In Brief

On March 15, 2023, the US Securities and Exchange Commission (“SEC”) proposed amendments to Regulation S-P (“Reg S-P”). If adopted, the amendments would introduce new data security and governance requirements for broker-dealers, investment companies, and investment advisers registered with the SEC.

Background

When the SEC first promulgated Regulation S-P in 2000, the goal was to ensure that covered entities establish adequate safeguards to protect customer information. The existing version consists essentially of two cornerstone requirements: the “safeguards rule,” which requires covered entities to establish operational measures to protect customer data; and the “disposal rule,” requiring the proper disposal of customer data.

What are the key changes?

Against this background, the SEC is proposing the following key changes.

Expanded Scope: While the existing Reg S-P applies to broker-dealers, investment companies, and investment advisers registered with the SEC, the amendments would extend the application of the Regulation’s “safeguards” provisions to transfer agents (transfer agents are already bound by the disposal rule). This change amounts to an acknowledgment that transfer agents routinely possess critical customer data and that threat actors increasingly target entities across the information supply chain.

In addition to including transfer agents among the covered entities, the amendments would also broaden and clarify the types of information that require protection. Under the existing version, the safeguards rule and disposal rule apply to different sets of information. The safeguards rule, for example, applies to “customer records and information,” which is undefined. The disposal rule applies to “consumer report information,” which is defined by reference to the FACT Act.

Under the proposed amendments, the term “customer information” would apply uniformly to both the safeguards and disposal rules. The proposal defines this term as “any records containing nonpublic personal information about a customer of a financial institution that is handled or maintained by the covered institution or on its behalf,” but contemplates that this definition may be changed or expanded subject to the rulemaking process.

Incident Response Program: The proposal would also amend the safeguards rule to require covered institutions to implement policies and procedures that include a response program for incidents of unauthorized access to customer information. The proposed amendments to the safeguards rule would require the response program to feature certain general elements but would not prescribe specific steps. In particular, the response program must include policies and procedures to: (1) assess the nature and scope of an incident and to identify customer information that has been subject to unauthorized access, (2) take steps to prevent further unauthorized access, and (3) notify individuals whose “sensitive customer information” was, or was reasonably likely to have been, accessed.

Customer Notification: Customer notification is required only when there has been unauthorized access to sensitive customer information, which the amended regulation would define as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” The proposed amendments provide non-exhaustive examples of sensitive customer information, which includes Social Security numbers, biometric records, and unique electronic identification numbers, addresses or routing codes. Accordingly, notice would not be required if the institution determines after a reasonable investigation that the information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. An institution electing not to notify customers should affirmatively demonstrate, and document, its basis for determining that there is no risk of substantial harm; mere lack of evidence of harm is insufficient to excuse notification.

Notice in 30 Days: Under the proposed amended Reg S-P, the notice should be provided to the customer as soon as practicable, and in any event within 30 days after the institution becomes aware of the incident. The notice should be designed to give affected individuals an opportunity to respond to and remediate any issues arising from the incident. The rule proposal provides that the notice should include: (1) a description of the incident and the type of data affected, (2) steps taken to prevent further unauthorized access, (3) the date, or estimated date or range, of the incident, (4) contact information to enable the customer to obtain additional information, (5) a recommendation that the customer review account statements (if applicable), (6) an explanation of how to place a fraud alert in the customer’s credit reports, (7) a recommendation that the customer obtain credit reports and an explanation of how credit reports may be obtained free of charge, and (8) information on FTC and usa.gov resources on how to prevent identity theft. If the covered entity has overlapping notification obligations under state privacy laws, a single communication that satisfies both sets of requirements is sufficient.

Service Providers: The incident response program, as contemplated under the proposed amendments, would also require covered institutions to address risks posed by security incidents at service providers, by mandating contractual obligations requiring the service providers to take appropriate measures to protect against unauthorized access to customer information. Such measures would include an obligation on the part of the service provider to notify the institution of any breach compromising customer information as soon as possible, and no later than 48 hours after discovery of the event.

Exception to GLBA Annual Notice Requirement: Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to deliver an annual notice to customers informing them of the institution’s privacy policy; the original Reg S-P implemented this requirement for SEC-regulated institutions. The FAST Act, enacted in 2015, amended the GLBA to introduce an exception to the annual notice requirement for institutions that meet certain conditions. The proposed rule amendment would memorialize this statutory exception in Reg S-P.

What’s Next?

The timeframe for comments on the proposed amendments is 60 days from the publication of the proposals in the Federal Register. If you have any questions about this proposal or any other privacy law, please do not hesitate to reach out to one of the contacts listed below.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Amy advises all manner of financial industry clients and SEC reporting companies, in connection with regulatory enforcement investigations and examinations, as well as internal investigations. Her clients include broker-dealers, investment advisers, hedge funds, mutual funds, securities issuers and reporting companies, commodities traders, and those providing services to those businesses.

Author

Jennifer L. Klass serves as the co-chair of Baker McKenzie's North America Financial Regulation and Enforcement Practice, which provides clients with a full range of regulatory advice and enforcement counseling.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.