Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.
Under the new amendments, covered institutions are required to establish written incident response programs that are “reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information, including customer notification procedures.” (Final Rule, p. 335.) “Covered institutions” subject to the amendments include broker-dealers, investment companies, registered investment advisers and transfer agents. (Final Rule, p. 342.)
Additionally, in the event of unauthorized access or use affecting a customer, a covered institution will be required to provide written notice to that individual “as soon as practicable, but not later than 30 days” after discovery of the unauthorized access or use. (Id. at 335-36.) The contents of the notice must include (1) a description of the incident (including the actual or estimated date of the incident), (2) the types of information that are reasonably believed to have been accessed or used without authorization, (3) contact information for inquiries about the incident, (4) recommendations that the individual should review and immediately report any suspicious activity regarding their account to the covered institution and (5) information about fraud alerts, credit reports, and contacting the Federal Trade Commission. (Id. at 338-39.)
The amendments provide for limited exceptions to the notice requirement. First, if the covered institution “after a reasonable investigation of the facts and circumstances of the incident” has determined that customer information “has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience,” no notice is required. (Id. at 336-37.) This is obviously a subjective standard that could give covered institutions some amount of leeway in making notice decisions. Second, if the United States Attorney General determines that notice under the Final Rule poses “a substantial risk to national security or public safety,” notice may be delayed beyond the 30-day requirement. (Id. at 337.) Application of this exception likely will be extremely rare.
In a statement addressing the new amendments, SEC Chair Gary Gensler emphasized that the “nature, scale, and impact of data breaches” has substantially transformed since the original passage of Regulation S-P in 2000. He asserted that the amendments were necessary to allow investors to maintain their privacy and protect themselves. In her statement, SEC Commissioner Hester Peirce stated that she supported the rule “with some reservations.” She noted that notifying customers when their information is compromised is important, but she raised concerns that the rule may make customer notifications “so commonplace that people ignore them” if covered institutions err on the side of sending notices “even if one might not be necessary.” (Id.)
Time will tell if Commissioner Peirce’s concerns are valid. The amendments will be effective 60 days after the publication in the Federal Register. Larger institutions will be required to be in compliance with the amendments within 18 months after the amendments are published, while smaller entities have up to 24 months to comply.
If your institution needs assistance in preparing to get in compliance with the new amendments, please reach out to Blaine Kimrey, Bryan Clark or Nusra Ismail.