SEC Data Breach Consumer Notices


On May 16, 2024, SEC adopted final rule to enhance protection of customer data.


  • SEC adopted Reg S-P amendments to modernize, enhance customer data protection.
  • Follows SEC Mar. 2023 proposal on Reg S-P data breach notifications, see #166393.
  • Establishes a Federal minimum standard for covered institutions to provide data breach notifications to affected individuals, as protections currently may vary across States.
  • Adopted substantially as proposed, with some changes in response to comments. Amended 17 CFR 240, 17 CFR 248 (Regulation S-P), 17 CFR 270, and 17 CFR 275.
  • Issued fact sheet; Chair Gensler and Commissioners Uyeda and Peirce issued supporting statements.
  • Final Rule Overview
  • The amendments apply to B/Ds (including funding portals), investment companies, registered IAs, and transfer agents (collectively called the covered institutions).
  • Requires covered institutions to adopt an incident response program and to provide customer notices.
  • Aligns and expands the safeguards rule (17 CFR 248.30(a)) and the disposal rule (17 CFR 248.30(b)).
  • Both rules now cover nonpublic personal information a covered institution collects about its own customers, as well as nonpublic personal information it receives from another financial institution about that institution's customers.
  • Requires covered institutions, other than funding portals, to make and maintain written records documenting compliance with the requirements of the safeguards and disposal rules.
  • Conforms Reg S-P's annual privacy notice delivery provisions to the exception added by the FAST Act, under which qualifying institutions are relieved of the obligation to deliver an annual privacy notice.
  • Extended both the safeguards rule and the disposal rule to registered transfer agents.
  • Incident Response Program
  • Requires covered institutions to develop, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
  • Program must include procedures for providing timely notification to affected individuals.
  • Incident response program forms part of the written policies and procedures required under the safeguards rule, consistent with the federal safeguards standard in 16 CFR 314 (FTC Safeguards Rule).
  • Customer Notifications
  • Must notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
  • Notice must be provided as soon as practicable, but not later than 30 days after the institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
  • Notification is required except under certain limited circumstances.
  • Notices must describe the incident, the data that was breached, and how affected individuals can respond to protect themselves.
  • Notification is not required if the institution determines, after a reasonable investigation, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
  • Amendments also broaden the scope of information covered by Regulation S-P's requirements.
  • Changes from Proposal
  • Specifies that the obligation to protect the security and confidentiality of customers' nonpublic personal information continues through disposal of that information.
  • Revises 17 CFR 248.17, as proposed, to refer to determinations made by the CFPB rather than the FTC, consistent with the changes to GLBA section 507 made by the Dodd-Frank Act (DFA).
  • Changes the structure of 17 CFR 248.30 concerning the scope of information protected.
  • Modifies the safeguarding amendments to promote greater consistency with federal safeguards standards, where such changes do not affect the investor protection purpose of the rule.
  • Service providers must notify the covered institution of a breach as soon as possible, and no later than 72 hours after becoming aware of it (the proposal specified 48 hours).
  • Requires institutions to oversee, monitor, and conduct due diligence on service providers to ensure they take appropriate measures to protect customer information.
  • Service provider breach notification is to be achieved through the institution's oversight policies and procedures, rather than through the written contracts the proposal would have required.
  • Proposed compliance period was 12 months for all institutions; final rule extends it to 18 months (larger entities) and 24 months (smaller entities).
  • Final Rule Changes Benefit
  • SEC expects some changes made in the final rule to result in lower costs relative to the proposal, reducing compliance costs for all covered institutions, including smaller ones.
  • Some changes may also mitigate costs and reduce the degree to which the final rule acts as a barrier to entry.
  • Compliance Dates
  • Larger entities must comply within 18 months of publication in the Federal Register (Dec. 3, 2025, given the Jun. 3, 2024 publication).
  • Smaller entities must comply within 24 months of Federal Register publication (Jun. 3, 2026).
  • Effectiveness
  • Final rule effective 60 days after publication in the Federal Register.
  • Jun. 3, 2024 SEC Fed Reg Final Rule
  • On Jun. 3, 2024, SEC published the final rule in the Federal Register (89 FR 47688), effective Aug. 2, 2024.
  • Jun. 21, 2024 SEC Corrected Final Rule
  • On Jun. 21, 2024, SEC issued a correction to the final rule, amending the text of the authority citations.
  • Jun. 27, 2024 SEC Fed Reg Correction
  • On Jun. 27, 2024, SEC published the correction in the Federal Register (89 FR 53487); the Aug. 2, 2024 effective date is unchanged.

Regulators SEC
Entity Types B/D; IA; Inv Co
Reference 89 FR 53487, 6/27/2024; SEC RF 34-100155A, IA-6604A, IC-35193A, 6/21/2024; 89 FR 47688, 6/3/2024; SEC RF 34-100155, IA-6604, IC-35193, PR 2024-58, 5/16/2024; RIN 3235-AN26; File No. S7-05-23; DFA; GLBA; Citation: 16 CFR 314; 17 CFR 240, 248, 248.17, 248.30, 270, 275;
Functions Cyber; Financial; Operations; Outsourcing; Privacy; Product Administration; Record Retention; Reporting; Risk; Technology
Countries United States of America
Category
State
Products Equity; Fund Mgt; Securities
Regions Am
Rule Type Final
Rule Date 5/16/2024
Effective Date 8/2/2024
Rule Id 212369
Linked to Rule :166393
Reg. Last Update 6/27/2024
Report Section US Investment

Last substantive update on 07/01/2024