US Financial Institutions Now Required to Disclose Data Breaches Within 30 Days – SEC Tightens Rules

In a significant regulatory update, the US Securities and Exchange Commission (SEC) has amended Regulation S-P, mandating financial institutions to disclose security breaches within 30 days of discovery. This change aims to enhance the protection of consumers’ personal financial information, reflecting the evolving nature and impact of data breaches.

The updated rule affects broker-dealers, investment companies, registered investment advisers, and transfer agents. These entities must notify affected individuals “as soon as practicable, but not later than 30 days” after becoming aware of a breach. The notification must include details about the incident, the data compromised, and recommended protective measures for the victims.

SEC Chair Gary Gensler highlighted the importance of these amendments, noting that the scale and impact of data breaches have changed dramatically since the rule’s initial adoption in 2000. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors,” Gensler stated.

The regulation also requires financial institutions to develop, implement, and maintain written policies and procedures designed to detect, respond to, and recover from unauthorized access to customer information. This comprehensive approach aims to bolster the overall security posture of these organizations.

However, some experts, including those at Ars Technica, have pointed out a potential loophole in the regulation. Institutions are not required to notify victims if they determine the breached information is unlikely to cause “substantial harm or inconvenience.” Because the institution makes that determination itself, this provision could be used to avoid disclosures.

The amendments, formally titled “Privacy of Consumer Financial Information,” align with the privacy provisions of the Gramm-Leach-Bliley Act (GLBA). They will take effect 60 days after publication in the Federal Register. Larger institutions will have 18 months to comply with the new requirements, while smaller organizations will have 24 months to make the necessary adjustments.

This regulatory change marks a critical step in strengthening consumer protections and ensuring timely communication of data breaches in the financial sector.
