SEC Enhances Data Breach Disclosure Requirements
The Securities and Exchange Commission (SEC) has recently implemented changes that will compel certain financial institutions to disclose any security breaches within 30 days of becoming aware of them.
Amendments to Regulation S-P
On Wednesday, the SEC passed modifications to Regulation S-P, a regulation that governs the management of consumers’ personal information. Under the new amendments, institutions are obligated to inform individuals whose personal data has been compromised “as soon as practicable, but no later than 30 days” after discovering unauthorized access to customer information. The new requirements will apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.
SEC Chair Gary Gensler remarked on the significance of these changes, saying, “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.” Gensler added, “The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
Requirements and Procedures
Notifications must outline the details of the incident, which information was compromised, and how those affected can safeguard themselves. One notable exception to the notification requirement applies when the institution can demonstrate that the breached information has not led to “substantial harm or inconvenience” and is unlikely to do so.
Additionally, the amendments stipulate that covered institutions must establish, implement, and uphold written policies and procedures designed to detect, respond to, and recover from unauthorized access to customer data. The updates also expand and align the safeguards and disposal rules to cover both personal information collected by the institution and data received from other financial entities.
To ensure compliance, covered institutions are required to maintain records documenting adherence to the safeguards and disposal rules. The amendments further align the annual privacy notice delivery provisions with the terms of an exception added by the FAST Act, which may exempt covered institutions from delivering an annual privacy notice under specific conditions.
The scope of nonpublic personal information covered under the new rules extends beyond the data collected by the institution itself to include information acquired from other financial entities.
Commissioner’s Concern
While the majority of SEC commissioners support the updated Regulation S-P, Commissioner Hester M. Peirce expressed some reservations about the breadth of the new requirements. Peirce acknowledged that the amendments will aid institutions in prioritizing the protection of customer information and providing timely notifications to affected individuals. However, she cautioned that the rule’s broad scope might result in an excessive number of consumer notices.
Regulation S-P had not undergone significant revisions since its inception in 2000. Last year, the SEC mandated that publicly traded companies disclose security breaches that significantly impact business operations, strategy, or financial outcomes.
These latest amendments will officially take effect 60 days after their publication in the Federal Register. Larger organizations will have 18 months to comply, while smaller entities will be granted a 24-month compliance period.
For those interested, public comments on the amendments are accessible here.