Appleton Partners Inc. Privacy Notice
As a registered investment adviser, Appleton Partners, Inc. (“API” or the “Firm”) must comply with SEC Regulation S-P, which requires registered advisers to adopt policies and procedures to protect the “non-public personal information” of natural person consumers and customers (“Clients”) and to disclose to such persons policies and procedures for protecting that information. Further, API must also comply with SEC Regulation S-AM, to the extent that the Firm has affiliated entities with which it may share and use consumer information received from affiliates. Lastly, API must also comply with 201 CMR 17.00 if the Firm does business with Massachusetts consumers and with the California Financial Information Privacy Act (“SB1”) if the Firm does business with California consumers.
Regulation S-P/Privacy Rule
The purpose of these regulatory requirements and privacy policies and procedures is to provide administrative, technical, and physical safeguards which assist API employees in maintaining the confidentiality of non-public personal information (“NPI”) collected from Clients of the Firm. All NPI, whether relating to API’s current or former Clients, is subject to these privacy policies and procedures. Any doubts about the confidentiality of Client information must be resolved in favor of confidentiality.
For these purposes, NPI includes non-public “personally identifiable financial information” plus any list, description or grouping of Clients that is derived from non-public personally identifiable financial information. Such information may include personal financial and account information, information relating to services performed for or transactions entered into on behalf of Clients, advice provided by the Firm to Clients, and data or analyses derived from such NPI.
Regulation S-AM/Affiliate Sharing
Regulation S-AM requires API, to the extent relevant, to implement limitations on the Firm’s use of certain Client information received from an affiliated entity to solicit that Client for marketing purposes. Regulation S-AM provides for notice and opt-out procedures, among other things.
201 CMR 17.00/Written Information Security Program
Intending to help protect residents of the Commonwealth of Massachusetts from unauthorized disclosure of personal information, the Massachusetts Office of Consumer Affairs & Business Regulation (the “OCABR”) requires the following under 201 CMR 17.00: (i) the development and implementation of a comprehensive, written information security program (the “WISP”); and (ii) adoption of a security system for computer and wireless networks that includes, amongst other things, the use of secure user authorization protocols, secure access control measures, encryption of stored and transmitted data, and internet firewall protections.
Identity Theft/Red Flags Rules
The SEC and CFTC (together, the “Commissions”) jointly adopted Regulation S-ID: Identity Theft Red Flags (the “Identity Theft Rules”) requiring each SEC and/or CFTC-regulated entity that meets the definition of a “financial institution” or a “creditor” that offers a “covered account” (as those terms are defined under the Fair Credit Reporting Act) to develop and implement a written identity theft prevention program (the “Program”) designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts and the opening of new accounts.
Notably, the Identity Theft Rules require that a designated senior management employee of API:
(i) provide initial approval of the Program; and (ii) maintain responsibility for the ongoing oversight, development, implementation, and administration of the Program.
Legal & Compliance is responsible for reviewing, maintaining, and enforcing these policies and procedures to ensure API meets its client privacy goals and objectives, while at a minimum ensuring compliance with applicable federal and state laws and regulations. Legal & Compliance is responsible for distributing these policies and procedures to employees and conducting appropriate employee training to ensure employee adherence. In light of any violation of these policies and procedures, Legal & Compliance may recommend to the Firm’s principal(s) any disciplinary or other necessary actions deemed appropriate.
Non-Disclosure of Client Information
API has adopted various procedures to implement the Firm’s policy and conducts periodic reviews to monitor and ensure the Firm’s policy is observed, properly implemented, and/or amended or updated, as appropriate. API discloses NPI to persons or entities outside the Firm only under the following circumstances:
- as necessary to provide the service that the Client has requested or authorized, or to maintain and service the Client’s account;
- as required by regulatory authorities or law enforcement officials who have jurisdiction over API, or as otherwise required by any applicable law;
- to the extent reasonably necessary to prevent fraud and unauthorized transactions.
Employees are prohibited, either during or following termination of their employment, from disclosing NPI to any person or entity outside API, including family members, except under the circumstances described above. An employee is permitted to disclose NPI only to such other employees who need to have access to such information to deliver the Firm’s services to the Client.
Safeguarding of Client Information
API restricts access to NPI to those employees who need to know such information to provide services to our Clients. Any employee who is authorized to have access to NPI is required to keep such information in a secure compartment or receptacle on a daily basis as of the close of business each day. All electronic or computer files containing such information shall be password secured and firewall protected from access by unauthorized persons. Any conversations involving NPI, if appropriate at all, must be conducted by employees in private, and care must be taken to avoid any unauthorized persons overhearing or intercepting such conversations.
Safeguarding standards encompass all aspects of API that affect security. This includes not just computer security standards, but also such areas as physical security and personnel procedures. Examples of important safeguarding standards that the Firm has adopted include:
- access controls on Client information systems, including authentication controls that restrict access only to authorized individuals and prevent employees from providing Client information to unauthorized individuals who may seek to obtain this information through fraudulent means (e.g., requiring employee use of user ID numbers and passwords and periodic rotation of such passwords);
- access restrictions at physical locations containing Client information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
- encryption and/or password protection of electronic customer information, including while in transit or in storage on networks or systems, to which unauthorized individuals may have access;
- firewall protection, operating system patches, up-to-date security software, and malware protection;
- monitoring procedures to detect actual and attempted attacks on or intrusions into customer information systems;
- security policies and procedures designed for persons working outside the office (i.e., telecommuting policies and procedures);
- response programs specifying actions to be taken when the Firm suspects or detects that unauthorized individuals may have gained access to Client information systems, including appropriate reports to affected Clients and/or regulatory and law enforcement agencies;
- measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures;
- adoption of a Written Information Security Policy pursuant to 201 CMR 17.00; and
- review, assessment and/or attestation of critical vendor privacy policies and practices.
Disposal of Client Information
Any API employee who is authorized to possess NPI for a business purpose is required to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The Firm has adopted the following secure disposal procedures:
- procedures requiring the shredding of papers containing Client report information;
- procedures to ensure the destruction or erasure of electronic media; and
- after conducting due diligence, contracting with a service provider engaged in the business of record destruction, to provide such services in a manner consistent with the disposal rule.
Regulation S-P Privacy Notices
API will provide each natural person Client with an initial notice of the Firm’s current policy when the relationship is established. API shall also provide each such Client with a new notice of the Firm’s current privacy policies at least annually. If at any time, API adopts material changes to its privacy policies, the Firm shall provide each such Client with a revised notice reflecting the updated privacy policies. Legal & Compliance is responsible for ensuring that required notices are distributed to the Firm’s clients.
Regulation S-ID/Identity Theft Prevention Policy
As a “financial institution” that offers and maintains one or more “covered accounts,” API is required to adopt a written identity theft prevention program (the “Identity Theft Prevention Program”). API has adopted reasonable procedures to implement the Firm’s policy and conducts reviews to monitor and ensure the policy is observed, implemented properly, and amended or updated, as appropriate, which include the following:
- identification of relevant patterns, practices, and specific activities that are “red flags” signaling possible identity theft and the incorporation of those red flags into the Identity Theft Prevention Program;
- detection of the occurrence of any red flag incorporated into the Identity Theft Prevention Program;
- an appropriate response to any detected red flag to prevent and mitigate identity theft;
- review and updating of the Identity Theft Prevention Program by the Firm, if necessary, on at least an annual basis to reflect changes in risks to Clients and to the safety and soundness of the Firm from identity theft; and
- appropriate staff training to effectively implement the Identity Theft Prevention Program.
With respect to the third-party vendors and service providers with which API either shares Client information or provisions access to such information, the Firm’s oversight procedures include the following:
- API will make reasonable efforts to review the vendor’s/service provider’s security policy and procedures, as part of the Firm’s initial due diligence assessment, to determine reasonableness;
- if determined necessary, API will request that the vendor/service provider implement appropriate measures designed to meet the objectives of API’s data security policies;
- API will request that the vendor/service provider promptly notify the Firm of any material security incidents experienced, including incidents not resulting in the actual compromise of the Firm’s data; and