or its third-party vendors for the purposes of EIG’s or the vendor’s business provided that the personal information is not used for or subject to further, unauthorized disclosure.
2.7 Defining Non-Public Personal Information
Non-public personal information includes:
- All personally identifiable financial information (including names, addresses, telephone numbers, social security and other tax identification numbers, financial circumstances and income and account balances); and
- Any list, description, or other grouping of customers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available information – e.g., a list of persons (and their publicly listed telephone numbers) who have disclosed assets or wealth in excess of $1,000,000.00.
2.8 Policy Statement Regarding Use and Treatment of Confidential Information
No confidential information, including non-public personal information, whatever the source, regarding any customer, may be disclosed to anyone except as follows:
- To other Employees in connection with EIG’s business.
- To an affiliate, but the affiliate may disclose the information only to the same extent as EIG.
- To any person expressly authorized by a customer.
- To certain of EIG’s outside service providers (including its attorneys, custodians, fund administrators, accountants, brokers and consultants).
- To regulators and others when required by law.
- To nonaffiliated third parties with whom EIG has a contractual agreement to jointly offer, endorse or sponsor a financial product or service; and to service and maintain customer accounts including effectuating a transaction. Contracts with nonaffiliated third parties creating a joint marketing or servicing agreement with EIG must contain language prohibiting the disclosure of all non-public personal information by the nonaffiliated third party except as necessary to carry out the purpose of the agreement. The General Counsel reviews relevant contracts for inclusion of the requisite disclosure.
2.9 Procedures Regarding Disclosure of Non-public Personal Information
- Non-public personal information may not be disclosed to any nonaffiliated third parties unless customers have been previously informed of the disclosure, as required by law.
- Non-public personal information may be disclosed to the extent specifically permitted or required under other provisions of law.
- Otherwise there may be no disclosure of that information except pursuant to an express disclosure authorization from the customer.
2.10 Penalties for Violation of Procedures
Any questions regarding EIG’s policies or procedures with respect to non-public personal information should be directed to EIG Compliance.
1 EIG Global Energy Partners operates a single advisory business through EIG Management Company, LLC, an investment adviser registered with the Securities and Exchange Commission and a group of related advisers, and EIG Credit Management, LLC, an investment adviser separately registered with the SEC.