On May 16, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P to “modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions.” Affected financial institutions have 18-24 months (depending on their size) to comply, and should begin preparing now.
Background
Regulation S-P is a set of privacy rules, originally adopted in 2000, that governs financial institutions’ treatment of consumers’ nonpublic information. Regulation S-P originally provided that:
- Broker-dealers, investment companies, and registered investment advisors must adopt written policies to safeguard customer information (the Safeguards Rule);
- Customer information must be properly disposed of to protect against unauthorized access to or use of the information (the Disposal Rule); and
- Financial institutions must provide their customers with notice of their privacy policies and practices, together with opt-out provisions.
Amendments
The amendments, whose scope was extended to include registered transfer agents, expand the protection of customer information by requiring certain financial institutions (Covered Institutions) to develop an incident response program in order to “protect against harms that may result from a security incident involving customer information.” These institutions are also required to provide notice to customers whose information was, or is reasonably likely to have been, accessed or used without authorization. The amendments further “impose a federal minimum standard for customer notification, which will help ensure timely, consistent notice to affected securityholders regardless of their state of residence.”
Incident Response Program
Under the amended rule, Covered Institutions are required to develop, implement, and maintain written policies and procedures for an incident response program as part of the Safeguards Rule.
- These written policies must be “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer, not merely all sensitive customer information.”
- The incident response program must include procedures to assess any incident and take appropriate steps to contain and control the incident to prevent further harm.
Customer Notification Requirement
As part of the incident response program, Covered Institutions must provide a notification to customers whose sensitive information “was, or is reasonably likely to have been, accessed or used without authorization.” Notice must be provided as soon as practicable, but not later than 30 days after the Covered Institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notice must:
- Be “clear and conspicuous” through a means to ensure that each affected customer receives the notice; and
- Include details regarding the incident, the breached data, and how customers can respond to protect themselves.
Notice is not required if, after a reasonable investigation, the Covered Institution determines that the incident “has not been, or is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.”
Compliance Dates
The amended rule goes into effect 18 months after the date of publication for larger Covered Institutions and 24 months after that date for smaller entities.
If you need assistance reviewing your policies and procedures around these issues, please contact the authors or the McCarter & English attorney with whom you work.