31 CFR 31.217 - Confidentiality of information.
(a) Nonpublic information defined. Any information that Treasury provides to a retained entity under an arrangement, or that the retained entity obtains or develops pursuant to the arrangement, shall be deemed nonpublic until the Treasury determines otherwise in writing, or the information becomes part of the body of public information from a source other than the retained entity.
(b) Prohibitions. The retained entity shall not:
(1) Disclose nonpublic information to anyone except as required to perform the retained entity's obligations pursuant to the arrangement, or pursuant to a lawful court order or valid subpoena after giving prior notice to Treasury.
(2) Use or allow the use of any nonpublic information to further any private interest other than as contemplated by the arrangement.
(c) Retained entity's responsibility. A retained entity shall take appropriate measures to ensure the confidentiality of nonpublic information and to prevent its inappropriate use. The retained entity shall document these measures in sufficient detail to demonstrate compliance, and shall maintain this documentation for three years after the arrangement has terminated. The retained entity shall notify the TARP Chief Compliance Officer in writing within five business days of detecting a violation of the prohibitions in paragraph (b), above. The security measures required by this paragraph shall include:
(1) Security measures to prevent unauthorized access to facilities and storage containers where nonpublic information is stored.
(2) Security measures to detect and prevent unauthorized access to computer equipment and data storage devices that store or transmit nonpublic information.
(3) Periodic training to ensure that persons receiving nonpublic information know their obligation to maintain its confidentiality and to use it only for purposes contemplated by the arrangement.
(4) Programs to ensure compliance with federal securities laws, including laws relating to insider trading, when the arrangement relates to the acquisition, valuation, management, or disposition of troubled assets.
(5) A certification from each key individual stating that he or she will comply with the requirements in section 31.217(b). The retained entity shall obtain this certification, in the form of a nondisclosure agreement, before a key individual performs work under the arrangement, and then annually thereafter.
(d) Certification. No later than ten business days after the effective date of the arrangement, the retained entity shall certify to the Treasury that it has received a certification form from each key individual stating that he or she will comply with the requirements in § 31.217(b). In making this certification, the retained entity may rely on the information obtained pursuant to paragraph (b) of this section, unless the retained entity knows or should have known that the information provided is false or inaccurate.