SEC Adopts Significant Amendments to Regulation S-P Requiring Notification of Sensitive Customer Information Breaches, Service Provider Oversight (Registered Funds Regulatory Update)

07.09.24

(Article from Registered Funds Regulatory Update, July 2024)

For more information, please visit the Registered Funds Resource Center.

The SEC voted to make significant amendments to Regulation S-P, which governs the treatment of consumer non-public personal information collected by certain financial institutions: broker-dealers, investment companies, registered investment advisers and transfer agents registered with the SEC or another appropriate regulatory agency (collectively, “covered institutions”). It is estimated that compliance by large covered institutions will be required by early 2026, affording such covered institutions time to prepare for what may be onerous requirements.

At a high level, the amendments establish a federal “minimum” standard for covered institutions to provide data breach notifications to affected individuals. This federal standard applies regardless of, and is in addition to, any individual state’s own requirements for data breaches. The federal standard expands the scope of customer information subject to Regulation S-P, requires a 30-day notification period for data breaches and establishes a new notification trigger that starts the 30-day notice period. The amendments further require each covered institution to adopt an incident response program for situations in which there is unauthorized access to or use of customer information, specifically instituting a requirement to notify affected individuals if their “sensitive customer information” (e.g., social security numbers and other types of identifying information that can be used alone to authenticate an individual’s identity, such as a driver’s license, passport number, employer, or taxpayer ID) is, or is reasonably likely to have been, accessed or used without authorization. In addition, the amendments implement recordkeeping requirements, provide an exception to the annual privacy notice delivery requirement (subject to certain conditions), and impose requirements for oversight of service providers.

The SEC intended the amendments to consolidate standards for informing customers of sensitive information breaches, rather than rely on varying state requirements. While standardization of requirements can generally be helpful, the amendments impose operationally challenging notification requirements and deadlines. Covered institutions will likely need the entire compliance period to prepare operationally for those requirements.

Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Release Nos. 34-100155; IA-6604; IC-35193 (May 16, 2024), available at: https://www.sec.gov/files/rules/final/2024/34-100155.pdf.