As a registered investment adviser, Erben Associates must comply with SEC Regulation S-P, or other applicable regulations, which requires registered advisers to adopt policies and procedures to protect the “nonpublic personal information” of natural person consumers and customers and to disclose to such persons policies and procedures for protecting that information. Nonpublic personal information includes nonpublic “personally identifiable financial information” plus any list, description, or grouping of customers that is derived from nonpublic personally identifiable financial information. Such information may include personal financial and account information, information relating to services performed for or transactions entered into on behalf of clients, advice provided by Erben Associates to clients, and data or analyses derived from such nonpublic personal information. Erben Associates must also comply with the California Financial Information Privacy Act (SB1) if the firm does business with California consumers.
Background
The purpose of these privacy policies and procedures is to provide administrative, technical, and physical safeguards which assist employees in maintaining the confidentiality of nonpublic personal information collected from the consumers and customers of an investment adviser. All nonpublic information, whether relating to an adviser’s current or former clients, is subject to these privacy policies and procedures. Any doubts about the confidentiality of client information must be resolved in favor of confidentiality.
Responsibility
Brittany Worrell is responsible for reviewing, maintaining, and enforcing these policies and procedures so that Erben Associates’ client privacy goals and objectives are met while, at a minimum, ensuring compliance with applicable federal and state laws and regulations. Brittany Worrell may recommend to the President any disciplinary or other action as appropriate. Brittany Worrell is also responsible for distributing these policies and procedures to employees and conducting appropriate employee training to ensure employee adherence to these policies and procedures.
Procedure
Erben Associates has adopted various procedures to implement the firm’s policy and reviews to monitor and ensure the firm’s policy is observed, implemented properly, and amended or updated as appropriate, which include the following:
Non-Disclosure of Client Information
Erben Associates maintains safeguards to comply with federal and state standards to guard each client’s nonpublic personal information. Erben Associates does not share any nonpublic personal information with any nonaffiliated third parties, except in the following circumstances:
- As necessary to provide the service that the client has requested or authorized, or to maintain and service the client’s account;
- As required by regulatory authorities or law enforcement officials who have jurisdiction over Erben Associates, or as otherwise required by any applicable law; and
- To the extent reasonably necessary to prevent fraud and unauthorized transactions.
Employees are prohibited, either during or after termination of their employment, from disclosing nonpublic personal information to any person or entity outside Erben Associates, including family members, except under the circumstances described above. An employee is permitted to disclose nonpublic personal information only to such other employees who need to have access to such information to deliver our services to the client.
Use of AI in Operations and Client Service
Erben Associates utilizes artificial intelligence (“AI”) and automated technologies for limited operational and administrative purposes designed to enhance efficiency, accuracy, and client service. These uses may include data organization, document drafting support, workflow automation, and internal analytics. Erben Associates does not rely on AI to make discretionary investment decisions or provide personalized investment advice without appropriate human oversight. Any client information processed through such technologies is handled in accordance with Erben Associates’ privacy policies and applicable state and federal regulations, including safeguards designed to protect the confidentiality and security of nonpublic personal information. Erben Associates conducts reasonable due diligence on third-party AI service providers, where applicable, to ensure appropriate data protection standards are maintained.
Safeguarding and Disposal of Client Information
Erben Associates restricts access to nonpublic personal information to those employees who need to know such information to provide services to our clients.
Any employee who is authorized to have access to nonpublic personal information is required to keep such information in a secure compartment or receptacle as of the close of business each day. All electronic or computer files containing such information shall be password secured and firewall protected from access by unauthorized persons. Any conversations involving nonpublic personal information, if appropriate at all, must be conducted by employees in private, and care must be taken to avoid any unauthorized persons overhearing or intercepting such conversations.
Safeguarding standards encompass all aspects of Erben Associates that affect security. This includes not just computer security standards but also such areas as physical security and personnel procedures. Examples of important safeguarding standards that Erben Associates may adopt include:
- Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means, such as requiring employee use of user ID numbers and passwords;
- Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals, such as intruder detection devices and use of fire and burglar resistant storage devices;
- Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
- Procedures designed to ensure that customer information system modifications are consistent with the firm’s information security programs, independent approval, and periodic audits of system modifications;
- Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information, such as requiring data entry to be reviewed for accuracy by personnel not involved in its preparation, and adjustments and correction of master records to be reviewed and approved by personnel other than those approving routine transactions;
- Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems, such as data being auditable for detection of loss and accidental and intentional manipulation;
- Response programs that specify actions to be taken when the firm suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies;
- Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures, such as use of fire resistant storage facilities and vaults, and backing up and storing off site key data to ensure proper recovery; and
- Information systems security should incorporate system audits and monitoring, security of physical facilities and personnel, the use of commercial or in-house services, such as networking services, and contingency planning.
Any employee who is authorized to possess “consumer report information” for a business purpose is required to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. There are several components to establishing “reasonable” measures that are appropriate for the firm:
- Assessing the sensitivity of the consumer report information we collect;
- Considering the nature of our advisory services and the size of our operation;
- Evaluating the costs and benefits of different disposal methods; and
- Researching relevant technological changes and capabilities.
Methods of disposal that Erben Associates may adopt to ensure that the information cannot practicably be read or reconstructed include:
- Procedures requiring the burning, pulverizing, or shredding of papers containing consumer report information;
- Procedures to ensure the destruction or erasure of electronic media; and
- After due diligence, contracting with a service provider engaged in the business of record destruction to provide such services in a manner consistent with the disposal rule.
Privacy Notices
Erben Associates will provide each natural person client with initial notice of the firm’s current policy when the client relationship is established. Erben Associates shall also provide each such client with a new notice of the firm’s current privacy policies at least annually. If Erben Associates shares nonpublic personal information relating to a non-California consumer with a nonaffiliated company under circumstances not covered by an exception under Regulation S-P, the firm will deliver to each affected consumer an opportunity to opt out of such information sharing. If Erben Associates shares nonpublic personal information relating to a California consumer with a non-affiliated company under circumstances not covered by an exception under SB1, the firm will deliver to each affected consumer an opportunity to opt in regarding such information sharing. If at any time Erben Associates adopts material changes to its privacy policies, the firm shall provide each such client with a revised notice reflecting the new privacy policies. The Compliance Officer is responsible for ensuring that required notices are distributed to Erben Associates’ consumers and customers.
