SEC Modernizes Data Protection Rules For Safeguarding Customer Information

WilmerHale, Contributor

Last month, the Securities and Exchange Commission (the SEC or the Commission) unanimously voted to adopt amendments to Regulation S-P (Reg S-P), which is the SEC's regulation governing the treatment and safeguarding of customers' nonpublic personal information.[1] The amendments apply to broker-dealers, investment companies, registered investment advisers and transfer agents registered with the SEC or with another appropriate regulatory agency (collectively, covered institutions) and cover three main areas, discussed in more detail below: (1) a new requirement to design an “incident response program” to detect, contain and control unauthorized access to or use of customer information; (2) an expanded scope of information and entities covered by Reg S-P's safeguarding and disposal requirements; and (3) new recordkeeping requirements for covered institutions. Covered institutions will be subject to the new rules either 18 months after publication in the Federal Register, if the covered institution is a “larger entity,” or 24 months after publication, if the covered institution is a “smaller entity.”[2] The amendments were published in the Federal Register on June 3, 2024.

Background

Reg S-P governs the treatment of certain types of information about “consumers” by covered institutions. For purposes of Reg S-P, a consumer is an individual who obtains or has obtained a financial product or service from certain financial institutions that is to be used primarily for personal, family or household purposes, or that individual's legal representative.[3] In addition to its privacy disclosure and “opt-out” rules regarding the use of nonpublic personal information, Reg S-P requires broker-dealers, investment companies and registered investment advisers to adopt written policies and procedures to safeguard certain customer records and information (the Safeguards Rule). Reg S-P also requires proper disposal of consumer report information by transfer agents registered with the Commission, broker-dealers, investment companies and registered investment advisers (the Disposal Rule).

Reg S-P was initially adopted in 2000 under the Gramm-Leach-Bliley Act. In the years since, the Commission and SEC staff have recognized a need to “modernize” Reg S-P to address the increased risk of harm to consumers due to the evolving uses of technology and the increased risks of cybersecurity breaches. In a statement accompanying the final rules, Chair Gary Gensler explained that over “the last 24 years, the nature, scale, and impact of data breaches has transformed substantially.”[4] He also noted that complaints about identity theft have more than doubled in just the four years from 2018 to 2022, according to the FBI's Internet Crime Complaint Center.[5] Commissioner Mark Uyeda echoed the sentiment that updates to Reg S-P were overdue, noting that, at the time Reg S-P was adopted, “pagers were still in vogue, and smartphones in their current incarnation did not yet exist.”[6]

New Incident Response Program Requirement

New regulation 17 C.F.R. § 248.30(a)(3), (4) and (5) will require covered institutions to implement an incident response program as part of their written procedures if there is a data breach involving certain customer information. The program must address the following areas: (1) assessment, containment and control; (2) notice; and (3) service providers.

Assessment, Containment and Control. Covered institutions must update their written procedures to include a process for assessing the nature and scope of any incident involving unauthorized access to or use of customer information. As part of this process, firms must identify the customer information systems and types of customer information that may have been accessed or used without authorization and take appropriate steps to contain and control the incident to prevent further unauthorized access or use. In the Adopting Release, the Commission explained that strategies for containing and controlling an incident will vary depending on the type of incident but include, for example, “isolating compromised systems or enhancing the monitoring of intruder activities, searching for additional compromised systems, changing system administrator passwords, rotating private keys, and changing or disabling default user accounts and passwords, among other interventions.”[7]

Notification Requirement to Affected Individuals. As part of their incident response programs and written policies and procedures, covered institutions also must notify each affected individual whose “sensitive customer information” was, or was reasonably likely to have been, accessed or used without authorization. Notification, however, is not required if the covered institution has determined, after a reasonable investigation of the incident, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Notably, the final amendments reflect a presumption of notification. Therefore, if a covered institution conducts an investigation and the results are inconclusive, notification is required. Similarly, a covered institution must notify all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed without authorization unless the covered institution reasonably determines that a specific individual's sensitive customer information was not accessed or used without authorization.

As proposed, the final rules define “sensitive customer information” to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”[8] The Adopting Release acknowledges this definition of “sensitive customer information” is broader than the definition used in some states because it includes identifying information that, in combination with authenticating information (such as a partial Social Security number, access code or mother's maiden name), could “create a substantial risk of harm or inconvenience to the customer because [such information] may be widely used for authentication purposes.”[9] There is also no exception for encrypted information, though a covered institution may consider encryption as a factor in determining whether the compromise of customer information could create a reasonably likely harm risk to an individual identified with the information.

The Commission initially proposed to define the phrase “substantial harm or inconvenience” in the definition of “sensitive customer information” to mean all personal injuries, as well as instances of financial loss, expenditure of effort or loss of time when they are “more than trivial.” The proposal also included a non-exhaustive list of examples of harms or inconveniences. The final amendments do not include the proposed definition of “substantial harm or inconvenience” or the list of examples, but the Commission did suggest that the list of harms in the proposal may be a “useful starting point” for an analysis by personnel at the covered institution.[10] In addition, to provide a little more clarity, the rule includes some examples of “sensitive customer information.”
