SEC Revamps And Enhances Data Protections With Amendments To Regulation S-P

Foley Hoag LLP


Key Takeaways:

  • The Securities and Exchange Commission ("SEC") has announced the adoption of amendments to Regulation S-P ("Amendments") to modernize and enhance the rules that govern the treatment of consumers' nonpublic personal information by certain financial institutions (including SEC registered investment advisers ("RIA")).
  • RIAs with $1.5 billion or more in assets under management will have 18 months after the date of publication in the Federal Register to comply (and others will have 24 months).
  • The Amendments will require the covered institutions to:
    • develop and implement a written incident response program that reasonably responds to unauthorized access to or use of customer information;
    • provide notice, no later than 30 days, to affected individuals in connection with incidents involving such unauthorized access or use;
    • establish, maintain and enforce written policies and procedures designed to require oversight of service providers; and
    • make and keep compliance records to document policies and procedures to better safeguard and dispose of customer information.
  • RIAs should examine their existing incident response programs (or implement a program) to ensure compliance with the Amendments. In particular, they should review and update any service provider arrangements.

Overview of the Amendments to Regulation S-P

On May 15, 2024, the SEC adopted Amendments applicable to "covered institutions" being:

  • investment advisers registered with the SEC ("RIA")
  • broker-dealers (including funding portals)
  • investment companies
  • transfer agents

The Amendments apply solely to RIAs, and not other types of investment advisers, including state registered investment advisers and exempt reporting investment advisers. In the adopting release footnotes, it is noted that "private funds that are able to rely on 3(c)(1) and 3(c)(7) of the Investment Company Act are not subject to Regulation S-P but they may be subject to the FTC Safeguards Rule. Investment advisers registered with the Commission, including those that are advisers to private funds are covered institutions for the purposes of the final amendments."

The Amendments will not only broaden the scope of institutions covered by Regulation S-P, but will also require the following:

  • Development, implementation, and maintenance of written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
  • Procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use;
  • Timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization;
  • Establishment, maintenance and enforcement of written policies and procedures for the oversight of service providers; and
  • Maintenance of written records documenting compliance with the safeguards rule and the disposal rule (as defined).

Finally, the Amendments adopt an exception to the annual delivery of privacy notice requirement.

Written Incident Response Program Requirements

General

Regulation S-P, as newly amended, requires that the covered institution's incident response program has written policies and procedures that address administrative, technical and physical safeguards for the protection of customer information.

The program must be reasonably designed to:

  • ensure the security and confidentiality of customer information;
  • protect against any anticipated threats or hazards to the security or integrity of customer information;
  • protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer; and
  • detect, respond to, and recover from unauthorized access to or use of customer information.

The program must include procedures for the covered institution to:

  • assess the nature and scope of any incident and identify the customer information systems and types of customer information that may have been accessed or used;
  • take appropriate steps to contain and control the incident to prevent further unauthorized access or use; and
  • notify those affected individuals whose sensitive information was, or is reasonably likely to have been, accessed or used (as specified below).

The incident response program requirement gives covered institutions the flexibility to tailor their policies and procedures to the size and complexity of the institution and the nature and scope of its activities.

Service Providers

In addition, the covered institution's program should be reasonably designed to require oversight of service providers, including through due diligence and monitoring, so as to ensure that the covered institution itself notifies affected individuals. A "service provider" means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution. The program should be reasonably designed to ensure that service providers take appropriate measures to:

  • Protect against unauthorized access to or use of customer information; and
  • Provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach has occurred (which would then trigger the covered institution to initiate its own incident response program).

The service provider may also be permitted by written agreement with the covered institution to notify affected individuals on the covered institution's behalf.

Notification Requirements

Covered institutions will be required to comply with quite specific notification requirements in the event that unauthorized access to or use of "sensitive customer information" occurs or is reasonably likely to have occurred.

  • "Sensitive customer information," for purposes of the Amendments, is any component of customer information, alone or in conjunction with any other information, the compromise of which would create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information. Examples include social security numbers, driver's license and passport numbers, biometric records, unique electronic identification numbers or routing codes, telecommunication identifying information or access devices, or an individual's account (including the account number, name or online username) in combination with authenticating information.
  • Notice must be provided no later than 30 days after becoming aware of the incident to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization (subject to certain carveouts relating to delaying the notice for substantial risk to national security or public safety).
  • Notices must:
    • describe in general terms the incident and the type of sensitive customer information that was or is reasonably believed to have been accessed or used without authorization;
    • include if the information is reasonably possible at the time of notice: date of incident, estimated date of incident, or the date range within which the incident occurred;
    • include contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident (including a phone number, an email address and the name of a specific office, if applicable);
    • recommend, if the individual has an account with a covered institution, to review account statements and report suspicious activity;
    • explain what a fraud alert is and how an individual may place a fraud alert in their credit reports and place creditors on notice, and periodically obtain credit reports to have fraudulent transactions deleted;
    • explain how the individual may obtain a free credit report, and include information about the availability of online guidance from the Federal Trade Commission ("FTC") and usa.gov regarding how to better protect oneself from identity theft and how to report the incident to the FTC and include their website; and
    • be clear and conspicuous, and provided by a means designed to ensure that each affected individual can reasonably be expected to receive it.

However, notice does not have to be given if, after a reasonable investigation of the facts and circumstances of the incident, the covered institution determines that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Note that the Amendments do not define the term "substantial harm or inconvenience"; rather, it is a facts and circumstances test. If a covered institution determines that notice is not required, it will be required to maintain a record of the investigation and the basis for its determination.

Broadening the Scope of Information Under Regulation S-P

The Amendments update the requirements of the "safeguards" and "disposal" rules, first introduced in Regulation S-P in 2000. As a recap, the safeguards rule broadly requires broker-dealers, investment companies, and RIAs to adopt written policies and procedures to safeguard customer records and information. The disposal rule requires proper disposal of consumer report information in a manner that protects against unauthorized access to or use of such information.

The Amendments include technical amendments to:

  • Adopt a new definition of "customer information". This definition provides greater specificity regarding what customer information must be protected under the safeguards rule and expands the scope of the disposal rule;
  • Provide that customer information is protected under both the safeguards and disposal rules, covering both customer information in the possession of a covered institution and such information handled or maintained on its behalf; and
  • Provide that both customer and consumer information include information that pertains to individuals with whom the covered institution has a customer relationship as well as customers of other financial institutions where such information has been provided to the covered institution.

Recordkeeping

To better implement and enforce compliance over these newly adopted rules, covered institutions (other than funding portals) will be required to maintain written records documenting compliance with the amended safeguards and disposal rules (i.e., maintaining written records of policies and procedures, as well as notifications sent to affected individuals). The time periods for preserving records vary by covered institution to be consistent with existing recordkeeping rules. For RIAs, all records must be kept for five years, the first two in an easily accessible place.

Annual Delivery of Privacy Notice Exception

Currently, Regulation S-P generally requires broker-dealers, investment companies and RIAs to provide customers with annual notices informing them about the institution's privacy practices. The Amendments now provide for an exception to the annual privacy notice requirement, provided certain conditions are met. To qualify for the exception, the institution (i) only provides nonpublic personal information to nonaffiliated third parties when an exception to the third-party opt-out applies; and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure sent to customers. The Amendments are intended to align with the existing privacy notice delivery requirements of the Commodity Futures Trading Commission, the Consumer Financial Protection Bureau and the Federal Trade Commission.

When Will the Rules Become Effective?

The effective date for the Amendments will be 60 days after publication in the Federal Register, with a compliance date of 18 months after publication for "larger entities" (including RIAs with assets under management of US$1.5 billion or more). Other covered institutions, which are "smaller entities," will have 24 months after publication in the Federal Register to comply with the new rules.

The full text of the amended S-P Regulation can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
