SEC Adopts Rule Changes to Regulation SP to Improve Protection of Customer Information | Proskauer Rose limited liability company

On May 16, 2024, the United States Securities and Exchange Commission (“SEC”) announced the adoption of amendments to Regulation SP (the “Final Amendments”) proposed last year.(1) The Final Amendments impose increased requirements on registered investment advisers, investment companies, broker-dealers and transfer agents (“covered companies”) with respect to the handling of consumers’ financial information.

The Final Amendments focus primarily on covered companies’ responsibilities with respect to data security incidents that impact customers’ nonpublic personal information (“customer information”). As amended, Regulation SP now requires:

  • Incident response program: Covered companies are now required to develop, implement, and maintain written policies and procedures for an incident response program that is “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” The program must include procedures to:
    • assess the nature and scope of an incident involving unauthorized access to or use of customer information;
    • identify the types of customer information that may be subject to such unauthorized access or use;
    • take “appropriate steps” to contain and control the incident and prevent further unauthorized access to or use of the customer’s information; AND
    • notify any affected individual whose “sensitive customer information”(2) was, or is reasonably likely to have been, accessed or used without authorization, unless the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.(3)
  • Event notification: If a covered company experiences a data security incident affecting sensitive customer information that is, or is reasonably likely to be, used in a manner that would cause substantial harm or inconvenience, the covered company must notify affected individuals within 30 days. The Final Amendments contain prescriptive rules specifying what must be included in incident notifications, which covered companies should review carefully.
    • The only exception to the 30-day notice requirement is a written notice from the U.S. Attorney General to a covered company that the required notice would create a significant risk to national security or public safety.

It is worth noting that the Final Amendments do not include the provisions proposed in the draft amendments that would have imposed prescriptive requirements for written contracts with service providers regarding data security and incident notification. However, the revised rules require covered companies to conduct thorough oversight and monitoring of service providers and to implement policies and procedures reasonably designed to ensure that service providers protect customer information and notify covered companies of a security breach affecting customer information within 72 hours of becoming aware of the breach – requirements that will, in practice, require contracts with service providers to include appropriate provisions for protecting data security and responding to breaches.

The changes will take effect 60 days after publication in the Federal Register. Larger entities will have 18 months from the date of publication in the Federal Register to comply with the changes, while smaller entities will have 24 months from the date of publication in the Federal Register to comply.

(1) Regulation SP: Privacy of Consumer Financial Information and Protection of Customer Information, SEC Release No. 34-100155; IA-6604; IC-35193 (May 16, 2024). For a summary of the proposed amendments, see our previous Notice, The SEC is re-examining Regulation SP after two decades of innovation in information technology (April 4, 2023).

(2) “Sensitive customer information” is defined as “any item of customer information, alone or in combination with other information, the breach of which would create a reasonably probable risk of substantial harm or inconvenience to a person identified with the information.” The final definition includes examples of sensitive customer information, including: (a) identification numbers such as SSNs, driver’s license and passport numbers, and employer or taxpayer identification numbers; (b) biometric records; (c) unique electronic identification numbers, addresses or routing codes; (d) telecommunications identification information or access devices that can be used to obtain money, goods or services or to initiate the transfer of funds; and (e) customer account information in conjunction with account access information.

(3) The Final Amendments remove the definition of “substantial harm or inconvenience” proposed in the draft amendments, which introduced a new “more than trivial” standard not used in the GLBA, with examples such as theft, fraud, and physical harm. The final rule leaves the term “substantial harm or inconvenience” undefined, as it is under the GLBA.
