On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) announced that it had adopted final amendments to its Regulation S-P (the Rule or Amended Rule), which governs “covered financial institutions’” treatment of consumers’ nonpublic personal information, to ensure that these entities implement incident response programs and notify consumers when their information has been compromised. Brokers, dealers, investment companies, investment advisers, crowdfunding portals, and transfer agents registered with the SEC or another appropriate regulatory agency are all considered covered institutions (CIs) under the Amended Rule.
In the Rule’s Fact Sheet, the SEC notes that as technology has advanced and business practices have evolved, cyber risks to consumers’ financial data have greatly increased. In the wake of varying state data breach requirements and other federal requirements, such as the Federal Trade Commission’s (FTC’s) Safeguards Rule,[1] the SEC aims to harmonize its Rule with other federal and state breach laws, while filling gaps with respect to regulation of investment firms.
The main changes implemented by the amendments are as follows:
Establish and Maintain an Incident Response Program. Under the Rule, CIs must develop, implement, and maintain written policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Specifically, the policies and procedures should assess the nature of the incident of unauthorized access, identify the systems and types of consumer information affected, notify consumers where appropriate, and outline appropriate mitigation steps.
- Safeguarding Customer Information. A CI’s policies and procedures must address administrative, technical, and physical safeguards for the protection of customer information. Customer information, for most CIs, means any record containing nonpublic personal information about a customer of a financial institution that a covered institution possesses or that is handled or maintained on its behalf.
- Disposal of Consumer and Customer Information. The Rule’s disposal provisions cover customer and consumer information. Consumer information means any record about an individual that is a consumer report (as defined in the Fair Credit Reporting Act[2]) or derived from a consumer report, that a CI maintains or possesses for a business purpose. CIs, other than notice-registered broker-dealers, must adopt and implement written policies and procedures that include reasonable measures to dispose of information in a way that protects against unauthorized access to or use of the information.
- Customer Notification Requirement. CIs must notify each affected individual whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. Sensitive customer information means any customer information that, if compromised, would create a reasonably likely risk of substantial harm or inconvenience to an individual identified in the information (i.e., identifying information such as an SSN or biometric record; identifying information in combination with authenticating information such as an account number or username; or similar information that can be used to gain access to a customer’s account, like a birthdate or access code).
  - Notice must take place as soon as practicable, but no later than 30 days after the CI “becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred,” subject to certain exceptions.
  - Notice must clearly and conspicuously describe the incident, provide the CI’s contact information, provide guidance on identity theft, and recommend reporting issues to the CI and the FTC.
- Oversight of Service Providers. A CI’s incident response program must ensure due diligence and monitoring of service providers to protect against unauthorized access to or use of customer information by, among other requirements, ensuring that service providers notify CIs of a security breach as soon as possible, but not later than 72 hours after becoming aware that a breach resulting in unauthorized access has occurred.
Recordkeeping. In addition to the policies and procedures described above, covered entities must create and maintain records related to unauthorized access to or use of customer information.
Annual Privacy Notice. CIs must provide customers with a clear and conspicuous notice that accurately reflects their privacy policies and practices not less than annually (i.e., at least once in every period of 12 consecutive months) during the continuation of the customer relationship (with certain exceptions).
Violations. SEC rules carry a penalty of $5,000 per violation for natural persons or $50,000 per violation for any other person; however, penalties can be higher upon a finding of fraud, willful disregard of the rule, substantial loss to others, or substantial financial gain by the perpetrator, among other factors.[3]
This Rule will come into effect 60 days after it is published in the Federal Register. Larger institutions[4] will have 18 months from the date of publication in the Federal Register to comply with the Rule, and smaller entities will have 24 months.
Key Takeaways
Similar to the SEC, the FTC updated its Safeguards Rule requirements in 2023. Though both agencies derive their authority to issue safeguards regulations from the Gramm-Leach-Bliley Act, their approaches differ somewhat. Below are some key points of comparison.
- Scope of information protected. As noted above, the SEC’s amendments limit its notification requirement to unauthorized access to or use of sensitive customer information. The FTC’s notification requirement uses the broader term “customer information,” described as any record containing nonpublic personal information about a customer of a financial institution.
- Entity to be notified. While both agencies provide a 30-day window for notification, the triggering event and parties to be notified differ. The FTC requires that it be notified after discovery of access to or acquisition of unencrypted customer information without that individual’s authorization, involving 500 or more customers. The SEC, on the other hand, requires notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
- Risk of harm analysis. Lastly, the SEC allows CIs to determine whether the information accessed without authorization has been, or is reasonably likely to be, used in a manner that would result in substantial harm or inconvenience to the affected individual. There is no such harm analysis exception in the FTC’s Safeguards Rule.
Understanding the differences between these rules and other breach regulations is critical for businesses operating in multiple jurisdictions and for those working with service providers in various jurisdictions.
Wilson Sonsini Goodrich & Rosati routinely helps global companies navigate complex privacy and data security issues and specializes in compliance with cybersecurity regulatory frameworks. For more information, please contact Libby Weingarten, Amy Caiazza, Demian Ahn, Boniface Echols, or another member of the firm’s privacy and cybersecurity or fintech and financial services practices.
[2]Section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
[3]15 U.S. Code § 78u–2 – Civil remedies in administrative proceedings, (b)(1)–(3).
[4]Larger institutions are investment companies with net assets of $1 billion or more as of the end of the most recent fiscal year; registered investment advisers with $1.5 billion or more in assets under management; and broker-dealers and transfer agents that are not small entities under the Securities Exchange Act.