New SEC Data Breach Rules For Investment Advisers, Broker Dealers And Investment Companies


On May 15, 2024, the U.S. Securities and Exchange Commission (the "SEC") adopted amendments to Regulation S-P (the "Data Privacy Amendments"), which were published in the Federal Register on June 3, 2024, starting the clock for covered entities to become compliant. Regulation S-P governs the use of personal information by certain financial institutions and historically required broker dealers, investment companies and registered investment advisers to (i) have written policies and procedures to safeguard client information, (ii) dispose of consumer report information in a manner that protects against unauthorized access to, or use of, client information, and (iii) comply with certain privacy policy requirements and opt-out provisions. The Data Privacy Amendments include a number of changes, including with respect to a written incident response program, client notifications, and certain other changes, each discussed in the sections below.

Incident Response Program

The Data Privacy Amendments require SEC registered investment advisers, investment companies, broker dealers, funding portals, and transfer agents (collectively, "Covered Entities") to adopt written policies and procedures to detect, respond to and recover from data breaches resulting in access to, or use of, customer information. The response program must include procedures to assess the nature and scope of any data breach incident and take steps to contain and control the incident to prevent further access or use. The incident response program must include the establishment, maintenance and enforcement of written policies and procedures for the oversight, including through due diligence and monitoring, of service providers.

Client Notification

In the event of a data breach, the Data Privacy Amendments require Covered Entities to provide affected individuals with written notice as soon as practicable, and in no event later than 30 days after the incident. The notice must include details about the incident, including information accessed, or reasonably likely to have been accessed, and how affected individuals can respond to protect themselves. The Data Privacy Amendments include an exception to the notification requirement if a Covered Entity determines, after reasonable investigation, no sensitive client information was, or is reasonably likely to be, accessed or used in a manner that would result in substantial harm or inconvenience to an affected individual.

Other Changes to Regulation S-P from the Data Privacy Amendments

Additionally, the Data Privacy Amendments revise Regulation S-P to (i) require Covered Entities to comply with the safeguarding and disposal rules with respect to the collection and receipt of information constituting nonpublic personal information, including consumer reports, about their clients, whether the information is received from a client or from another entity, (ii) impose record keeping obligations on Covered Entities, other than funding portals, to document compliance with the safeguarding and disposal rules, (iii) conform the annual privacy notice delivery provisions to those under the Gramm-Leach-Bliley Act, which includes an exception from the requirement to deliver an annual privacy notice if certain conditions are met, and (iv) extend the applicability of Regulation S-P to transfer agents.

Compliance

Starting from the publication of the Data Privacy Amendments in the Federal Register on June 3, 2024, larger Covered Entities have 18 months to comply and smaller entities have 24 months to comply. Should you have any questions, please contact one of the above listed authors who can provide expertise and counsel on any of the matters described herein.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
